- APT -

Last update 09.10.2017 12:41:24

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5 



APT Trends report Q1 2018
14.4.2018 Kaspersky Analysis  APT
In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.

These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to highlight the significant events and findings that we feel people should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information on a specific report, readers are encouraged to contact: intelreports@kaspersky.com.

Remarkable new findings
We are always very interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. In Q1 2018 we observed a bit of both, which are briefly summarized in this section.

We would like to start by highlighting all the new exploitation techniques applicable for the Meltdown/Spectre vulnerabilities that affect different CPU architectures and vendors. Even though we haven’t seen any of them exploited in the wild so far (only several PoCs) and although vendors have provided various patches to mitigate them, there is still no real solution. The problem relies on the optimization methods used at the processor’s architecture level. Given that a massive hardware replacement is not a realistic solution, Meltdown and Spectre might very well open the door to new infection vectors and persistence methods that we will see in the future.

A similar case was the announcement of several flaws for AMD processors. Even when the full technical details were not yet available, AMD confirmed that these flaws could be exploited for privilege escalation and persistence once a target has been compromised.

We also observed an increasing interest from attackers, including sophisticated actors, in targeting routers and networking hardware. Some early examples of such attacks driven by advanced groups include Regin and CloudAtlas. Additionally, the US Government published an advisory on unusual reboots in a prominent router brand, which might indicate that these specific devices are being actively targeted.

In our Slingshot analysis, we described how the campaign was using Mikrotik routers as an infection vector, compromising the routers to later infect the final victim through the very peculiar mechanism that Mikrotik used for the remote management of devices. In actual fact, we recognised the interest of some actors in this particular brand when the Chimay-red exploit for Mikrotek was mentioned in Wikileak´s Vault7. This same exploit was later reused by the Hajime botnet in 2018, showing once again how dangerous leaked exploits can be. Even when the vulnerability was fixed by Mikrotik, networking hardware is rarely managed properly from a security perspective. Additionally, Mikrotik reported a zero day vulnerability (CVE-2018-7445) in March 2018.

We believe routers are still an excellent target for attackers, as demonstrated by the examples above, and will continue to be abused in order to get a foothold in the victim´s infrastructure.

One of the most relevant attacks during this first quarter of 2018 was the Olympic Destroyer malware, affecting several companies related to the Pyeongchang Olympic Games’ organization and some Olympic facilities. There are different aspects of this attack to highlight, including the fact that attackers compromised companies that were providing services to the games´ organization in order to gain access, continuing the dangerous supply chain trend.

Besides the technical considerations, one of the more open questions is related to the general perception that attackers could have done much more harm than they actually did, which opened some speculation as to what the real purpose of the attack was.

MZ DOS and Rich headers of both files (3c0d740347b0362331c882c2dee96dbf – OlympicDestroyer, 5d0ffbc8389f27b0649696f0ef5b3cfe – Bluenoroff) are exactly the same.

In addition, a very relevant aspect is the effort attackers put in to planting several elaborative false flags, making this attack one of the most difficult we have analyzed in terms of attribution.

In February, we published a report about a previously unknown advanced Android backdoor that we call Skygofree. It seems that the author could be an Italian company selling the product in a similar way to how Hacking Team did in the past, however we don’t yet have any proof of this. Interestingly, shortly after we detected the Android samples of this malware, we also found an early iOS version of the backdoor. In this case, attackers had abused a rogue MDM (Mobile Device Management) server in order to install their malware in victims’ devices, probably using social engineering techniques to trick them into connecting with the rogue MDM.

Finally, we would like to highlight three new actors that we have found, all of them focused in the Asia region:

Shaggypanther – A Chinese-speaking cluster of activity targeting government entities, mainly in Taiwan and Malaysia, active since 2008 and using hidden encrypted payloads in registry keys. We couldn’t relate this to any known actor.
Sidewinder – An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.
CardinalLizard – We are moderately confident that this is a new collection of Chinese-speaking activity targeting businesses, active since 2014. Over the last few years, the group has shown an interest in the Philippines, Russia, Mongolia and Malaysia, the latter especially prevalent during 2018. The hackers use a custom malware featuring some interesting anti-detection and anti-emulation techniques. The infrastructure used also shows some overlaps with RomaingTiger and previous PlugX campaigns, but this could just be due to infrastructure reuse under the Chinese-speaking umbrella.
Activity of well-known groups
Some of the most heavily tracked groups, especially those that are Russian-speaking, didn´t show any remarkable activity during the last three months, as far as we know.

We observed limited activity from Sofacy in distributing Gamefish, updating its Zebrocy toolset and potentially registering new domains that might be used for future campaigns. We also saw the group slowly shift its targeting to Asia during the last months.

In the case of Turla (Snake, Uroburos), the group was suspected of breaching the German Governmental networks, according to some reports. The breach was originally reported as Sofacy, but since then no additional technical details or official confirmation have been provided.

The apparent low activity of these groups – and some others such as The Dukes – could be related to some kind of internal reorganization, however this is purely speculative.

Asia – high activity
The ever-growing APT activity in this part of the World shouldn´t be a surprise, especially seeing as the Winter Olympic Games was hosted in South Korea in January 2018. More than 30% of our 27 reports during Q1 were focused on the region.

Probably one of the most interesting activities relates to Kimsuky, an actor with a North-Korean nexus interested in South Korean think tanks and political activities. The actor renewed its arsenal with a completely new framework designed for cyberespionage, which was used in a spear-phishing campaign against South Korean targets, similar to the one targeting KHNP in 2014. According to McAfee, this activity was related to attacks against companies involved in the organization of the Pyeongchang Olympic Games, however we cannot confirm this.

The Korean focus continues with our analysis of the Flash Player 0-day vulnerability (CVE-2018-4878), deployed by Scarcruft at the end of January and triggered by Microsoft Word documents distributed through at least one website. This vulnerability was quickly reported by the Korean CERT (KN-CERT), which we believe helped to quickly mitigate any aggressive spreading. At the time of our analysis, we could only detect one victim in South Africa.

Forgotten PDB path inside the malware used by Scarcruft with CVE-2018-4876

Furthermore, IronHusky is a Chinese-speaking actor that we first detected in summer 2017. It is very focused on tracking the geopolitical agenda of targets in central Asia with a special focus in Mongolia, which seems to be an unusual target. This actor crafts campaigns for upcoming events of interest. In this case, they prepared and launched one right before a meeting with the International Monetary Fund and the Mongolian government at the end of January 2018. At the same time, they stopped their previous operations targeting Russian military contractors, which speaks volumes about the group’s limitations. In this new campaign, they exploited CVE-2017-11882 to spread common RATs typically used by Chinese-speaking groups, such as PlugX and PoisonIvy.

The final remark for this section covers the apparently never-ending greed of BlueNoroff, which has been moving to new targets among cryptocurrencies companies and expanding its operations to target PoS’s. However, we haven´t observed any new remarkable changes in the modus operandi of the group.

Middle East – always under pressure
There was a remarkable peak in StrongPity’s activity at the beginning of the year, both in January and March. For this new wave of attacks, the group used a new version of its malware that we simply call StrongPity2. However, the most remarkable aspect is the use of MiTM techniques at the ISP level to spread the malware, redirecting legitimate downloads to their artifacts. The group combines this method with registering domains that are similar to the ones used for downloading legitimate software.

StrongPity also distributed FinFisher using the same MiTM method at the ISP level, more details of which were provided by CitizenLab.

Desert Falcons showed a peak of activity at the end of 2017 and the beginning of 2018. Their toolset for this new campaign included Android implants that they had previously used back in 2014. The group continues to heavily rely on social engineering methods for malware distribution, and use rudimentary artifacts for infecting their victims. In this new wave we observed high-profile victims based mostly in Palestine, Egypt, Jordan, Israel, Lebanon and Turkey.

A particularly interesting case we analyzed was the evolution of what we believe to be the Gaza Team actor. What makes us question whether this is the same actor that we have tracked in the past, is the fact that we observed a remarkable boost in the artifacts used by the group. We actually can´t be sure whether the group suddenly developed these new technical capabilities, or if they had some internal reorganization or acquired improved tools. Another possibility is that the group itself was somehow hacked and a third actor is now distributing their artifacts through them.

Final Thoughts
As a summary of what happened during the last 3 months, we have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers are becoming much more active. For all these new attackers we observe different levels of sophistication, but let´s admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities. Powershell, for instance, is one of the most common resources used by any of them. In other cases, there seems to be a flourishing industry of malware development behind the authorship of the tools that have been used in several campaigns.

Some of the big stories like Olympic Destroyer teach us what kind of difficulties we will likely find in the future in terms of attribution, while also illustrating how effective supply chain attacks still are. Speaking of new infection vectors, some of the CPU vulnerabilities discovered in the last few months will open new possibilities for attackers; unfortunately there is not an easy, universal protection mechanism for all of them. Routing hardware is already an infection vector for some actors, which should make us think whether we are following all the best practices in protecting such devices.


APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools
13.4.2018 securityaffairs APT

The Iran-linked APT33 group continues to be very active, security researchers at Cyberbit have discovered an Early Bird code injection technique used by the group.
The Early Bird method was used to inject the TurnedUp malware into the infected systems evading security solutions.

The technique allows injecting a malicious code into a legitimate process, it allows execution of malware before the entry point of the main thread of a process.

“We saw this technique used by various malware. Among them – the “TurnedUp” backdoor written by APT33 – An Iranian hackers group, A variant of the notorious “Carberp” banking malware and by the DorkBot malware.” reads the analysis published by the experts.

“The malware code injection flow works as follows:

Create a suspended process (most likely to be a legitimate windows process)
Allocate and write malicious code into that process
Queue an asynchronous procedure call (APC) to that process
Resume the main thread of the process to execute the APC”
Anti-malware tools insert hooks when a process starts running, the code sections placed on specific Windows API calls allows security solution to detect the threats while invoking the API.

APT33 Early Bird technique allows bypassing the anti-malware hooking mechanism.

The Early Bird technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” continues the analysis published by Cyberbit.

Experts noticed that during the initialization phase of the main thread, immediately after the call to NtResumeThread, a function called NtTestAlert checks the APC queue to delay the code of the main threat until the APC code is finished.

“During the initialization phase of the main thread (Right after the call to NtResumeThread), a function called NtTestAlert checks the APC queue. If the APC queue is not empty – NtTestAlert will notify the kernel which in return jump to KiUserApcDispatcher which will execute the APC. The code of the main thread itself will not execute until the code of the APC is finished executing,” continues the analysis.

“Before returning to user-mode, the kernel prepares the user-mode thread to jump to KiUserApcDispatcher which will execute the malicious code in our case,”

early bird injection

Differently from other methods, the Early Bird technique aims to hide the malicious actions executed post-injection.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production.


OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group
6.4.2018 securityaffairs APT  Apple

Security experts at Trend Micro have discovered a new macOS backdoor that they linked to the APT 32 (OceanLotus, APT-C-00, SeaLotus, and Cobalt Kitty) cyber espionage group.
The APT32 group has been active since at least 2013, according to the experts it is a state-sponsored hacking group. The hackers hit organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The APT32 group uses custom-built malware for its attacks, the newly discovered macOS backdoor was tracked by experts at Trend Micro as OSX_OCEANLOTUS.D.

The researchers found the backdoor on macOS systems that have the Perl programming language installed.

“We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty).” reads the analysis published by Trend Micro.

“The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.”

The hackers used spear-phishing messages as attack vectors, the backdoor is distributed via weaponized documents attached to emails. The bait document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

APT 32 _MacOS_backdoor

The malicious document contains an obfuscated macros with a Perl payload. The macro extracts an XML file (theme0.xml) from the document, it is a Mach-O 32-bit executable with a 0xFEEDFACE signature that acts as a dropper for the final OSX_OCEANLOTUS.D backdoor.

“All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key. There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string.” continues the report.

“Using the setStartup() method, the dropper first checks if it is running as a root or not. Based on that, the GET_PROCESSPATH and GET_PROCESSNAME methods will decrypt the hardcoded path and filename where the backdoor should be installed.”

Once the dropper has installed the backdoor, it will set its attributes to “hidden” and set file date and time to random values using the touch command:

touch –t YYMMDDMM “/path/filename” > /dev/null.

It also changes the permissions to 0x1ed = 755, which is equal to u=rwx,go=rx.

The backdoor loops on two main functions, infoClient and runHandle; infoClient is used to collect platform information and send them to the command and control (C&C) server, meanwhile runHandle implements backdoor capabilities.

The discovery of a new backdoor linked to the APT32 group confirms that the state-sponsored crew was very active in the last months.


North Korea-Linked Lazarus APT suspected for online Casino assault
5.4.2018 securityaffairs APT

The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets.
The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

Now security experts from ESET uncovered a cyber attack against an online casino in Central America and on other targets, in all the assaults hackers used similar hacking tools, including the dreaded KillDisk disk-wiper.

The experts found several backdoors and a simple command line tool that was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.

Most of the tools were specifically designed to run as a Windows service and require administrator privileges for their execution.

ESET detailed a TCP backdoor dubbed Win64/NukeSped, a console application that is installed in the system as a service.

The backdoor implements a set of 20 commands whose functionality is similar to previously analyzed Lazarus samples.

“Win64/NukeSped.W is a console application that is installed in the system as a service. One of the initial execution steps is dynamically resolving the required DLL names, on the stack:” states the analysis published by ESET.

“Likewise, procedure names of Windows APIs are constructed dynamically. In this particular sample, they are visible in plaintext; in other past samples that we’ve analyzed they were base64-encoded, encrypted or resolved on the stack character by character”

Lazarus backdoor code

The backdoor allows attackers to gather information on the system, create processes, search for files, drop files on the infected systems, and inject code into processes, including Explorer.

Researchers from ESET also detailed session hijacker, dubbed Win64/NukeSped.AB, that is a console application capable of creating a process as another currently–logged-in user on the target system.

The session hijacker was spotted in the attack against the casino, researchers at ESET believe it is the same malware used in the attacks against Polish banks and Mexican entities.

ESET pointed out that at least two variants of the KillDisk malware were used in the attack that appear not linked to past wiper-based attacks, like the ones that hit Ukraine in December 2015 and December 2016.

“KillDisk is a generic detection name that ESET uses for destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable.” continues the report.

“Sub-family variants that do have strong code similarities, are sometimes seen separate cyberattacks and thus can help us make connections, as here. Other cases, for example the directed cyberattacks against high-value targets in Ukraine in December 2015 and December 2016, also employed KillDisk malware, but those samples were from different KillDisk sub-families, so are most likely unrelated to these attacks.”

According to ESET, more than 100 machines belonging to the Central American online casino were infected with the two variants of Win32/KillDisk.NBO.

It is still unclear if the attackers used the KillDisk wiper to cover the tracks of an espionage campaign, or if the malicious code was used in an extortion schema or sabotage.

The presence of the KillDisk wipers and various Lazarus-linked malware suggests that the APT group was responsible for the attack.

Experts also found that both variants present many similarities with the ones that previously targeted financial organizations in Latin America.

The attackers also used the Mimikatz tool to extract Windows credentials, a tool designed to recover passwords from major web browsers, malicious droppers and loaders to download and execute their tools onto the victim systems.

The hackers leveraged Radmin 3 and LogMeIn as remote access tools.

“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else).” concluded ESET.

“The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.”


Your new friend, KLara

29.3.2018 Kaspersky APT
GReAT’s distributed YARA scanner
While doing threat research, teams need a lot of tools and systems to aid their hunting efforts – from systems storing Passive DNS data and automated malware classification to systems allowing researchers to pattern-match a large volume of data in a relatively short period of time. These tools are extremely useful when working on APT campaigns where research is very agile and spans multiple months. One of the most frequently used tools for hunting new variants of malware is called YARA and was developed by Victor Manuel Alvarez while working for VirusTotal, now part of Alphabet.

In R&D we use a lot of open-source projects and we believe giving back to the community is our way of saying ‘Thank you’. More and more security companies are releasing their open-source projects and we would like to contribute with our distributed YARA scanner.

What is YARA?
YARA is defined as “a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples”. In other words, it is a pattern-matching tool, but on steroids. It can support complex matching rules as well as searching files with specific metadata (for example, it can search all files that use a certificate containing the string “Microsoft Corporation” but is not signed by “Microsoft”).

How can YARA help you find the next APT in your network?
YARA’s usefulness is amazing, especially given traditional protection measures are no longer enough in today’s complex threat landscape. Modern protection systems, combined with constant network monitoring and incident response have to be deployed in order to successfully protect equipment.

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow. Indicators of compromise (IoCs) can help you search for footprints of known malware or for an active infection. But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective. Good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found any other way. The rules can be deployed in networks and on various multi-scanner systems.

That’s why, as part of our Threat Intelligence services, we offer a range of training courses, one of them being our world-famous YARA Training, held by our GReAT ninjas: Costin Raiu, Vitaly Kamluk and Sergey Mineev.

Finding exploits in the wild
One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the much publicized Silverlight 0-day. The team started hunting for it after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at one time had been installed on a huge number of computers.

GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits, using very specific comments, shell code and function names. All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”. Eventually it caught a new sample, a 0-day, and the team immediately reported it to Microsoft.

KLara, GReAT’s distributed YARA scanner
As mentioned above, any team carrying out threat intelligence needs to have powerful tools in their arsenal in order to find the latest threats and detect attacks as soon as possible. Within our R&D department we have built a lot of tools internally, but we believe most progress is made when useful tools are shared with the community. As such, we are releasing our internal tool for running YARA rules over a large set of data (malware/virus collections).

What is KLara?
In order to hunt efficiently for malware, you need a large collection of samples to search through. Researchers usually need to fire a YARA rule over a collection/set of malicious files and then get the results back. In some cases, the rule needs adjusting. Unfortunately, scanning a large collection of files takes time. However, if a custom architecture is used instead, scanning 10TB of files can take around 30 minutes. Of course, if there are multiple YARA rules that need to be run simultaneously, it’s important the system is also distributed. And this is where KLara comes in. KLara is a distributed system written in Python, allowing researchers to scan one or more YARA rules over collections with samples, getting notifications by email and in the web interface when the scan results are ready. Systems like KLara are important when large collections of data are involved. Of course, researchers will have their own small virus collections on their computers in order to make sure their YARA rules are sound, but when searching for viruses in the wild, this task requires a lot of processing power and this can only be achieved with a cloud system.

Why is it important to have a distributed YARA scanner?
Attacks using APTs are extremely dangerous, regardless of whether the target belongs to the public, private or government sector. From our experience, constant monitoring of logs, netflow, alerts and any suspicious files helps mitigate an attack during reconnaissance stages. There are some projects similar to KLara that SOC teams can leverage, but most of them are private, meaning either the virus collection or rules exist somewhere in the cloud, outside the team’s direct control.

KLara, on the other hand, allows anyone running any kind of hardware to set up their own private YARA scanner, keeping TLP RED YARA rules local.

KLara under the hood
The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Worker and dispatcher agents are written in Python. Because the worker agents are written in Python, they can be deployed in any compatible ecosystem (Windows or UNIX). The same logic applies to the YARA scanner (used by KLara): it can be compiled on both platforms.

Jobs can be submitted and their status retrieved using a web-based portal, while each user has their own personal account allowing them to be part of a group, as well as share their KLara jobs with any other valid account.

Accounts have multiple properties that can be set by the administrator: what group they are part of, what scan repositories they can run their YARA rules over (based on group membership), if they can see other groups’ jobs, or the maximum number of jobs that can be submitted monthly (individual quotas).

By using the dashboard, authenticated users can submit jobs on the ‘Add a new job’ page:

And check their status on the ‘Current jobs’ page:

Once a user submits a task, they can view its status, resubmit it or delete it. One of the workers will fetch the job from the dispatcher and if it has eligible scan repositories on its file systems, will start the YARA scan. Once finished, the user is notified by email of the results.

Each job’s metadata consists of one or multiple YARA rules, the submitter’s account info and a set of scan repositories that can be selected:

On the main page, a summary is displayed:

Job status: New/Assigned/Finished/Error
Job management: Restart/Delete job
How many files have been matched
Name of the first rule in the rules set
The repository path over which YARA scanned for matches.
A more detailed status can be seen once we click on a job:

Any YARA results will be displayed at the bottom, as well as a list of matched MD5s.

Each user can have a search quota and be part of a group. Groups can choose to restrict users (preventing them from seeing what other jobs group members submit).

Finally, each user can change their email address if they want notifications to be sent to another email account.

API access
In order to facilitate automatic job submissions as well as automatic results retrieval, KLara implements a simple REST API allowing any valid account with a valid API Key to query any allowed job’s status. It allows scripts to:

Submit new tasks
Get the job results as well as job details (if it’s still scanning or assigned, finished or if there’s an unprocessed (new) job)
Get all the YARA results from a specific job.
Get all the matched MD5 hashes
More info about using the API can be found in the repository.

How can you get KLara?
The software was released on our official Kaspersky Lab GitHub account on 9 March, 2018.

We welcome anyone who wants to contribute to this project to submit pull requests. As we said before, we believe in giving back to the community the best tools we can provide in order to fight malware.

The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.


XM Cyber Unveils Automated Purple-Teaming at Speed and Scale
21.3.2018 securityweek APT

Israeli Cybersecurity Startup Launches Automated Advanced Persistent Threat (APT) Simulation Platform

Penetration testing is the most effective method of testing whether existing security policy stands up against advanced attackers, but it doesn't scale well to large, dynamic networks, and only provides a single conclusion at a specific point in time. The solution is clearly automation.

XM Cyber is an Israeli firm founded in 2016. Its three co-founders are Tamir Pardo (formerly head of Mossad); Boaz Gorodissky (formerly head of technology for the government of Israel); and Noam Erez (who spent 25 years in Israeli intelligence). Its headquarters are in Israel, but with a presence in the U.S. and Australia. It has customers in Israel, the U.S. and Europe.

Its primary product, an automated APT simulation platform called HaXM, is unveiled today. The product simulates the possible behavior of an attacker in order to locate potential weaknesses on the system; and then, using the data gathered, provides recommendations for the remediation of those weaknesses. In this manner it provides automated red teaming with blue teaming to produce purple teaming at speed, continuously, and at scale.

"The problem we solve," VP of Product Adi Ashkenazy told SecurityWeek, "is that when you look at modern organizations and you see the kind of security stack they have in place, you have to wonder if they are actually securing their critical assets. This is something the companies ask themselves as well. They spend a lot of money on different products and vendors; but at the end of the day, if you ask them, 'are your critical assets secure?', they may have hope and some belief, but they have no concrete evidence to support the idea."

Manual penetration testing to prove the hypothesis of security, he continued, makes no sense for the modern organization that may have tens of thousands of endpoints, and hundreds of subsystems; and is continuously evolving and changing.

"This is why we founded XM Cyber," commented Noam Erez: "to equip enterprises with a continuous 360-degree view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them."

HaXM places sensors only on 'endpoints of interest'. "We don't have to map the entire network," said Ashkenazy. "We deploy our sensors on the endpoints of interest within the infrastructure that hackers are able or likely to use. We try to be almost religious in the way we mimic attacks -- we don't put sensors on every endpoint."

Nor does HaXM start with any preconceived idea of a potential attack. "We don't define the attack vectors in advance," he said. "We act like a virtual hacker. We start from points of likely breach -- which could be internet-facing servers, for example; or endpoints that receive external email. We place our virtual hacker in those starting points with a tool box that mimics the capabilities of an advanced attacker; and from that moment on the virtual hacker mimics the steps taken by a real hacker trying to find his way to critical assets. We never know in advance what will be found, but so far the virtual hacker has always eventually managed to compromise the entire network."

This is HaXM's simulation mode, where great care is taken not to trigger any alarms from the customer's existing security stack. It checks for the conditions that could be used by an attacker. "This is what we use for 24/7 testing. But we also have a validation mode," added Ashkenazy. "When you switch to validation mode, this is not continuous, but is a controlled mode, where you specify when and where you want to actually test a specific attack vector -- and then we conduct the malicious activities to their full extent so that you can check the security stack in its entirety."

HaXM provides a visualization of the route an aggressor can take from initial entry point on a network to the company's critical assets. In doing this, it definitively presents the existence or absence of sufficient security, highlighting if and where additional security is necessary. While many security products seek to find indications of actual compromise after an initial breach, XM Cyber's approach is to find routes of potential compromise irrespective of an existing breach. It will not locate an attacker; but it will tell the customer what an attacker could achieve.

XM Cyber has offices in Herzliya, Israel; New York; and Sydney, Australia. It has raised $15 million as initial funding in its first two years. The product will be demonstrated at the RSA Conference in San Francisco, California in April 16-19, 2018.


Experts discovered remotely exploitable buffer overflow vulnerability in MikroTik RouterOS
19.3.2018 securityaffairs APT
Security experts at Core Security have disclosed the details of a buffer overflow vulnerability that affects MikroTik RouterOS in versions prior to the latest 6.41.3.
MikroTik is a Latvian vendor that produce routers used by many telco companies worldwide that run RouterOS Linux-based operating system.

The vulnerability, tracked as CVE-2018-7445, could be exploited by a remote attacker with access to the service to execute arbitrary code on the system.

“A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.” reads the advisory published by the company.

“The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it.”

The researchers published a proof of concept exploit code that works with MikroTik’s x86 Cloud Hosted Router.

MikroTik routerOS

Core first reported the flaw to MikroTik on February 19, 2018. MikroTik planned to release a fix in the next release on March 1, 2018 and asked Core to do not reveal the details of the flaw. Even if MikroTik was not able to issue a fix for the estimated deadline 2018, Core waited for the release of the new version the occurred on Monday, March 12, 2018.

In case it is not possible to install an update, MikroTik suggested disabling SMB.

A few days ago, security experts at Kaspersky Lab announced to have spotted a new sophisticated APT group that has been operating under the radar at lease since at least 2012. Kaspersky tracked the group and identified a strain of malware it used, dubbed Slingshot, to compromise systems of hundreds of thousands of victims in the Middle East and Africa.

Slingshot

The researchers have seen around 100 victims of Slingshot and detected its modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

Kenya and Yemen account for the largest number of infections to date. Most of the victims are individuals rather than organizations, the number of government organizations is limited.

The APT group exploited zero-day vulnerabilities (CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.) in routers used by the Latvian network hardware provider Mikrotik to drop a spyware into victims’ computers.
The attackers first compromise the router, then replace one of its DDLs with a malicious one from the file-system, the library is loads in the target’s computer memory when the user runs the Winbox Loader software, a management suite for Mikrotik routers.

The DLL file runs on the victim’s machine and connects to a remote server to download the final payload, the Slingshot malware in the attacks monitored by Kaspersky.

It is not clear if the Slingshot gang also exploited the CVE-2018-7445 vulnerability to compromise the routers.

Now that a proof of concept exploit for vulnerability CVE-2018-7445 is available online customers need to upgrade RouterOS to version 6.41.3 to avoid problems.


Russia-linked Sofacy APT targets an unnamed European Government agency
18.3.2018 securityaffairs APT

While US-CERT warns of cyber attacks against critical infrastructure in the energy sectors, Russia-linked Sofacy APT is targeting a government agency in Europe.
Last week the US Government announced sanctions against five Russian entities and 19 individuals, including the FSB, the military intelligence agency GRU.

Despite the sanctions, Russian hackers continue to target entities worldwide, including US organizations.

The Russian spy agencies and the individuals are accused of trying to influence the 2016 presidential election and launching massive NotPetya ransomware campaign and other attacks on businesses in the energy industry.

Last year, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

Now the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it label the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”

According to the DHS, based on the analysis of indicators of compromise, the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

The Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of Russian cyberspies.

A few days ago, cyber security experts at Palo Alto Networks uncovered hacking campaigns launched by Sofacy against an unnamed European government agency leveraging an updated variant of the DealersChoice tool.

“On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice.” reads the analysis published by PaloAlto Networks.

“The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed. One of the differences was a particularly clever evasion technique.”

The attacks uncovered by PaloAlto aimed at a government organization in Europe used a spear phishing email referencing the “Underwater Defence & Security” conference, which will take place in the U.K. later this month.

While previous versions of DealersChoice loaded a malicious Flash object as soon as the bait document was opened, the samples analyzed by PaloAlto that were related to the last attacks include the Flash object on page three of the document and it’s only loaded if users scroll down to it.

“The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.” states the analysis.

Early February, experts from Kaspersky highlighted a shift focus in the Sofacy APT group’s interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.


Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries
18.3.2018 securityaffairs APT

The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months.
Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States.

The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, some of them located in Europe and at least one in Hong Kong.

“The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.” reads the analysis published by security firm FireEye.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit.”

The researchers confirmed that the tactics, techniques, and procedures (TTPs) and the targets of the TEMP.Periscope overlap with ones both TEMP.Jumper and NanHaiShu APT groups.

Researchers at FireEye observed a spike in the activity of TEMP.Periscope that was also associated with the use of a broad range of tools commonly used by other Chinese threat actors.

The arsenal of the crew includes backdoors, reconnaissance tools, webshells, and file stealers.

A first backdoor dubbed BADFLICK, could be used to modify the file system of the infected system, establish a reverse shell, and modifying the command-and-control configuration.

Another backdoor used by the group is dubbed Airbreak, which is a JavaScript-based backdoor (aks “Orz”) that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

TEMP.Periscope

Other malware is described in the post published by FireEye.

“PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.” continues the analysis.

“HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56.”

The crews also used the Lunchmoney tool that exfiltrates files to Dropbox and the Murkytop command-line reconnaissance tool.

Recently the group used the China Chopper, a code injection webshell that executes Microsoft .NET code within HTTP POST commands.

The group targeted victims with spear-phishing messaged that use weaponized documents attempting to exploit the CVE-2017-11882 vulnerability to deliver malicious code.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Further details, including the Indicators of Compromise are reported in the analysis published by FireEye.


OceanLotus APT is very active, it used new Backdoor in recent campaigns
14.3.2018 securityaffairs APT

The OceanLotus APT group, also known as APT32 and APT-C-00, has been using a new backdoor in recently observed attacks.
The OceanLotus Group has been active since at least 2013, according to the experts it is a state-sponsored hacking group linked to Vietnam, most of them in Vietnam, the Philippines, Laos, and Cambodia.

The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

Researchers at Volexity has been tracking the threat actor since May 2017, they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations.

Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape, Volexity researchers compared the APT with the dreaded s Russia-linked Turla APT.

The group is well-resourced, it continues to use along with old techniques.

“A great deal of research about this group was published last year, including
papers such as those from CyberReason, a lengthy global view from FireEye and the watering-hole explanation from Volexity. We see that this group keeps updating their backdoors, infrastructure, and infection vectors.” reads the analysis published by ESET.

“OceanLotus continues its activity particularly targeting company and government networks in East-Asian countries. A few months ago, we discovered and analyzed one of their latest backdoors. Several tricks are being used to convince the user to execute the backdoor, to slow down its analysis and to avoid detection.”

The threat actors started adopting a new backdoor that provides them with remote access and full control on the infected systems.

OceanLotus’s attack is carried on in two stages, in the first phase the hackers leverage a dropper, delivered via spear-phishing messages, to gain the initial foothold on the targeted system, then the malicious code prepares the stage for the backdoor.

“Over the past few months, a number of decoy documents have been used. One of them was a fake TrueType font updater for the Roboto Slab regular font. This choice of font seems a bit odd since it does not support a lot of East-Asian languages.” reads the analysis.

“When executed, this binary decrypts its resource (XOR with a 128-byte, hardcoded key) and decompresses the decrypted data (LZMA). The legitimate RobotoSlab-Regular.ttf file is written into the %temp% folder and run via Win32 API function ShellExecute.

The shellcode decrypted from the resource is executed. After its execution, the fake font updater drops another application whose sole purpose is to delete the dropper. This “eraser” application is dropped as %temp%\[0-9].tmp.exe.”

OceanLotus backdoor

Attackers also powered watering hole attacks using fake installers posing as updates for popular applications.

One of the installers used by the APT is the repackaged Firefox installer described by 360 Labs on Freebuf (Chinese language).

Researchers noticed that attackers’ dropper package includes several components, the whole process of installation and execution relies heavily on multiple layers of obfuscation to prevent detection. The dropper also included garbage code to avoid being detected and code designed to delete the bait document.

The dropper gain persistence by creating a Windows service if administrator privileges are available, or modifies the operating system’s registry if executed with normal privileges.

The backdoor is able to execute tens of commands, including fingerprint the system, create a process, call the PE Loader, drop and execute a program and run shellcode in a new thread.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address.” concludes ESET.

“The encryption of the payload, together with the side-loading technique – despite
its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application.”


New North Korea-linked Cyberattacks Target Financial Institutions

12.3.2018 securityweek APT

New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey

Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network.

An analysis published by senior analyst of major campaigns, Ryan Sherstobitoff, says McAfee believes this operation is intended to gain access to specific Turkish financial organizations via targeted spear-phishing, using a weaponized Word document containing an embedded Flash exploit. The Flash vulnerability only surfaced at the end of January 2018, but is thought to have been exploited by North Korean actors since mid-November 2017. It was patched by Adobe within a week; but any computer that has not yet updated Flash to the latest version will remain vulnerable.

McAfee's report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack -- which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim's system.

Nortk Korea FlagUS-CERT issued a malware analysis report (MAR) on Bankshot (PDF) in December 2017. It describes it as malware used by the North Korean government, whose cyber activity is conducted by actors it calls Hidden Cobra. McAfee says the variant it has analyzed "is 99% similar to the documented Bankshot variants from 2017."

In the spear-phishing campaign, the Bankshot implant was associated with a Word document with the filename Agreement.docx. It masquerades as an agreement template for Bitcoin distribution. Once activated, malicious DLLs are downloaded from falcancoin.io -- a lookalike domain name to the legitimate cryptocurrency-lending platform Falcon Coin.

The DLLs communicate with three control servers (the URLs are hardcoded in the implants' code), two of them Chinese-language online gambling sites. Based on the response received from the control server, the malware can carry out a wide range of malicious tasks centered on gathering system data and controlling system processes. It also contains two methods of file deletion capable of erasing evidence of presence and other destructive actions. After every action, the malware sends a response to the control server indicating whether the action was successful.

Hidden Cobra has been linked to several attacks against financial institutions. "This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript," writes Sherstobitoff. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector."

North Korean actors are credited with the 2015/2016 attacks on the SWIFT network. No evidence was found to suggest that this version is designed to conduct financial transactions; "rather," writes Sherstobitoff, "it is a channel into the victim's environment, in which further stages of implants can be deployed for financial reconnaissance."

McAfee is confident that it has uncovered a new Hidden Cobra (ie, North Korean government) reconnaissance campaign against Turkish financial institutions. In February, the Winter Olympic Games held in South Korea were hit by cyber-attacks dubbed Olympic Destroyer. Many commentators assumed the attacks came from North Korea -- an assumption supported by indicators within the malware.

By mid-February, Recorded Future warned against hasty attribution for Olympic Destroyer, despite the presence of code fragments previously used by North Korean actors. "The co-occurrence of code overlap in the malware," wrote Recorded Future, "may be indicative of a false flag operation, attempting to dilute evidence and confuse researchers."

More recently, Kaspersky Lab concluded that despite the presence of a unique fingerprint tying Olympic Destroyer to Lazarus (Hidden Cobra), there is other evidence suggesting the involvement of the Russian group known as Sofacy or APT28. One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its own campaigns on Russian actors.

Given the relative ease and increasing frequency of so-called 'false flag' cyber-attacks, SecurityWeek asked McAfee how certain it is that Hidden Cobra is the group behind the Turkish attacks. "McAfee takes attribution very seriously," relied Ryan Sherstobitoff. "As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators. While the private sector can rarely claim 100% confidence in attack attribution without access to the same resources possessed by government and law enforcement agencies, we can say that the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra by the United States Government, are very strong indicators of the acting group."

"We have found," concludes McAfee, "what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries)." It warns that the attack has a high chance of success against victims with an unpatched version of Flash. "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal."


China-Linked APT15 used new backdoors in attack against UK Government’s service provider
12.3.2018 securityaffairs APT

China-Linked APT15 used new backdoors is an attack that is likely part of a wider operation aimed at contractors at various UK government departments and military organizations.
Last week Ahmed Zaki, a senior malware researcher at NCC Group, presented at the Kaspersky’s Security Analyst Summit (SAS), details of a malware-based attack against the service provider for the UK Government launched by the APT15 China-linked group (aka Ke3chang, Mirage, Vixen Panda and Playful Dragon).

“In May 2017, NCC Group’s Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.” reads a blog post published by NCC Group.

NCC stop the investigation in June 2017 on explicit request of the victim but resumed it in August after the APT15 hackers managed to regain access to the victim’s network.

“APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.” continues the analysis.

The attack is likely part of a wider operation aimed at contractors at various UK government departments and military organizations.

APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide. The attackers demonstrated an increasing level of sophistication across the years, they used a custom-malware and various exploits in their attacks.

NCC Group recently spotted two new backdoors used by the group along with malware already associated with the APT15.

“During our analysis of the compromise, we identified new backdoors that now appear to be part of APT15’s toolset. The backdoor BS2005 – which has traditionally been used by the group – now appears alongside the additional backdoors RoyalCli and RoyalDNS.” continues NCC Group.

“The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines.”


One of the backdoors has been tracked as RoyalCLI due to a debugging path left in the binary, it is the successor of BS2005 backdoor used by the group. Both RoyalCLI and BS2005 communicate with command and control (C&C) servers via Internet Explorer using the COM interface IWebBrowser2.

The attackers utilized Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

The second backdoor, tracked as RoyalDNS, uses DNS to communicate with the C&C server, once executed the command the backdoor returns output through DNS.

Further information, including the IoCs, are available in the post.


Kaspersky – Sofacy ‘s campaigns overlap with other APT groups’ operations
12.3.2018 securityaffairs APT

According to Kaspersky, the Sofacy APT is particularly interested in military, defense and diplomatic entities in the far east, but overlap with other APT’s operations makes hard the attribution.
Last week, during the Kaspersky Security Analyst Summit (SAS) held in Cancun, researchers from Kaspersky illustrated the results of their investigation on the recent activities conducted by the dreaded Sofacy APT group.

The experts confirmed the news reported by Kaspersky three weeks ago, the Russia-linked APT28 group (aka Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium.) have shifted focus in their interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

According to Kaspersky researcher Kurt Baumgartner, the Sofacy APT is particularly interested in military, defense and diplomatic entities in the far east.

The researchers explained that the Russian APT group’s activity overlaps with cyber espionage campaigns conducted by other threat actors.

Baumgartner pointed out that the Zerbrocy malware used by Sofacy APT was discovered on machines that had also been infected with the Mosquito backdoor associated with Russian Turla APT. Baumgartner also explained that Sofacy SPLM malware has infected the same systems that were compromised by Danti China-linked APT.

In similar circumstances, the Kaspersky researchers found that the systems infected by the SPLM malware (aka CHOPSTICK and X-Agent) had been previously infected with other Turla malware.

Sofacy backdoor

Kaspersky noticed that the overlaps were frequent on systems belonging to government, technology, and military organizations in Central Asia.

Another case of evident overlap was between Sofacy and the Longhorn threat actor, a group that researchers at Symantec reportedly linked to the CIA due to the use of Vault 7 tools. At least a server belonging to a military and aerospace conglomerate in China was infected by Sofacy backdoors and Longhorn malware.

Of course, even in presence of overlap, it is difficult to attribute the infection to a specific actor because APT groups use to plant false flags.


Masha and these Bears
10.3.2018 Kaspersky APT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a prolific, well resourced, and persistent adversary. They are sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile. Our previous post on their 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US, and examines their under-reported ongoing activity in middle east, central asia, and now a shift in targeting further east, including China, along with an overlap surprise. There is much understated activity that can be clustered within this set and overlap in APT activity. Here, we examine current deployment, code, cryptography, and targeting.

Essentially, this examination finds the group maintains subdivisions of efforts in targeting, development, and coding. Comparisons to other modules quickly shows a delineation in other Sofacy efforts. SPLM, GAMEFISH, and Zebrocy delivery all maintain their own clusters, but frequently overlap later.

Because SPLM is their primary and selective second stage tool, SPLM deployment is of much interest. But Zebrocy efforts are in such high volume, that these modules need examination as well.

SPLM/CHOPSTICK/XAgent Code
SPLM, otherwise known as CHOPSTICK, or by the author(s) as “XAgent”, is described as Sofacy’s signature second stage tool, selectively used for years against around the world. Really, many modified XAgent modules have been deployed over the years. Even the individual Linux modules renamed as “Fysbis” backdoors released in 2016 were merely modified and reduced portions of recompiled XAgent C/C++ codebase. Anyway, SPLM/CHOPSTICK has maintained various combinations of code, with some recognizable functionality listed here.

Source Modules Channels
Modules Keylogger HTTP
Channels RemoteShell FTP
Boot FileSystem SMTP
Library Launcher
MainHandler CameraShot
InjectApp
Screenshot
FileObserver
PasswordFirefox
InfoOS
Version 3 and early version 4 SPLM modules maintained keylogger, remoteshell, and filestealer code all within the larger compiled backdoor, and executed each body of functionality from within that process memory space. Later v4 SPLM injected individual keylogger, filestealer, and remoteshell modules into memory space. But for the most part, deployed SPLM maintained the structure of earlier executable code. In 2018, we now see them pushing individual and separate blobs of keylogger, filesystem, and remoteshell code that never touch disk. The larger, 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018. Instead, in-memory modules appear in isolation.

In addition to purely XAgent based code, we also observe zebrocy modules completely recoded into powershell from .Net.

Code and Crypto Comparisons
Current SPLM code maintains the unusual cipher hack that Sofacy began deploying in 2017 to hide away configuration details. Comparisons with cipher design and implementations we see in WhiteBear, earlier SPLM and Zebrocy modules tell a few things about design decisions and culture. And when specific malware sets are selectively deployed, that may tell us something about how efforts are divided.

SPLM full backdoor and plugins crypto and strings v4
973ff7eb7a5b720c5f6aafe4cd0469d5
Summary: SPLM is being carved up and delivered as memory-only chunks of compiled code. We observe the “retranslator” code, or ProcessRetranslator.dll, currently being delivered to systems without the presence of the previous, large, SPLM code and injection capabilities. The smaller plugins deployed in 2018 now maintain the same dynamic encryption code as the large 330kb full SPLM backdoors seen in more widespread use in 2017. Strings are well organized and concise.

Code and strings example (decrypted from 2018 “ProcessRetranslator.dll” plugin):

success command not correct
error save parameters
error set parameters for channel, see full info
command processing error
not correct command
command loading func/net module error
command unloading func/net module error
cmd.exe
Retranslator is now launched
Retranslator is now stopped
the process is destroyed
one thread has died so the process is killed too
create process failed on: (%s) , error (%d)
Retranslator is already running
Retranslator is not running
exit
command is successful
command is unsuccessful

SPLM crypto v3 (DNC hack)
cc9e6578a47182a941a478b276320e06
Summary: This earlier SPLM variant found on the DNC network in 2016 still maintains the internal name “splm.dll”, with only one export “init” that was called at runtime. The C++ structure of this 280kb+ dll is familiar SPLM/CHOPSTICK, but it maintains a completely different cipher for decrypting configuration data and error messages, etc. The loop performing the bulk of the work is less than 100 bytes, performing pointer arithmetic alongside a couple xor operations of a lower nibble against sequential bytes.

Here, the cipher uses a modolo pointer arithmetic along with a decryption key per blob. Reviewing all the older ciphers and newer EC based ciphers in openssl and elsewhere results in no match.

WhiteBear code and strings
Summary: WhiteBear is a cluster of activity targeting foreign embassies and MFA organizations, starting in early 2016 and continued into early 2017. Our private GReAT report on this activity pushed in February 2017, and a public report from another vendor described much of the same content almost seven months later as “Gayzer”. It appeared to be a parallel project to WhiteAtlas Turla, and maintained quirks like modular, well logged code with an elegant, professional RSA and 3DES encryption implementation and high quality code injection capabilities, but lots of immature and crude language and english mistakes. Clearly, english and maturity was not the developers’ native language.

While WhiteBear is Turla related, it is interesting to compare to other ongoing development styles. Strings and code are crass.

Debug and command strings

i cunt waiting anymore #%d
lights aint turnt off with #%d
Not find process
CMessageProcessingSystem::Receive_NO_CONNECT_TO_GAYZER
CMessageProcessingSystem::Receive_TAKE_LAST_CONNECTION
CMessageProcessingSystem::Send_TAKE_FIN

Zebrocy custom crypto
Summary: innovative .Net, AutoIT, Delphi, and powershell components are continually updated and deployed to new and old targets. Cryptography ranges from built-in windows api to custom RC4-based ciphers. Strings and code are simple, innovative, and concise.

Code:

Targeting Overlap and a Pivot to Asia
News headlines repeatedly trumpet Sofacy’s foray into Western targets in the US and Europe, especially those connected with NATO. But these efforts only tell a portion of the Sofacy story.

Delineating groups and activity can be messy, and there appears to be overlap in targeting efforts across varying groups in central and east asia throughout 2017 and into 2018. Sofacy has been heavily interested in military and foreign affairs organizations here, resulting in multiple overlapped and competing targeting scenarios:

Mosquito Turla and Zebrocy clusters – Zebrocy clusters targeting diplomatic and commercial organizations within Europe and Asia that match Mosquito targeting profiling
SPLM overlap with traditional Turla – often Turla precedes SPLM deployments
SPLM overlap with Zebrocy – Zebrocy often precedes SPLM deployments
SPLM overlap with Danti
Currently, Sofacy targets large air-defense related commercial organizations in China with SPLM, and moves Zebrocy focus across Armenia, Turkey, Kazahkstan, Tajikistan, Afghanistan, Mongolia, China, and Japan. A previous, removed, report from another vendor claimed non-specific information about the groups’ interest in Chinese universities, but that report has been removed – most likely detections were related to students’ and researchers’ scanning known collected samples and any “incidents” remain unconfirmed and unknown. On the other hand, this Chinese conglomerate designs and manufactures aerospace and air defense technologies, among many other enterprises. And here, an interest in military technologies is certainly within Sofacy purview.

So, even more interesting than the shift eastward and other targeting overlap, is that the specific target system in China was previously a Grey Lambert target. The Sofacy modules at this system appeared to never touch disk, and resemble the Linux Fysbis code. Only one maintained the Filesystem.dll code, while another maintained ProcessRetranslator.dll code. However, it is unusual that a full SPLM backdoor was not detected on this system, nor was any powershell loader script. Because the injection source remains unidentified on such a unique system, we might speculate on what is going on here:

Sofacy attackers had recorded a previous Grey Lambert remote session and replayed the communication after discovering this host, essentially compromising the Grey Lambert module on the system to gain access and later injecting SPLM modules
Grey Lambert attackers inserted false flag and reduced SPLM modules
a new and unrecognized, full variant of SPLM attempted to inject module code into memory and deleted itself
an unknown new powershell script or legitimate but vulnerable web app was exploited to load and execute this unusual SPLM code
In all likelihood, the last option is accurate.

Conclusion
Sofacy is such a large, active group that appears to maintain multiple sub-groups and efforts that all fit under the Sofacy “umbrella”. Sometimes, they share infrastructure, but more often they do not share infrastructure and appear to compete for access within targets. Either way, the group’s consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion.

SPLM did not change in substantial ways for several years, and now it is being split up and used for just functional modules. And much of the malware being deployed by Sofacy is quickly changed from C/C++ to .Net to powershell. Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well. It is easy to expect deliberate changes within this group in 2018, with even more .Net, Delphi, and powershell ports of various tools appearing at Sofacy targets throughout the year.

Technical Appendix
Early 2018 Reference Set
SPLM
452ed4c80c1d20d111a1dbbd99d649d5

ZEBROCY
efd8a516820c44ddbf4cc8ed7f30df9c
ff0e4f31a6b18b676b9518d4a748fed1

GAMEFISH
bd3e9f7e65e18bb9a7c4ff8a8aa3a784

GREY LAMBERT
86146d38b738d5bfaff7e85a23dcc53e

GREYWARE/PEN-TESTING NBTSCAN
f01a9a2d1e31332ed36c1a4d2839f412


The Slingshot APT FAQ
10.3.2018 Kaspersky  APT
While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim´s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

Why did you call the intruder Slingshot?
The name appears unencrypted in some of the malicious samples – it is the name of one of the threat actor’s components, so we decided to extend it to the APT as a whole.

When was Slingshot active?
The earliest sample we found was compiled in 2012 and the threat was still active in February 2018.

How did the threat attack and infect its victims?
Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable – and, to the best of our knowledge, unique.

We believe that most of the victims we observed appeared to have been initially infected through a Windows exploit or compromised Mikrotik routers.

How exactly does infection happen?
The exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.

One of them – ipv4.dll – has been placed by the APT with what is, in fact, a downloader for other malicious components. Winbox Loader downloads this ipv4.dll library to the target’s computer, loads it in memory and runs it.

This DLL then connects to a hardcoded IP and port (in every cases we saw it was the router’s IP address), downloads the other malicious components and runs them.

To run its code in kernel mode in the most recent versions of operating systems, that have Driver Signature Enforcement, Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities. .

Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications.

Canhadr, also known as NDriver, contains low-level routines for network, IO operations and so on. Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen – a remarkable achievement. Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.

Are Mikrotik the only affected routers?
Some victims may have been infected through other routes. During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components.

Did you inform the affected vendor?
Although the available intelligence is limited and we are not sure what kind of exploit was used to infect routers, we provided Mikrotik with all information available.

What can users of Mikrotik routers do to protect themselves?
Users of Mikrotik routers should upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. Further, Mikrotik Winbox no longer downloads anything from the router to the user’s computer.

What are the advantages of achieving kernel mode?
It gives intruders complete control over the victim computer. In kernel mode malware can do everything. There are no restrictions, no limitations, and no protection for the user (or none that the malware can’t easily bypass).

What kind of information does Slingshot appear to be looking for?
Slingshot’s main purpose seems to be cyber-espionage. Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard and more, although its kernel access means it can steal whatever it wants.

But with full access to the kernel part of the system, it can steal whatever it wants – credit card numbers, password hashes, social security account numbers – any type of data.

How did Slingshot avoid detection?
The threat actor combined a number of known approaches to protect it very effectively from detection: including encrypting all strings in its modules, calling system services directly in order to bypass security-product hooks, using a number of Anti-bug techniques, and more.

Further, it can shut down its components, but ensure they complete their tasks before closing. This process is triggered when there are signs of an imminent in-system event, such as a system shutdown, and is probably implemented to allow user-mode components of the malware to complete their tasks properly to avoid detection during any forensic research.

You said that it disables disk defragmentation module in Windows OS. Why?
This APT uses its own encrypted file system and this can be located among others in an unused part of a hard drive. During defragmentation, the defrag tool relocates data on disk and this tool can write something to sectors where Slingshot keeps its file systems (because the operating system thinks these sectors are free). This will damage the encrypted file system. We suspect that Slingshot tries to disable defragmentation of these specific areas of the hard drive in order to prevent this from happening.

How does it exfiltrate data?
The malware exfiltrates data through standard networks channels, hiding the traffic being extracted by hooking legitimate call-backs, checking for Slingshot data packages and showing the user (and users’ programs like sniffers and so on) clear traffic without exfiltrated data.

Does it use exploits to zero-day vulnerabilities? Any other exploits?
We haven’t seen Slingshot exploit any zero-days, but that doesn’t mean that it doesn’t – that part of a story is still unclear for us. But it does exploit known vulnerabilities in drivers to pass executable code into kernel mode. These vulnerabilities include CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.

What is the victim profile and target geography?
So far, researchers have seen around 100 victims of Slingshot and its related modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of the victims appear to be targeted individuals rather than organizations, but there are some government organizations and institutions. Kenya and the Yemen account for most of the victims observed to date.

What do we know about the group behind Slingshot?
The malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has existed for a considerable length of time. The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized and professional and probably state-sponsored.

Text clues in the code suggest it is English-speaking. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers has been seen before in other malware, such as White and Grey Lambert. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.


APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware
10.3.2018 thehackernews APT

Security researchers at Kaspersky have identified a sophisticated APT hacking group that has been operating since at least 2012 without being noticed due to their complex and clever hacking techniques.
The hacking group used a piece of advanced malware—dubbed Slingshot—to infect hundreds of thousands of victims in the Middle East and Africa by hacking into their routers.
According to a 25-page report published [PDF] by Kaspersky Labs, the group exploited unknown vulnerabilities in routers from a Latvian network hardware provider Mikrotik as its first-stage infection vector in order to covertly plant its spyware into victims' computers.


Although it is unclear how the group managed to compromise the routers at the first place, Kaspersky pointed towards WikiLeaks Vault 7 CIA Leaks, which revealed the ChimayRed exploit, now available on GitHub, to compromise Mikrotik routers.
Once the router is compromised, the attackers replace one of its DDL (dynamic link libraries) file with a malicious one from the file-system, which loads directly into the victim’s computer memory when the user runs Winbox Loader software.

Winbox Loader is a legitimate management tool designed by Mikrotik for Windows users to easily configure their routers that downloads some DLL files from the router and execute them on a system.
This way the malicious DLL file runs on the targeted computer and connects to a remote server to download the final payload, i.e., Slingshot malware.
Slingshot malware includes two modules—Cahnadr (a kernel mode module) and GollumApp (a user mode module), designed for information gathering, persistence and data exfiltration.


Cahnadr module, aka NDriver, takes care of anti-debugging, rootkit and sniffing functionality, injecting other modules, network communications—basically all the capabilities required by user-mode modules.
"[Cahnadr is a] kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen—a remarkable achievement," Kaspersky says in its blog post published today.
"Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection."
Whereas GollumApp is the most sophisticated module which has a wide range of spying functionalities that allow attackers to capture screenshots, collect network-related information, passwords saved in web browsers, all pressed keys, and maintains communication with remote command-and-control servers.

Since GollumApp runs in kernel mode and can also run new processes with SYSTEM privileges, the malware gives attackers full control of the infected systems.
Although Kaspersky has not attributed this group to any country but based on clever techniques it used and limited targets, the security firm concluded that it is definitely a highly skilled and English-speaking state-sponsored hacking group.
"Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable—and, to the best of our knowledge, unique," the researchers say.
The victims include most of the times individuals and some government organizations across various countries including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.


North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware
10.3.2018 securityaffairs APT

McAfee Advanced Threat Research team discovered that the Hidden Cobra APT group is targeting financial organizations in Turkey.
North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system.

Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted by Hidden Cobra against the global payment network SWIFT.

Bankshot was first reported by the US DHS in December, now new variants of the malicious code were observed in the wild The sample analyzed by McAfee is 99% similar to the variants detected in 2017.

The hackers used spear-phishing messages with a weaponized Word document containing an embedded Flash exploit that triggers the CVE-2018-4878, Flash vulnerability that was disclosed in late January.

Adobe promptly patched the vulnerability with an emergency patch, but many computers are still vulnerable because the owners did not apply the patch,

According to McAfee, the implant’s first target was a major government-controlled financial organization that was targeted on March 2 and 3.

Later, the same malware implant infected a Turkish government organization involved in finance and trade and a large financial institution.

The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations.

The attackers leveraged the Flash exploit to deliver the Bankshot RAT.

“Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity.” reads the analysis published by McAfee.

“The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. “

Spear phishing messaged used a Word document with the filename Agreement.docx, that appears as a template for Bitcoin distribution.

Hidden Cobra bait document

When the open it, the code it contains download malicious DLLs from falcancoin.io domain.

Experts discovered that the DLLs communicate with three control servers whom URLs are hardcoded in the implants’ code.

“The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code” continues McAfee.

The malicious code is able to perform several malicious operations, including file deletion, process injection, and exfiltration over command and control channel.

Further details, included the Indicators of Compromise (IoCs) are included in the analysis.


Sofacy Attacks Overlap With Other State-Sponsored Operations
9.3.2018 securityweek BigBrothers  APT 
Attack

Kurt Baumgartner details latest Sofacy attacks at Kaspersky SAS

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - Attacks carried out by a Russian threat group appear to overlap with campaigns conducted by other cyberspies, including ones linked by researchers to China and the United States.

Kaspersky Lab revealed last month that the Russian threat actor known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium had shifted its focus from NATO member countries and Ukraine to Central Asia and further east, including China.

On Friday, at Kaspersky’s Security Analyst Summit (SAS), researcher Kurt Baumgartner revealed that the group appears to be particularly interested in military, defense and diplomatic entities in the far east.

Baumgartner also revealed that the attacks launched by Sofacy sometimes overlap with the operations of other state-sponsored cyberspies in terms of victims.

For instance, researchers discovered Sofacy’s Zerbrocy malware on machines that had also been compromised by Mosquito, a backdoor associated with Turla, a different threat actor linked to Russia. Shared victims include diplomatic and commercial organizations in Europe and Asia.

Sofacy’s SPLM malware (aka CHOPSTICK and X-Agent) was found on devices that had also been infected with other Turla malware, which often precedes SPLM.

SPLM has also been spotted on the same systems as malware known to have been used by a China-linked actor known as Danti.

According to Kaspersky, overlaps were generally found on systems belonging to government, technology, science, and military organizations in or based in Central Asia.

Another interesting overlap was between Sofacy and the English-speaking Lamberts group, which is also known as Longhorn. Security firms revealed last year that this cyber espionage group had been using some of the Vault 7 tools leaked by WikiLeaks. These tools are believed to have been developed and used by the U.S. Central Intelligence Agency (CIA).

Kaspersky said it had identified Sofacy backdoors and malware associated with the Lamberts, specifically Grey Lambert, on a server belonging to a military and aerospace conglomerate in China.

Researchers admit, however, that the presence of both Lamberts and Sofacy malware on the server could simply mean that the former planted a false flag, considering that the original delivery vector for the Sofacy tool remains unknown. It’s also possible that the Russian group exploited a previously unknown vulnerability, or that it somehow harnessed the Grey Lambert malware to download its own tools. The most likely scenario, according to experts, is that the Sofacy malware was delivered using an unknown PowerShell script or a legitimate app in which the attackers discovered a flaw.

“Sofacy is sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured and agile. Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets,” Baumgartner said. “As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks.”

Kaspersky recently spotted the SPLM malware being used in an attack aimed at major air defense organization in China, while the Zebrocy tool has been used in high volume campaigns targeting entities in Armenia, Turkey, Tajikistan, Kazakhstan, Afghanistan, Mongolia, Japan and China.


New North Korea-linked Cyberattacks Target Financial Institutions
9.3.2018 securityweek APT

New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey

Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network.

An analysis published by senior analyst of major campaigns, Ryan Sherstobitoff, says McAfee believes this operation is intended to gain access to specific Turkish financial organizations via targeted spear-phishing, using a weaponized Word document containing an embedded Flash exploit. The Flash vulnerability only surfaced at the end of January 2018, but is thought to have been exploited by North Korean actors since mid-November 2017. It was patched by Adobe within a week; but any computer that has not yet updated Flash to the latest version will remain vulnerable.

McAfee's report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack -- which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim's system.

Nortk Korea FlagUS-CERT issued a malware analysis report (MAR) on Bankshot (PDF) in December 2017. It describes it as malware used by the North Korean government, whose cyber activity is conducted by actors it calls Hidden Cobra. McAfee says the variant it has analyzed "is 99% similar to the documented Bankshot variants from 2017."

In the spear-phishing campaign, the Bankshot implant was associated with a Word document with the filename Agreement.docx. It masquerades as an agreement template for Bitcoin distribution. Once activated, malicious DLLs are downloaded from falcancoin.io -- a lookalike domain name to the legitimate cryptocurrency-lending platform Falcon Coin.

The DLLs communicate with three control servers (the URLs are hardcoded in the implants' code), two of them Chinese-language online gambling sites. Based on the response received from the control server, the malware can carry out a wide range of malicious tasks centered on gathering system data and controlling system processes. It also contains two methods of file deletion capable of erasing evidence of presence and other destructive actions. After every action, the malware sends a response to the control server indicating whether the action was successful.

Hidden Cobra has been linked to several attacks against financial institutions. "This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript," writes Sherstobitoff. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector."

North Korean actors are credited with the 2015/2016 attacks on the SWIFT network. No evidence was found to suggest that this version is designed to conduct financial transactions; "rather," writes Sherstobitoff, "it is a channel into the victim's environment, in which further stages of implants can be deployed for financial reconnaissance."

McAfee is confident that it has uncovered a new Hidden Cobra (ie, North Korean government) reconnaissance campaign against Turkish financial institutions. In February, the Winter Olympic Games held in South Korea were hit by cyber-attacks dubbed Olympic Destroyer. Many commentators assumed the attacks came from North Korea -- an assumption supported by indicators within the malware.

By mid-February, Recorded Future warned against hasty attribution for Olympic Destroyer, despite the presence of code fragments previously used by North Korean actors. "The co-occurrence of code overlap in the malware," wrote Recorded Future, "may be indicative of a false flag operation, attempting to dilute evidence and confuse researchers."

More recently, Kaspersky Lab concluded that despite the presence of a unique fingerprint tying Olympic Destroyer to Lazarus (Hidden Cobra), there is other evidence suggesting the involvement of the Russian group known as Sofacy or APT28. One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its own campaigns on Russian actors.

Given the relative ease and increasing frequency of so-called 'false flag' cyber-attacks, SecurityWeek asked McAfee how certain it is that Hidden Cobra is the group behind the Turkish attacks. "McAfee takes attribution very seriously," relied Ryan Sherstobitoff. "As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators. While the private sector can rarely claim 100% confidence in attack attribution without access to the same resources possessed by government and law enforcement agencies, we can say that the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra by the United States Government, are very strong indicators of the acting group."

"We have found," concludes McAfee, "what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries)." It warns that the attack has a high chance of success against victims with an unpatched version of Flash. "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal."


Olympic Destroyer, alleged artifacts and false flag make attribution impossible
9.3.2018 securityaffairs
Attack  APT

According to Kaspersky Lab, threat actors behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malicious code.
On February 9, shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

Hackers used the so-called Olympic Destroyer, a strain of malware that allowed the attackers to wipe files and make systems inoperable.

olympic destroyer

Experts discovered that the malware leverages the EternalRomance NSA exploit to spread via the SMB protocol.

Initially, experts blamed North Korea for the attack, later intelligence officers attributed the cyber attack to Russia.

According to Talos team, there are many similarities between the Pyeongchang attack, which they are dubbing ‘Olympic Destroyer”’, and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on destruction and disruption of equipment not exfiltration of data or other, more subtle attacks. Using legitimate tools such as PsExec and WMI the attackers are specifically targeting the pyeongchang2018.com domain attempting to steal browser and system credentials to move laterally in the network and then wiping the victim computer to make it unusable.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.” reads the analysis published by Talos.

Kaspersky experts found samples of the malware at several ski resorts in South Korea, even if they analyzed the malicious code they were not able to attribute the attack to a specific actor.

olympic destroyer 2

The experts identified a unique “fingerprint” associated with the North Korea-linked Lazarus APT, but other evidence collected by the experts revealed important inconsistencies suggesting a false flag operation.

“What we discovered next brought a big shock. Using our own in-house malware similarity system we have discovered a unique pattern that linked Olympic Destroyer to Lazarus. A combination of certain code development environment features stored in executable files, known as Rich header, may be used as a fingerprint identifying the malware authors and their projects in some cases. In case of Olympic Destroyer wiper sample analyzed by Kaspersky Lab this “fingerprint” gave a 100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab.” reads the analysis published by Kaspersky.

Kaspersky also found evidence that would suggest the malicious code was developed by the Russia-linked Sofacy APT (aka Pawn Storm, Fancy Bear, APT28, Sednit, Tsar Team, and Strontium.).

“we have seen attackers using NordVPN and MonoVM hosting. Both services are available for bitcoins, which make them the perfect tool for APT actors. This and several other TTPs have in the past been used by the Sofacy APT group, a widely known Russian-language threat actor.” continues Kaspersky.

Is it possible that Russian APT attempted to frame Lazarus? Maybe.

Another possible scenario sees Lazarus using false flag in the Olympics attack.

“There are some open questions about the attacker’s motivation in this story. We know that the attackers had administrative accounts in the affected networks. By deleting backups and destroying all local data they could have easily devastated the Olympic infrastructure. Instead, they decided to do some “light” destruction: wiping files on Windows shares, resetting event logs, deleting backups, disabling Windows services and rebooting systems into an unbootable state.” concluded Kaspersky.

“When you add in the multiple similarities to TTPs used by other actors and malware, intentional false flags and relatively good opsec, it merely raises more questions as to the purpose of all this.”

This case demonstrates the difficulty in the attribution of APT attacks.


Sophisticated False Flags Planted in Olympic Destroyer Malware
8.3.2018 securityweek
Virus  APT

Hackers Behind Olympic Destroyer Malware Used Sophisticated False Flag to Trick Researchers

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The hackers behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malware in an effort to trick researchers, Kaspersky Lab revealed on Thursday.

The Olympic Winter Games in Pyeongchang, South Korea, was hit by a cyberattack that caused temporary disruption to IT systems, including the official Olympics website, display monitors, and Wi-Fi connections. The attack involved Olympic Destroyer, a piece of malware designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. Compromised credentials are used to spread to other machines on the network.

Kaspersky has also spotted infections at several ski resorts in South Korea. The malware, which leverages a leaked NSA exploit known as EternalRomance to spread via the SMB protocol, temporarily disrupted ski gates and lifts at the affected resorts.

Several cybersecurity firms launched investigations into the Olympic Destroyer attack shortly after the news broke, and while they mostly agreed on the malware’s functionality, they could not agree on who was behind the operation. Some pointed the finger at North Korea, while others blamed China or Russia, leading some industry professionals to warn against this type of knee-jerk attribution.

Kaspersky researchers also analyzed the Olympic Destroyer worm in an effort to determine who was behind the attack. While they have’t been able to identify the culprit, experts have found some interesting clues.

The security firm has found a unique “fingerprint” associated with the notorious Lazarus Group, which has been linked to North Korea and blamed for high profile attacks such as the one on Sony, the WannaCry campaign, and various operations targeting financial organizations.

This fingerprint was a 100% match to known Lazarus malware components and it did not appear in any other files from Kaspersky’s database. While this piece of evidence and the type of attack suggested that Olympic Destroyer could be the work of North Korea, other data gathered by researchers as a result of an on-site investigation at a South Korean target revealed inconsistencies.

Experts determined that the unique fingerprint was likely a sophisticated false flag planted by the attackers to throw investigators off track.

“To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artifact is very hard to prove,” explained Vitaly Kamluk, head of the APAC research team at Kaspersky. “It’s as if a criminal had stolen someone else’s DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are willing to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.”

In addition to this apparent link to North Korea, Kaspersky has found evidence that would suggest the involvement of the notorious group known as Sofacy, Fancy Bear, APT28 and Pawn Storm, which is widely believed to be sponsored by the Russian government.

One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its campaigns on Russian actors. It’s also possible that the false flag used in the Olympics attack is part of the hackers’ efforts to improve their deception techniques.

Links to China have been found by Intezer, which specializes in recognizing code reuse. Its analysis led to the discovery of numerous code fragments uniquely linked to threat groups tracked as APT3, APT10 and APT12.


Iran-Linked Chafer Group Expands Toolset, Targets List
2.3.2018 securityweek  APT
The Iran-based targeted attack group known as "Chafer" has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns.

Last year, the group engaged in a series of ambitious new attacks, hitting a major telecom companies in the Middle East and also attempting to attack a major international travel reservations firm. Active since at least July 2014 and already detailed a couple of years ago, Chafer is mainly focused on surveillance operations and the tracking of individuals.

During 2017, the group used seven new tools, rolled out new infrastructure, and hit nine new organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Targets included airlines, aircraft services, software and IT services firms serving the air and sea transport sectors, telecoms, payroll services, engineering consultancies, and document management software companies.

The group also targeted an African airline and attempted to compromise an international travel reservations firm, Symantec discovered.

Last year, Chafer compromised a telecoms services provider in the Middle East, a company that sells solutions to multiple telecom operators in the region. The compromise could have potentially allowed the attackers to carry out surveillance on a vast pool of end-users.

In attacks observed in 2015, the group was attacking the web servers of organizations, likely through SQL injection attacks. Last year, the group also started using malicious documents to drop malware, likely sent via spear-phishing emails to individuals working in targeted organizations.

Said documents were Excel spreadsheets carrying a malicious VBS file that would run a PowerShell script to execute a dropper on the compromised machine. In turn, the dropper would install an information stealer, a screen capture utility, and an empty executable.

The screen capture tool only had a role in the initial information gathering stage, the information stealer targeted the contents of the clipboard, took screenshots, recorded keystrokes, and stole files and user credentials. Next, the attackers would download additional tools onto the infected computer and attempted lateral movement on the victim’s network.

Recently, Chafer employed seven new tools in addition to the malware already associated with the group. Most of these tools, Symantec points out, are freely available, off-the-shelf tools that have been put to a malicious use.

These include Remcom, an open-source alternative to PsExec; Non-sucking Service Manager (NSSM), an open-source alternative to the Windows Service Manager; a custom screenshot and clipboard capture tool; SMB hacking tools, including the EternalBlue exploit; GNU HTTPTunnel, an open-source tool to create a bidirectional HTTP tunnel on Linux computers; UltraVNC, an open-source remote administration tool for Windows; and NBTScan, a free tool for scanning IP networks for NetBIOS name information.

Additionally, the group continued to use tools such as its own custom backdoor Remexi, PsExec, Mimikatz, Pwdump, and Plink.

Chafer apparently used the tools in concert to traverse targeted networks. NSSM was recently adopted for persistence and to install a service to run Plink, which opens reverse SSH sessions to presumably gain RDP access to the compromised computer. Next, PsExec, Remcom, and SMB hacking tools are leveraged for lateral movement.

The new infrastructure used in recent attacks included the domain win7-updates[.]com as a command and control (C&C) address, along with multiple IP addresses, though it’s unclear whether these were leased or hijacked. On a staging server apparently used by the attackers, the researchers found copies of many of the group’s tools.

According to Symantec, Chafer’s activities have some links to Oilrig, another Iran-based cyberespionage group. Both appear to be using the same IP address for C&C address, as well as a similar infection vector, an Excel document dropping a malicious VBS file referencing to the same misspelled file path.

While this could suggest that the two groups are one and the same, there isn’t enough evidence to support that hypothesis, Symantec says. More likely, the “two groups are known to each other and enjoy access to a shared pool of resources,” the researchers suggest.

Chafer’s recent activities show not only that the group remains highly active, but also that it has become more audacious in its choice of targets. Similar to other targeted attack groups, it has been relying on freely available software tools for malicious activities, and also moved to supply chain attacks, which are more time consuming and more likely to be discovered.

“These attacks are riskier but come with a potentially higher reward and, if successful, could give the attackers access to a vast pool of potential targets,” Symantec concludes.


Russia-linked Hackers Directly Targeting Diplomats: Report
2.3.2018 securityweek  APT

The Russia-linked cyber espionage group Sofacy has been targeting foreign affairs agencies and ministries worldwide in a recently discovered campaign, Palo Alto Networks warns.

The hacking group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Strontium, has been highly active recently, and new evidence shows activity directly targeting diplomats in North America and Europe, including those at a European embassy in Moscow.

Sofacy was supposedly behind the attacks on the 2016 United States presidential election, but also hit Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, when it even used zero-day exploits, but then started to shift its focus towards the Middle East and Central Asia.

Palo Alto Networks has now uncovered two parallel efforts within a new Sofacy campaign, each using its own set of tools for attacks. One of the efforts was observed in the beginning of February 2018 to use phishing emails as the attack vector, to target an organization in Europe and another in North America.

The message spoofed the sender address of Jane’s by IHSMarkit, a well-known supplier of information and analysis. The email carried an attachment claiming to be a calendar of events relevant to the targeted organizations, but was a Microsoft Excel spreadsheet containing a malicious macro script.

The attackers used a white font color to hide the content of the document to the victim and lure them into enabling macros. Once that happens, the script changes the text color to black.

The macro also retrieves content from several cells to obtain a base64 encoded payload, writes it to a text file in the ProgramData folder, and leverages the command certutil -decode to decode the contents to an .exe file, which it runs after two seconds.

The executable is a loader Trojan that decrypts an embedded payload (DLL) and saves it to a file. Next, it creates a batch file to run the DLL payload, and writes the path to the batch file to a registry key, for persistence.

The installed malware is a variant of SofacyCarberp, which has been extensively used by the threat group in attacks. The malware performs initial reconnaissance by gathering system information, then sends the data to the command and control (C&C) server and fetches additional tools.

Both the loader and the SofacyCarberp variant used in the attack are similar to samples previously analyzed, yet they include several differences, such as a new hashing algorithm to resolve API functions and find browser processes for injection, and modified C&C communication mechanisms.

The security researchers also believe the group may have used the Luckystrike open-source tool to generate the malicious document and/or the macro, as the macro in the document closely resembles those found within the Microsoft PowerShell-based tool. The only difference between the two, besides random function name and random cell values, would be the path to the “.txt” and “.exe” files.

The security researchers also noticed that the Sofacy group registered new domains as part of the campaign, but that it used a default landing page they employed in other attacks as well. The domain used in this attack, cdnverify[.]net was registered on January 30, 2018.

“No other parts of the C&C infrastructure amongst these domains contained any overlapping artifacts. Instead, the actual content within the body of the websites was an exact match in each instance,” Palo Alto notes.

“The Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. This leads us to believe that their attack attempts are likely still succeeding, even with the wealth of threat intelligence available in the public domain,” Palo Alto concludes.


DPA Report: Russia-linked APT28 group hacked Germany’s government network
1.3.2018 securityaffairs APT  BigBrothers

Germany Government confirmed that hackers had breached its computer network and implanted a malware that was undetected for one year.
German news agency DPA reported that Russian hackers belonging to the APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium) have breached Germany’s foreign and interior ministries’ online networks.

The agency, quoting unnamed security sources, revealed that the APT28 hackers planted malware in the ministries’ networks. The malicious code was undetected as long as a year.

“A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.” reported the ABCnews.

The German Government discovered the intrusion in December but the experts believe that the hackers were inside the networks as long as a year. The DPA also added that hackers were able to penetrate an isolated government IT network.

“within the federal administration the attack was isolated and brought under control.” said the Interior Ministry that also confirmed an ongoing investigation.

“This case is being worked on with the highest priority and considerable resources,” the ministry added.

The hackers exfiltrated 17 gigabytes of data that could be used in further attacks against the German Government.

APT28 targets Germany

This isn’t the first time that Russia-linked APT28 was blamed for a cyber attack against Germany, in 2015 the APT group hacked into the systems of the German Parliament.

What will happen in the future?

Top German intelligence officials are requesting to the government to hack back attackers in case of a cyber attack from a foreign government


A Slice of 2017 Sofacy Activity
25.2.2018 Kaspersky
Phishing  APT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.

This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.

In 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.

Sofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. And later 2016, their focus turned towards the Olympics’ and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like “anonpoland”, and data from victimized organizations were similarly leaked and “weaponized”.

This write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.

Dealer’s Choice
The beginning of 2017 began with a slow cleanup following the Dealer’s Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their carberp based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer’s Choice spearphish. Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests.

In multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:

The global reach that coincided with this focus on NATO and the Ukraine couldn’t be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017.
AM, AZ, FR, DE, IQ, IT, KG, MA, CH, UA, US, VN

DealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:
TR, PL, BA, AZ, KR, LV, GE, LV, AU, SE, BE

0day Deployment(s)
Sofacy kicked off the year deploying two 0day in a spearphish document, both a Microsoft Office encapsulated postscript type confusion exploit (abusing CVE-2017-0262) and an escalation of privilege use-after-free exploit (abusing CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming “Trump’s_Attack_on_Syria_English.docx”. Again, this deployment was likely a part of their focus on NATO targets.

Light SPLM deployment in Central Asia and Consistent Infrastructure
Meanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.

Targeting included TR, KZ, AM, KG, JO, UK, UZ

Heavy Zebrocy deployments
Since mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as “Zebrocy” and had written a few reports on its usage and development by June 2017 – Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled Autoit script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Targeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:</p style=”margin-bottom:0!important”>

Business accounting practices and standards
Science and engineering centers
Industrial and hydrochemical engineering and standards/certification
Ministry of foreign affairs
Embassies and consulates
National security and intelligence agencies
Press services
Translation services
NGO – family and social service
Ministry of energy and industry
We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions:</p style=”margin-bottom:0!important”>

.doc
.docx
.xls
.xlsx
.ppt
.pptx
.exe
.zip
.rar
At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method.

Zebrocy spearphishing targets:
AF, AM, AU, AZ, BD, BE, CN, DE, ES, FI, GE, IL, IN, JO, KW, KG, KZ, LB, LT, MN, MY, NL, OM, PK, PO, SA, ZA, SK, SE, CH, TJ, TM, TR, UA, UAE, UK, US, UZ

SPLM deployment in Central Asia
SPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted http (and sometimes smtp) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.

The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy selectively used SPLM/CHOPSTICK modules as second stage implants to high interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems and maintaining functionality that was originally present within the main module.

The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations’ presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.

Minor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.

Targets: TR, KZ, BA, TM, AF, DE, LT, NL

SPLM/CHOPSTICK/XAgent Modularity and Infrastructure
This subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.

Infrastructure Notes
Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.

As always, attackers make mistakes and give away hints about what providers and registrars they prefer. It’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.

Accordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on “8569985.securefastserver[.]com” with an email address “root@8569985.securefastserver[.]com”, as seen here for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.

In addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.

Conclusion
Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018.

With a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.

Technical Appendix
Related md5
8f9f697aa6697acee70336f66f295837
1a4b9a6b321da199aa6d10180e889313
842454b48f5f800029946b1555fba7fc
d4a5d44184333442f5015699c2b8af28
1421419d1be31f1f9ea60e8ed87277db
b1d1a2c64474d2f6e7a5db71ccbafa31
953c7321c4959655fdd53302550ce02d
57601d717fcf358220340675f8d63c8a
02b79c468c38c4312429a499fa4f6c81
85cd38f9e2c9397a18013a8921841a04
f8e92d8b5488ea76c40601c8f1a08790
66b4fb539806ce27be184b6735584339
e8e1fcf757fe06be13bead43eaa1338c
953c7321c4959655fdd53302550ce02d
aa2aac4606405d61c7e53140d35d7671
85cd38f9e2c9397a18013a8921841a04
57601d717fcf358220340675f8d63c8a
16e1ca26bc66e30bfa52f8a08846613d
f8e92d8b5488ea76c40601c8f1a08790
b137c809e3bf11f2f5d867a6f4215f95
237e6dcbc6af50ef5f5211818522c463
88009adca35560810ec220544e4fb6aa
2163a33330ae5786d3e984db09b2d9d2
02b79c468c38c4312429a499fa4f6c81
842454b48f5f800029946b1555fba7fc
d4a5d44184333442f5015699c2b8af28
b88633376fbb144971dcb503f72fd192
8f9f697aa6697acee70336f66f295837
b6f77273cbde76896a36e32b0c0540e1
1a4b9a6b321da199aa6d10180e889313
1421419d1be31f1f9ea60e8ed87277db
1a4b9a6b321da199aa6d10180e889313
9b10685b774a783eabfecdb6119a8aa3
aa34fb2e5849bff4144a1c98a8158970
aced5525ba0d4f44ffd01c4db2730a34
b1d1a2c64474d2f6e7a5db71ccbafa31
b924ff83d9120d934bb49a7a2e3c4292
cdb58c2999eeda58a9d0c70f910d1195
d4a5d44184333442f5015699c2b8af28
d6f2bf2066e053e58fe8bcd39cb2e9ad
34dc9a69f33ba93e631cd5048d9f2624
1c6f8eba504f2f429abf362626545c79
139c9ac0776804714ebe8b8d35a04641
e228cd74103dc069663bb87d4f22d7d5
bed5bc0a8aae2662ea5d2484f80c1760
8c3f5f1fff999bc783062dd50357be79
5882a8dd4446abd137c05d2451b85fea
296c956fe429cedd1b64b78e66797122
82f06d7157dd28a75f1fbb47728aea25
9a975e0ddd32c0deef1318c485358b20
529424eae07677834a770aaa431e6c54
4cafde8fa7d9e67194d4edd4f2adb92b
f6b2ef4daf1b78802548d3e6d4de7ba7
ede5d82bb6775a9b1659dccb699fadcb
116d2fc1665ce7524826a624be0ded1c
20ff290b8393f006eaf4358f09f13e99
4b02dfdfd44df3c88b0ca8c2327843a4
c789ec7537e300411d523aef74407a5e
0b32e65caf653d77cab2a866ee2d9dbc
27faa10d1bec1a25f66e88645c695016
647edddf61954822ddb7ab3341f9a6c5
2f04b8eb993ca4a3d98607824a10acfb
9fe3a0fb3304d749aeed2c3e2e5787eb
62deab0e5d61d6bf9e0ba83d9e1d7e2b
86b607fe63c76b3d808f84969cb1a781
f62182cf0ab94b3c97b0261547dfc6cf
504182aaa5575bb38bf584839beb6d51
d79a21970cad03e22440ea66bd85931f

Related domains
nethostnet[.]com
hostsvcnet[.]com
etcrem[.]net
movieultimate[.]com
newfilmts[.]com
fastdataexchange[.]org
liveweatherview[.]com
analyticsbar[.]org
analyticstest[.]net
lifeofmentalservice[.]com
meteost[.]com
righttopregnantpower[.]com
kiteim[.]org
adobe-flash-updates[.]org
generalsecurityscan[.]com
globalresearching[.]org
lvueton[.]com
audiwheel[.]com
online-reggi[.]com
fsportal[.]net
netcorpscanprotect[.]com
mvband[.]net
mvtband[.]net
viters[.]org
treepastwillingmoment[.]com
sendmevideo[.]org
satellitedeluxpanorama[.]com
ppcodecs[.]com
encoder-info[.]tk
wmdmediacodecs[.]com
postlkwarn[.]com
shcserv[.]com
versiontask[.]com
webcdelivery[.]com
miropc[.]org
securityprotectingcorp[.]com
uniquecorpind[.]com
appexsrv[.]net
adobeupgradeflash[.]com


Iran-linked group OilRig used a new Trojan called OopsIE in recent attacks
24.2.2018 securityaffairs BigBrothers  APT

According to malware researchers at Palo alto Networks, the Iran-linked OilRig APT group is now using a new Trojan called OopsIE.
The Iran-linked OilRig APT group is now using a new Trojan called OopsIE, experts at Palo Alto Networks observed the new malware being used in recent attacks against an insurance agency and a financial institution in the Middle East.

One of the attacks relied on a variant of the ThreeDollars delivery document, the same malicious document was sent by the threat actor to the UAE government to deliver the ISMInjector Trojan.

In the second attack detected by PaloAlto, the OilRig hackers attempted to deliver the malicious code via a link in a spear phishing message.

“On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial institution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE.” reads the analysis from Palo Alto Networks.

The first attack occurred on January 8, 2018, the hackers sent two emails to two different email addresses at the target organization within a six minutes time span. Attackers spoofed the email address associated with the Lebanese domain of a major global financial institution.

OilRig launched another attack on January 16, in this case, the attackers downloaded the OopsIE Trojan from the command and control (C&C) server directly. The same organization was hit by OilRig for the second time, the first attacks occurred in 2017.

The researchers explained that the malware is packed with SmartAssembly and obfuscated with ConfuserEx.

The hackers gain persistence by creating a VBScript file and a scheduled task to run itself every three minutes. The OopsIE Trojan communicates with the C&C over HTTP by using the InternetExplorer application object.

“By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. The OopsIE Trojan is configured to use a C2 server hosted at:

www.msoffice365cdn[.]com” states the analysis.

“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon”

OilRig

The Trojan can run a command, upload a file, or download a specified file.

Oilrig will continue to adapt its tactics, the experts believe that it will remain a highly active threat actor in the Middle East region.

“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.


Russia-linked Sofacy APT group shift focus from NATO members to towards the Middle East and Central Asia
22.2.20218 securityaffairs APT

Experts from Kaspersky highlighted a shift focus in the Sofacy APT group’s interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.
The Russia-linked APT28 group (aka Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium.) made the headlines again, this time security experts from Kaspersky highlighted a shift focus in their interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

“Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017.” states Kaspersky.

The experts analyzed the infections of the Sofacy backdoor tracked as SPLM, CHOPSTICK and X-Agent, the APT group had been increasingly targeting former Soviet countries in Central Asia. The hackers mostly targeted telecoms companies and defense-related organization, primary target were entities in Turkey, Kazakhstan, Armenia, Kyrgyzstan, Jordan and Uzbekistan.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

Sofacy APT

“This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants.” states Kaspersky.

“This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.”

The Zebrocy tool was used by attackers to collect data from victims, researchers observed its involvement in attacks on accounting firms, science and engineering centers, industrial organizations, ministries, embassies and consulates, national security and intelligence agencies, press and translation services, and NGOs.

The researchers highlighted that the attack infrastructure used in the last attacks pointed to the Sofacy APT, the group has been fairly consistent throughout even if their TTPs were well documented by security firms across the years. Researchers at Kaspersky expect to see some significant changes this year.

“Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.” continues Kaspersky.

Further details are included in the analysis published by Kaspersky, including Indicators of Compromise (IOCs).


North Korean APT Group tracked as APT37 broadens its horizons
21.2.2018 securityweek APT

Researchers at FireEye speculate that the APT group tracked as APT37 (aka Reaper, Group123, ScarCruft) operated on behalf of the North Korean government.
Here we are to speak about a nation-state actor dubbed APT37 (aka Reaper, Group123, ScarCruft) that is believed to be operating on behalf of the North Korean government.

APT37 has been active since at least 2012, it made the headlines in early February when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

FireEye linked the APT37 group to the North Korean government based on the following clues:

the use of a North Korean IP;
malware compilation timestamps consistent with a developer operating in the North Korea time
zone (UTC +8:30) and follows what is believed to be a typical North Korean workday;
objectives that align with Pyongyang’s interests(i.e. organizations and individuals involved in Korean
Peninsula reunification efforts);
Researchers from FireEye revealed that the nation-state actor also targeted entities in Japan, Vietnam, and even the Middle East in 2017. The hackers targeted organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

“APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities” reads the report published by FireEye.

APT37 targets

Experts revealed that in 2017, the APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country.

The hackers leveraged several vulnerabilities in Flash Player and in the Hangul Word Processor to deliver several types of malware.

The arsenal of the group includes the RUHAPPY wiper, the CORALDECK exfiltration tool, the GELCAPSULE and HAPPYWORK downloaders, the MILKDROP and SLOWDRIFT launchers, the ZUMKONG infostealer, the audio-capturing tool SOUNDWAVE, and backdoors tracked by FireEye as DOGCALL, KARAE, POORAIM, WINERACK and SHUTTERSPEED.

“North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms. Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity.” concludes FireEye.

“We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”


North Korean Hacking Group APT37 Expands Targets
20.2.2018 securityweek APT

A lesser known hacker group believed to be working on behalf of the North Korean government has been expanding the scope and sophistication of its campaigns, according to a report published on Tuesday by FireEye.

The threat actor is tracked by FireEye as APT37 and Reaper, and by other security firms as Group123 (Cisco) and ScarCruft (Kaspersky). APT37 has been active since at least 2012, but it has not been analyzed as much as the North Korea-linked Lazarus group, which is said to be responsible for high-profile attacks targeting Sony and financial organizations worldwide.

Cisco published a report in January detailing some of the campaigns launched by the threat actor in 2017, but APT37 only started making headlines in early February when researchers revealed that it had been using a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

APT37, whose goals appear to align with North Korea’s military, political and economic interests, has mainly focused on targeting public and private entities in South Korea, including government, defense, military and media organizations.

However, according to FireEye, the group expanded its attacks to Japan, Vietnam and even the Middle East last year. The list of targets includes organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

North Korean hacker group APT37 expands targets

One of the targets in the Middle East was a telecommunications services provider that had entered an agreement with the North Korean government. The deal fell through, which is when APT37 started hacking the Middle Eastern company, likely in an effort to collect information, FireEye said.

APT37 has exploited several Flash Player and Hangul Word Processor vulnerabilities to deliver various types of malware, including the RUHAPPY wiper, the CORALDECK exfiltration tool, the GELCAPSULE and HAPPYWORK downloaders, the MILKDROP and SLOWDRIFT launchers, the ZUMKONG infostealer, the audio-capturing tool SOUNDWAVE, and backdoors tracked by FireEye as DOGCALL, KARAE, POORAIM, WINERACK and SHUTTERSPEED.

This malware has been delivered using social engineering tactics, watering holes, and even torrent sites for wide-scale distribution.

FireEye is highly confident that APT37 is linked to the North Korean government based on several pieces of evidence, including the use of a North Korean IP, malware compilation timestamps consistent with a typical workday in North Korea, and objectives that align with Pyongyang’s interests.

“North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms,” FireEye said in its report. “Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity. We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”

Neither Kaspersky nor Cisco have explicitly attributed the APT37 attacks to North Korea.


Gold Dragon Implant Linked to Pyeongchang Olympics Attacks
5.2.2018 securityweek APT
McAfee has discovered an implant that they believe was used as a second-state payload in the recent fileless attacks targeting organizations involved with the upcoming Olympics Games in Pyeongchang, South Korea.

In early January, McAfee's security researchers warned that hackers had already began targeting the Pyeongchang Olympic Games with malware-infected emails. The first such attacks reportedly took place on December 22, with the sender’s address spoofed to appear as if the messages came from the South Korea's National Counter-Terrorism Center.

The hackers were using a PowerShell implant to establish a channel to the attacker’s server and gather basic system-level data, but McAfee couldn’t immediately determine what the attackers did after gaining initial access to a victim’s system.

McAfee has since published a report detailing additional implants used in the attacks, which were used to gain persistence on targeted systems and for continued data exfiltration, including Gold Dragon, Brave Prince, Ghost419, and RunningRat.

Gold Dragon, a Korean-language implant observed on December 24, 2017, is believed to be the second-stage payload in the Olympics attack, with a much more robust persistence mechanism than the initial PowerShell implant.

Designed as a data-gathering implant, Gold Dragon has the domain golddragon.com hardcoded and acts as a reconnaissance tool and downloader for subsequent payloads. It also generates a key to encrypt data gathered from the system, which is then sent to the server ink.inkboom.co.kr.

Gold Dragon is not a full-fledged spyware, as it only has limited reconnaissance and data-gathering functionality. The malware, which had its first variant in the wild in South Korea in July 2017, features elements, code, and behavior similar to Ghost419 and Brave Prince, implants that McAfee has been tracking since May 2017.

The malware lists the directories in the user’s Desktop folder, in the user’s recently accessed files, and in the system’s %programfiles% folder, and gathers this information along with system details, the ixe000.bin file from the current user’s UserProfiles, and registry key and value information for the current user’s Run key, encrypts the data, and sends it to the remote server.

The malware can check the system for processes related to antivirus products and cleaner applications, which it can then terminate to evade detection. Furthermore, it supports the download and execution of additional components retrieved from the command and control (C&C) server.

Also a Korean-language implant featuring similarities to Gold Dragon, Brave Prince too was designed for system profiling, capable of gathering information on directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware was first seen in December 13, 2017. It is also capable of terminating a process associated with a tool that can block malicious code.

First observed in the wild in December 18, 2017, Ghost419 is a Korean-language implant that can be traced to July 29, 2017, to a sample that only shares 46% of the code used in the December samples. This malware appears based on Gold Dragon and Brave Prince, featuring shared elements and code, especially related to system reconnaissance.

The attackers also used a remote access Trojan (RAT) in the Pyeongchang Olympics attacks, the security researchers say. Dubbed RunningRat, this tool operates with two DLLs, the first of which kills any antimalware solution on the system and unpacks and executes the main RAT DLL, in addition to gaining persistence.

The second DLL, which employs anti-debugging techniques, is decompressed in memory, which results in a fileless attack, as it never touches the user’s file system. The malware gathers information about the operating system, along with driver and processor information, and starts capturing user keystrokes and sending them to the C&C server.

“From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed,” McAfee reveals.

All of these implants can establish a permanent presence on the victim’s system, but they require a first-stage malware that provides the attacker with an initial foothold on the victim’s system. Some of the implants would only achieve persistence if Hangul Word (the South Korean-specific alternative to Microsoft Office) is running on the system.

“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” McAffee concludes.


Chinese Iron Tiger APT is back, a close look at the Operation PZChao
3.2.2018 securityaffairs APT

Chinese Iron Tiger APT is back, the new campaign, dubbed by Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.
Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of password-stealing, bitcoin-mining, and of course to gain full control of the victim’s machine.

The campaign, dubbed by Bitdefender, Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.

“This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.” states the report published by BitDefender.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”

It is interesting to notice that the malware features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery).

The experts who analyzed the command and control infrastructure and malicious codes used by the hackers (i.e. Gh0st RAT) speculate the return of the Iron Tiger APT group.

The Iron Tiger APT (aka Panda Emissary or TG-3390) is active at least since 2010 and targeted organization in APAC, but since 2013 it is attacking high-technology targets in the US.

The experts found many similarities between the Gh0stRat samples used in the Operation PZChao and the ones used in past campaigns associated with the Iron Tiger APT.

Attackers behind the Operation PZChao targeted victims with spear-phishing messages using a malicious VBS file attachment that once executed will download the malicious payloads to Windows systems from a distribution server. The researchers determined the IP address of the server, it is “125.7.152.55” in South Korea and hosts the “down.pzchao.com”.

Experts highlighted that new components are downloaded and executed on the target system in every stage of the attack.

Operation PZChao

The experts discovered that the first payload dropped onto compromised systems is a bitcoin miner.

The miner is disguised as a ‘java.exe’ file and used every three weeks at 3 am to avoid being noticed while mining cryptocurrency likely to fund the campaign.

But don’t forget that the main goal of the Operation PZChao is cyber espionage, the malicious code leverages two versions of the Mimikatz tool to gather credentials from the infected host.

The most important component in the arsenal of the attacker remains the powerful Gh0sT RAT malware that allows controlling every aspect of the infected system.

“this remote access Torjan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,” concluded Bitdefender. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”


Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor
28.1.2018 securityweek APT

The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor subbed RGDoor to target Internet Information Services (IIS) Web servers.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, when targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries.

The hackers used the RGDoor backdoor to target Middle Eastern government organizations and financial and educational institutions.

According to the researchers, RGDoor is a secondary backdoor that allows the hackers to regain access to a compromised Web server when primary TwoFace webshell is discovered and removed.

OilRig hackers are using the TwoFace webshell since at least June 2016, the backdoor

“Unlike TwoFace, the actors did not develop RGDoor in C# to be interacted with at specific URLs hosted by the targeted IIS web server. Instead, the developer created RGDoor using C++, which results in a compiled dynamic link library (DLL).” states the analysis from PaloAlto Networks.

“The DLL has an exported function named “RegisterModule”, which is important as it led us to believe that this DLL was used as a custom native-code HTTP module that the threat actor would load into IIS.”

The attackers exploited the IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, in this way they could carry out custom actions on requests

The “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto has explains.

OilRig%20RGDoor

Malware researchers from Paloalto Networks discovered that the code calls the RegisterModule function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests.

When the IIS server receives an inbound HTTP POST request, the backdoor parses the requests searching for the string in HTTP “Cookie” field.

The find was used to issue cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands.

“RGDoor then constructs its own HTTP response by first setting the “Content-Type” field within the HTTP header to “text/plain”.” continues the analysis.

The choice of the Cookie fields makes it hard to analyze inbound requests related to RGDoor backdoor because IIS does not log the values within these specific fields of inbound HTTP requests by default.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the sever, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated.” concluded Palo Alto Networks.

Technical details, including IoCs are reported in the analysis published by PaloAlto Networks.


A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions
25.1.2018 securityaffairs APT

Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions.
Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

In the last campaigns against financial firms, the cyber spies launched watering hole attacks and leveraged a variant of the Lazarus-linked RATANKBA Trojan.

“The malware known as RATANKBA is just one of the weapons in Lazarus’ arsenal. This malicious software, which could have been active since late 2016, was used in a recent campaign targeting financial institutions using watering hole attacks. The variant used during these attacks (TROJ_RATANKBA.A) delivered multiple payloads that include hacking tools and software targeting banking systems.” reads the analysis published by Trend Micro.

“We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL–A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified.“

The researchers identified and hacked in some servers used by the cyber spies for temporarily storing stolen data, the analysis of the backend revealed that around 55% of the victims were located in India and neighboring countries.

The majority of the victims were not using enterprise versions of Microsoft software, less than 5% of the victims were Microsoft Windows Enterprise users.

The IP addresses of the victims don’t belong to a large bank or a financial institution, according to Trend Micro victims are likely employees of three web software development companies in India and one in South Korea.

The RATANKBA Trojan is delivered via weaponized Office documents (containing topics related to cryptocurrencies and software development), CHM files, and script downloaders.

Experts noticed that attackers don’t implement a real-time communication with the malware. Once compromised a target machine, the attackers will use a Remote Controller tool to send jobs to the system, the queue of jobs is then processed by RATANKBA.

“During our analysis, we collected a copy of the RATANKBA malware’s Lazarus Remote Controller tool. The remote controller provides a user interface that allows attackers to send jobs to any compromised endpoint. The controller gives the attackers the ability to manipulate the victims’ host by queueing tasks on the main server. RATANKBA retrieves and executes the tasks, and retrieves the collected information.” continues the analysis.

The controller tools used by the Lazarus APT implements a graphical UI interface that allows hackers to push code to the server and download victim profiles from it.

Lazarus%20APT%20group%202

Trend Micro also provided a profile of the members of the Lazarus APT group, the hackers appear to be native Korean speakers and at least one of them is believed to also understand Chinese.

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities.” concluded Trend Micro.


Dark Caracal APT – Lebanese intelligence is spying on targets for years
19.1.2018 securityaffairs APT

A new long-running player emerged in the cyber arena, it is the Dark Caracal APT, a hacking crew associated with to the Lebanese General Directorate of General Security that already conducted many stealth hacking campaigns.
Cyber spies belonging to Lebanese General Directorate of General Security are behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

New nation-state actors continue to improve offensive cyber capabilities and almost any state-sponsored group is able to conduct widespread multi-platform cyber-espionage campaigns.

This discovery confirms that the barrier to entry in the cyber-warfare arena has continued to
decrease and new players are becoming even more dangerous.

The news was reported in a detailed joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation.

The APT group was tracked as Dark Caracal by the researchers, its campaigns leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.
“Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal2, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen
data includes enterprise intellectual property and personally identifiable information.” states the report.
The attack chain implemented by Dark Caracal relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

%20Dark%20caracal

The malicious app could exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. Dark Caracal malware is also able to use devices cameras and the microphone to spy on the victims.

Unfortunately, the APT group also used another powerful surveillance software in its campaign, the malware is the dreaded FinFisher, a spyware that is often marketed to law enforcement and government agencies.

Researchers from Lookout and the EFF discovered a number of test devices that appeared to be located in the Beirut building of the Lebanese General Directorate of General Security, suggesting that Dark Caracal APT is linked to the Government
“Devices for testing and operating the campaign were traced back to a building belonging to the Lebanese General Directorate of General Security (GDGS), one of Lebanon’s intelligence agencies. Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal. ” continues the report.

Dark Caracal also has a Windows malware in its arsenal, the malicious code was able to collect screenshots and files from the infected PCs.

Dark%20Caracal

Lookout and the EFF launched their investigation in July 2017, the researchers were able to identify the Command and Control infrastructure and determined that the Dark Caracal hackers were running six unique campaigns. Some of the hacking campaigns had been ongoing for years targeting a large number of targets in many countries, including China, the United States, India, and Russia.

“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”

Further details are provided in the technical report that includes more than 90 indicators of
compromise (IOC).


Russia-Linked Attacks on Political Organizations Continue
19.1.2018 securityweek APT

The cyber-espionage group known as Fancy Bear was highly active in the second half of 2017, hitting political organizations worldwide, Trend Micro said this week.

Also known as APT28, Pawn Storm, Sofacy, Group 74, Sednit, Tsar Team, and Strontium, the group is said to have ties with the Russian government. Since 2015, the group has been associated with attacks on political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

During the second half of 2017, such attacks continued, without revealing much technical innovation over time. However, the attacks are well prepared, persistent, and often hard to defend against, the security researchers say.

“Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released,” Trend Micro points out.

During the second half of 2017, the group was observed targeting organizations with credential phishing and spear phishing attacks. In August and September, the hackers used tabnabbing against Yahoo! users, a method that involves changing a browser tab to point to a phishing site after distracting the target.

In attacks observed in October and November 2017, the group used credential phishing emails to target specific organizations. One incident employed an email claiming to inform the target of an expired password, while the other claimed a new file was present on the company’s OneDrive system.

During the past six months, Pawn Storm also targeted several International Olympic Wintersport Federations, including the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation, and the International Luge Federation.

The attacks appear to be related to several Russian Olympic players being banned for life in fall 2017. A recent incident involving the leak of emails exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics also appears to be related to the state-sponsored actor.

Some of the group’s political targets included chmail.ir webmail users, who received credential phishing emails on May 18, 2017, one day before the presidential elections in Iran. Similar incidents were observed targeting political organizations globally, Trend Micro says.

In June 2017, the actor set up phishing sites mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. In attacks observed during fall 2017, the group was abusing Google’s Blogspot service to target Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.

Individuals interested in the CyCon U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point were also targeted by Pawn Storm last year.

Moving forth, the group is expected to continue targeting political organizations, while also likely focusing on influencing public opinion via social media, given that social media algorithms are “susceptible to abuse by various actors with bad intentions.”

“Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy,” Trend Micro notes.

Other actors too might start campaigns attempting to influence politics and issues of interest domestically and abroad, the researchers say. Pawn Storm, however, is expected to continue to be highly active, especially with the Olympics and several significant global elections taking place in 2018.


North Korea Group 123 involved in at least 6 different hacking campaigns in 2017
19.1.2018 securityaffairs APT

North Korean hackers belonging to the North Korea Group 123 have conducted at least six different massive malware campaigns during 2017.
North Korean hackers have conducted at least six different massive malware campaigns during 2017, most of them against targets in South Korea. Security researchers from Cisco’s Talos group who have monitored the situation for 12 months have identified a North Korean threat actor tracked by the experts as Group 123 that conducted numerous malware attacks against entities in the South.

In three differed phishing campaigns tracked as “Golden Time”, “Evil New Year” and “North Korean Human Rights” South Korean victims were specifically infected with the Remote Access Trojan ROKRAT.

“On January 2nd of 2018, the “Evil New Year 2018” was started. This campaign copies the approach of the 2017 “Evil New Year” campaign.

The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.” reads the analysis published by Talos.

“Based on our analysis, the “Golden Time”, both “Evil New Year” and the “North Korean Human Rights” campaigns specifically targeted South Korean users.”

The ROKRAT RAT was used to target Korean targets using the popular Korean Microsoft Word alternative Hangul Word Processor (HWP). In the past, we saw other attacks against people using the HWP application.

ROKRAT%20RAT

The three campaigns leveraged on a payload in the Hancom Hangul Office Suite, North Korean hackers exploited vulnerabilities such as the CVE-2013-0808 EPS viewer bug to deliver the RAT.

The attackers also used specially crafted files to trigger the arbitrary code execution vulnerability CVE-2017-0199. Group 123 also launched the FreeMilk campaign against financial institutions outside South Korea.

The hackers in this campaign used phishing message with a weaponized Microsoft Office document that was able to trigger the vulnerability CVE-2017-0199.

“Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki.” continues the analysis.”PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.”

The last campaign analyzed by Talos group was tracked as “Are You Happy,” it is a sabotage campaign that targeted the victims using a module from ROKRAT designed to wipe the first sectors of the victim’s hard drive.

According to Talos, this actor was very active in 2017, and likely will continue its campaigns in the next months, especially against targets in the South.

“The actor has the following demonstrated capabilities:

To include exploits (for Hangul and Microsoft Office) in its workflows.
To modify its campaigns by splitting the payload in to multiple stages
To use compromised web servers or legitimate cloud based platforms.
To use HTTPS communications to make it harder to perform traffic analysis.
To compromise third parties to forge realistic spear phishing campaigns (i.e. Yonsei university in the “Golden Time” campaign).
To constantly evolve, the new fileless capability included in 2018 is a proof.” concluded Talos.
north%20korea%20phishing%20campaigns

The report includes the IoCs for each campaign.


Turla APT group’s espionage campaigns now employs Adobe Flash Installer and ingenious social engineering
10.1.2018 securityaffairs APT

Turla APT group’s espionage campaigns now employs Adobe Flash Installer and an ingenious social engineering technique, the backdoor is downloaded from what appears to be legitimate Adobe URLs and IP addresses.
Security researchers from ESET who have analyzed recent cyber espionage campaigns conducted by the dreaded Turla APT group reported that hackers leverage on malware downloaded from what appears to be legitimate Adobe URLs and IP addresses.

Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

The Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

In the most recent attacks, the group is packaging its macOS backdoor with a real Adobe Flash installer and downloading the malware on victim systems from endpoint systems that use a remote IP belonging to Akamai, the Content Delivery Network that is also used by Adobe for its supply chain. Legitimate Flash installer, in fact, are also distributed through the Akamai network.

“In recent months, we have observed a strange, new behavior, leading to compromise by one of Turla’s backdoors. Not only is it packaged with the real Flash installer, but it also appears to be downloaded from adobe.com.” reads the report published by ESET.

“From the endpoint’s perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash
installer. “

Researchers noted that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016, data were sent back to legitimate URLs at Adobe.com. The download attempts observed by ESET observed were made through HTTP and not via HTTPS, the researchers state with confidence that Adobe was not compromised.

The social engineering technique adopted by Turla group to trick victims into believing they are downloading a legitimate software from Adobe server is very ingenious.

Data collected by the experts revealed that most of the victims belong to the former USSR, targeted entities include embassies and consulates located in East Europe.

At the time of the report is still unclear how the Turla APT group distributed the backdoor through Adobe.com.

Experts speculate that this is possible by compromising a machine on the victim’s network to perform a local man-in-the-middle attack. In this attack scenario, the threat actors redirect traffic from a target system through the compromised server and modifying it on the fly. Another possibility is to leverage on a compromised local gateway that could allow the attackers to potentially intercept and modify traffic for the whole organization.

Other attacks scenarios see Turla executing a man-in-the-middle attack at the ISP level, or BGP hijacking.

“We quickly discarded the hypothesis of a rogue DNS server, since the IP address corresponds to the servers used by Adobe to distribute Flash.” continues the report. “Thus, these are the hypotheses that remain: ➊ a Man-in-theMiddle
(MitM) attack from an already-compromised machine in the local network, ➋ a compromised gateway or proxy of the organization, ➌ a MitM attack at the Internet Service Provider (ISP) level or ➍ a Border Gateway Protocol (BGP) hijack to redirect the traffic to Turla-controlled servers a MitM attack at the Internet Service Provider (ISP) level or ➍ a Border Gateway Protocol (BGP) hijack to redirect the traffic to Turla-controlled servers.”

Turla%20APT%20group%20Adobe

Researchers believe the most likely scenario sees attackers controlling the router for the traffic hijacking.

Such kind of attack is any way possible because the files are downloaded via HTTP, for this reason, it is important to avoid installing any update or software that was downloaded through unsecured connections.

Administrators must also check that Flash Player installers downloaded are properly signed with a valid Adobe certificate.

Further information, including the IOCs are included in the report published by ESET.


Force 47 – The Vietnamese brigade tasked with fighting “wrongful views” spreading online
2.1.2017 securityaffairs APT

Force 47 is a brigade composed of 10,000 cyber warriors to fight online dissent in Vietnam, a new threat to freedom of speech in the country.
Like many other Governments, also Vietnam is deploying a cyber army of 10000 cyber experts to fight online dissent in the country.

The news was revealed by a top Vietnamese general last week, the official that the brigade dubbed ‘Force 47’ has been tasked with fighting “wrongful views” spreading online.

More than half of the population (around 93 million people) has access to the Internet.

According to web watchdog Freedom House, the Internet in Vietnam is “not free”, the organization ranked it second only to China in Asia.

Human Rights Watch deputy Asia director Phil Robertson believes that the brigade Force 47 is a “shocking new dimension to Vietnam’s crackdown on dissent”.

“This is just the latest plank in a campaign to curb internet freedoms at all costs,” Shawn Crispin, Committee to Protect Journalists’ Southeast Asia representative, told AFP Friday.

“While they can’t unplug Facebook, Instagram and the likes outright, they can apply more and more pressure on those platforms and it looks like these cyber troops are their latest attempt to do that.”

The activist Nguyen Chi Tuyen (aka Anh Chi) said the new brigade is an important step in ahead of online repression.

“The main purpose for Force 47 is to try and control news and public opinion on the internet… they want to protect the party, not protect the country,” explained Tuyen.

The Vietnamese Government is applying a strict online monitoring, it continues to ask tech giants like Facebook and YouTube to remove any “toxic content” from their platforms.

The Vietnamese Government believes that hostile groups and foreign governments could use social media and the Internet to destabilize the country and threaten the “prestige of the party’s leaders and the state”.

According to Amnesty International, many dissidents have already been identified and arrested in the country, at least 15 people this year.

Madeline Earp, a senior research analyst with Freedom House, explained that the unit Force 47 is likely to include commentators tasked of spreading online pro-government content and counter critics.

“Vietnam very much follows China’s example when suppressing internet freedom, particularly when it comes to blocking websites and arresting dissidents,” she told AFP.

Vietnam had built up considerable cyber capabilities in across the years, according to the incident response firm Volexity, Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape.


Happy IR in the New Year!
1.1.2018 Kaspersky  APT
At the end of last year Mr. Jake Williams from aka @MalwareJake asked a very important question about Lack of visibility during detecting APT intrusions in twitter. Results show us that endpoint analysis is the most important part of any research connected with APTs. Also, for sure endpoint forensics is critical during any Incident Response (IR) because in many cases the initial intrusion happened too far away in time so there are no relevant logs and no backups to identify the first victim and the way how attackers were moving from one computer to another. At least once a year we have such issues during IR activities with our customers. In these cases we use a very simple script that is uploaded to every Windows computer in the corporate network to collect logs, NTFS data, entries from the Windows registry and strings from the binary files to find out how exactly the attackers were moving through the network. It’s holiday season and it is our pleasure to share this script with you. We hope it will help to save a lot of time during IR and any malware/APT investigations providing the so much needed visibility into potentially infected endpoint PCs.

Let’s start with collecting the collect file system information from the computer using the wonderful forensics tool FLS (administrative privileges required) from the open source package Sleuthkit. The only thing that the official Windows build lacks is Windows XP/2003 support. If you are planning to run the tool on Windows XP/2003 machines then you may need to recompile FLS from sources using MinGW or download our our pre-compiled version (see the end of this blog post). We also do not want to write the results to the computers’ hard drive to avoid wiping its unallocated space. So the tool is going to utilize a big (approx. 300 MB free space for one corporate computer ) share folder that should be prepared in advance and should be accessible from all computer in the network that will execute the script:

set data_share=”\\corp_share\data_share”
net use y: %data_share%
mkdir y:\%COMPUTERNAME%_report
set dp=y:\%COMPUTERNAME%_report
echo %date% %time% %COMPUTERNAME% > %dp%\report.log
fls.exe -lpr \\.\c: >> %dp%\fls.log

It will take several (dozens of) minutes to create the full list of filesystem entries for the computer’s system drive. After that we are ready to extract the inode numbers of Windows registry files that are interesting to us. We will use the ICAT tool from the same Sleuthkit package and the RegLookup utility to grab modification timestamps of every windows registry key. At the end we want to collect all the strings (using the tools either by Mr. Mark Russinovich or from http://pubs.opengroup.org/onlinepubs/9699919799/utilities/strings.html tool (our choice)) from the registry files to search for any data from the unallocated space and deleted keys:

::Get Windows reg files
findstr /i “windows\/system32\/config\/system ” %dp%\fls.log | findstr /vi “profile” | findstr /vi log | cut -f2 -d” ” | cut -f1 -d”:” > %dp%\system.reg.inode
for /f “tokens=1” %%a in (%dp%\system.reg.inode) do icat \\.\c: %%a > %dp%\system.reg
findstr /i “windows\/system32\/config\/software ” %dp%\fls.log | findstr /vi “profile” | findstr /vi log | cut -f2 -d” ” | cut -f1 -d”:” > %dp%\software.reg.inode
for /f “tokens=1” %%a in (%dp%\software.reg.inode) do icat \\.\c: %%a > %dp%\software.reg
::Convert reg files
reglookup.exe %dp%\system.reg > %dp%\system.reg.log
reglookup.exe %dp%\software.reg > %dp%\\software.reg.log
::Get strings from reg files
strings -afel %dp%\system.reg > %dp%\system.str.log
strings -afeb %dp%\system.reg >> %dp%\system.str.log
strings -afel %dp%\software.reg > %dp%\software.str.log
strings -afeb %dp%\software.reg >> %dp%\software.str.log

Once finished, we are ready to do the same with the Windows system and security eventlog files. To parse log the files will we use the open source tools evtxexport and evtexport by Mr. Joachim Metz

::Get Logs
findstr -i “windows\/system32\/winevt/logs/system.evtx” %dp%\fls.log | cut -f2 -d” ” | cut -f1 -d”:” > %dp%\system.evtx.inode
for /f “tokens=1” %%a in (%dp%\system.evtx.inode) do icat \\.\c: %%a > %dp%\system.evtx
findstr /i “windows\/system32\/winevt/logs/security.evtx” %dp%\fls.log | cut -f2 -d” ” | cut -f1 -d”:” > %dp%\security.evtx.inode
for /f “tokens=1” %%a in (%dp%\security.evtx.inode) do icat \\.\c: %%a > %dp%\security.evtx
strings -afeb %dp%\system.evtx > %dp%\system.evtx.str.log
strings -afel %dp%\system.evtx >> %dp%\system.evtx.str.log
strings -afeb %dp%\security.evtx > %dp%\security.evtx.str.log
strings -afel %dp%\security.evtx >> %dp%\security.evtx.str.log
::Conv evtx
evtxexport.exe %dp%\system.evtx > %dp%\system.evtx.res.log
::get evt logs
findstr /i “windows\/system32\/config/SysEvent.Evt” %dp%\fls.log | cut -f2 -d” ” | cut -f1 -d”:” > %dp%\SysEvent.Evt.inode
for /f “tokens=1” %%a in (%dp%\SysEvent.Evt.inode) do icat \\.\c: %%a > %dp%\SysEvent.Evt
findstr /i “windows\/system32\/config/SecEvent.Evt” %dp%\fls.log | cut -f2 -d” ” | cut -f1 -d”:” > %dp%\SecEvent.Evt.inode
for /f “tokens=1” %%a in (%dp%\SecEvent.Evt.inode) do icat \\.\c: %%a > %dp%\SecEvent.Evt
::get strings from evt
strings -afeb %dp%\SysEvent.Evt > %dp%\SysEvent.Evt.str.log
strings -afel %dp%\SysEvent.Evt >> %dp%\SysEvent.Evt.str.log
strings -afeb %dp%\SecEvent.Evt > %dp%\SecEvent.Evt.str.log
strings -afel %dp%\SecEvent.Evt >> %dp%\SecEvent.Evt.str.log
::Conv evt
evtexport.exe %dp%\SysEvent.Evt > %dp%\SysEvent.Evt.res.log

Actually this is it. All logs will be collected in our share’s folder so we may search for something interesting. In the latest cases with Carbanak we were looking for mentions of the malicious Powershell scripts so let’s add the following string in our version of this script:

findstr /i “powershell” %dp%\*.log >> %dp%\report.log

This will provide us with a complete picture of how the attackers were moving from one computer to another with exact timestamps and artifacts on NTFS, registry and logs that is critical for fast and effective IR with no lack of endpoint visibility. GLHF and HAPPY IR in NEW YEAR!

PS. LINK 2 FILE

SHA256 (HappyNewYear.zip) = c166d1e150db24ea27014e1d4a9eeb79f9e317ded9918a623fee8e66a010f9fa


Financially motivated attacks reveal the interests of the Lazarus APT Group
25.12.2017 securityaffairs APT

Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies, the group’s arsenal of tools, implants, and exploits is extensive and under constant development.
Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies. The North Korea-Linked hackers launched several multistage attacks that use cryptocurrency-related lures to infect victims with malware.

The malicious code aims to steal credentials for cryptocurrency wallets and exchanges, but there is much more.

“Proofpoint researchers have uncovered a number of multistage attacks that use cryptocurrency-related lures to infect victims with sophisticated backdoors and reconnaissance malware that we attribute to the Lazarus Group.” reads the analysis published by Proofpoint. “Victims of interest are then infected with additional malware including Gh0st RAT to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing Bitcoin and other cryptocurrencies.”

The Lazarus APT group has increasingly focused on financially motivated attacks in the attempt to exploit the media interest in the skyrocketing prices for cryptocurrencies.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

Lazarus is believed to be the first nation state attacker that is targeting a point-of-sale using a framework to steal payment card data.

The timing is perfect, the hackers are intensifying their operation around Christmas shopping season.

The arsenal of the Lazarus APT group includes sophisticated custom-made malware, DDoS botnets, and wiper malware.

The research paper published by the experts detail a new implant dubbed PowerRatankba, a PowerShell-based malware variant that closely resembles the original Ratankba implant.

Experts also documented a new and emerging threat dubbed RatankbaPOS targeting the point-of-sale systems.

Lazarus%20APT%20group%20attacks

“The Lazarus Group is a sophisticated, state-sponsored APT group with a long history of successful destructive, disruptive, and costly attacks on worldwide targets. State-sponsored groups are generally focused on espionage and disruption. However, our findings on their recent activities relate to the financially motivated arm of Lazarus, the operations of which are peculiar to the North Korean group.” said Patrick Wheeler, director of threat intelligence, Proofpoint.

“These actions, including the targeting of cryptocurrency exchange credentials and point-of-sale infrastructure, are significant for a number of reasons:

This appears to be the first publicly documented instance of a state-sponsored actor attacking point-of-sale infrastructure for financial gain.

Cryptocurrencies are nothing new to threat actors, state-sponsored or otherwise. However, in this case we were able to extensively document the custom-built tools and procedures that Lazarus group is using to perform cryptocurrency theft.

This group now appears to be targeting individuals rather than just organisations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetisation for a state-sponsored threat actor’s toolkit. Bringing the tools and resources of a state-sponsored attack group to bear against individuals and infrastructure used by large numbers of private citizens raises the stakes considerably when assessing potential impact.

We were able to differentiate the actions of the financially motivated team within Lazarus from those of their espionage and disruption groups that have recently grabbed headlines, providing better insight into their operations and the worldwide threat represented by Lazarus.”


Russian Fancy Bear APT Group improves its weapons in ongoing campaigns
24.12.2017 securityaffairs APT

Fancy Bear APT group refactored its backdoor and improved encryption to make it stealthier and harder to stop.
The operations conducted by Russian Fancy Bear APT group (aka Sednit, APT28, and Sofacy, Pawn Storm, and Strontium) are even more sophisticated and hard to detect due to.
According to a new report published by experts from security firm ESET, the APT group recently refurbished one of its most popular backdoor, Xagent, that was significantly improved by implementing new functionalities that make it more stealthier and harder to stop.
Vxers have redesigned the architecture of the malware so it has become harder to recognize previously discovered infection patterns.
The X-Agent backdoor (aka Sofacy) was associated with several espionage campaigns attributed to the APT group Fancy Bear, across the years, experts observed several strains of the X-Agent specifically designed to compromise Windows, Linux, iOS and Android OSs, and early 2017 researchers at Bitdefender spotted the first version of the X-Agent that was developed to compromise MAC OS systems.

The latest version of the X-Agent backdoor, the fourth one, implements new techniques for obfuscating strings and all run-time type information. Cyberspies upgraded some of the code used for C&C purposes and added a new domain generation algorithm (DGA) feature in the WinHttp channel for quickly creating fallback C&C domains.

ESET observed a significant improvement in the encryption algorithm and DGA implementation that makes domain takeover more difficult.

Fancy Bear also implemented internal improvements, including new commands that can be used for hiding malware configuration data and other data on an infected system.

The attack chain remained largely unchanged, the APT group Fancy Bear still relies heavily on “very cleverly crafted phishing emails.”

“The attack usually starts with an email containing either a malicious link or malicious attachment. We have seen a shift in the methods they use ‘in the course of the year’, though. Sedkit was their preferred attack vector in the past, but that exploit kit has completely disappeared since late 2016.” reads the report published by ESET. “The DealersChoice exploit platform has been their preferred method since the publication of our white paper, but we saw other methods being used by this group, such as macros or the use of Microsoft Word Dynamic Data Exchange.”

Fancy Bear mail_merrychristmas

The group stopped using Sedkit exploit kit and has increasingly begun using a platform called DealersChoice, a Flash exploit framework also used by the group against Montenegro.

DealersChoice generates documents with embedded Adobe Flash Player exploits based on the target’ s configuration.

Fancy Bear’s operations are still focused on government departments and embassies all over the world.


The thin line between BlackEnergy, DragonFly and TeamSpy attacks
19.12.2017 securityaffairs APT

Experts from McAfee Labs collected evidence that links DragonFly malware to other hacking campaigns, like BlackEnergy and TeamSpy attacks.
On September 6, Symantec published a detailed analysis of the Dragonfly 2.0 campaign that targeted dozens of energy companies this year. Threat actor is the same behind the Dragonfly campaign observed in 2014.

Further analysis conducted by McAfee Labs lead the experts into believing that the Operation Dragonfly is linked to earlier attacks.

The investigation conducted by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries.

The experts noticed the same techniques, tactics, and procedures (i.e. spear phishing, watering holes, and exploits of supply-chain technologies) were the same used in previous campaigns.

“By compromising well-established software vulnerabilities and embedding within them “backdoor” malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.” reads the analysis published by McAfee Labs.

Once compromised the target network, attackers used remote-desktop protocol to hop among internal or external systems, they connect either to a control server or use an internal compromised server to conduct operations.

Researchers observed threat actors using several backdoors and utilities, in one case a Trojan used in 2017 attacks was also used in a July 2013 attack.

Experts correlated the malware by analyzing their hashes, both contained the same TeamViewer that was spotted by the Hungarian security company Crysys in a report about the TeamSpy malware.

The TeamSpy hackers hit a large variety of high-level subjects including Russia-based Embassy for a not revealed undisclosed country belonging to both NATO and the European Union, multiple research and educational organizations in France and Belgium, an electronics company located in Iran and an industrial manufacturer located in Russia

Crysys researchers mentioned the same hash used in the recent attacks and correlated it to a sample that was compiled on 2011:09:07 – 09:27:58+01:00.

“Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?” continues McAfee Labs.

The experts discovered that the 2017 sample contained code blocks associated with BlackEnergy malware.

BlackEnergy code
BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017. (Source McAfee)

“Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.” continues the analysis.

“The BlackEnergy sample used in our comparison was captured in the Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.”

DragonFly

The experts pointed out an evolution of the code in the backdoors developed by the threat actors and the reuse of code in their campaigns.

The malicious code is fairly sophisticated in hiding details of their attacks, making hard the attribution through the use of false flags.


Triton malware was developed by Iran and used to target Saudi Arabia
16.12.2017 securityaffairs APT  ICS

CyberX who analyzed samples of the Triton malware believes it was likely developed by Iran and used to target an organization in Saudi Arabia.
Security experts from security firms FireEye and Dragos reported this week the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS).

Both FireEye and Dragos would not attribute the Triton malware to a specific threat actor.

The Triton malware has been used in attacks aimed at an unnamed critical infrastructure organization, it caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

Triton malware

According to report published by ICS cyber security firm Dragos, which tracked the threat as “TRISIS”, the victim was an industrial asset owner in the Middle East.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

Now, security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Iranian hackers are becoming even more aggressive, but experts always highlighted that they are not particularly sophisticated.

In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

In February, researchers at Palo Alto Networks have discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign dubbed Magic Hound, dates back at least mid-2016. Hackers targeted organizations in the energy, government, and technology industries, all the targets are located or have an interest in Saudi Arabia.

Iran was responsible for destructive attacks on Saudi Aramco systems in 2012, and now CyberX is attributing the Triton malware to the Government of Teheran.

According to the experts, the shutdown was likely an accident during the reconnaissance phase conducted by the threat actors whose final goal was the sabotage.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers, it suggests avoiding leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

According to Phil Neray, VP of Industrial Cybersecurity for CyberX OT environments are ‘vulnerable by design’ for this reason they are a privileged target for hackers that could use them as an entry point in industrial environment.

“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Phil Neray told SecurityWeek. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”


Lazarus APT Group targets a London cryptocurrency company
16.12.2017 securityaffairs APT

Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.
The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack codes. UK Government also linked the WannaCry attack that crippled NHS to North Korea.

Lazarus targets Bitcoin company

According to the experts at Secureworks, the Lazarus APT group is behind a targeted email campaign aiming to trick victims into clicking on a compromised link for a job opening for a chief financial officer role at a London cryptocurrency company.
“Those who clicked on the hiring link were infected by malicious code from an attached document in the email that installed software to take remote control of a victim’s device, allowing hackers to download further malware or steal data.” reported the Reuters.

“This malware shares technical links with former campaigns staged by the mysterious cybercrime group Lazarus, which Secureworks has labeled “Nickel Academy”. Secureworks did not say whether anyone who received the email actually clicked on the link.”

Researchers found many similarities between the TTPs (techniques, tactics, and procedures) observed in this attack and previous ones attributed to the Lazarus APT group.

“The so-called “spearphishing” attempt appears to have been delivered on October 25, but initial activity was observed by Secureworks researchers dating back to 2016. The researchers said in a statement they believe the efforts to steal credentials are still on-going.” reported the Reuters.

“Recent intrusions into several bitcoin exchanges in South Korea have been tentatively attributed to North Korea, it said.”

Secureworks found evidence dating back to 2013 of North Korean interest in bitcoin, when multiple states sponsored hackers used a collection of usernames originating from computers using North Korean internet addresses were found researching bitcoin.

The same internet addresses were linked to previous North Korean operations.

The researchers believe the Lazarus phishing campaign is still ongoing and is warning of potential effects.

“Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high and (it) is likely continuing its activities surrounding the cryptocurrency,” Secureworks said in a statement to Reuters.

Secureworks announced the publishing of a detailed report.


HBO hacker linked to the Iranian Charming Kitten APT group
7.12.2017 securityweek APT

A new report published by ClearSky linked a man accused by U.S. authorities of hacking into the systems of HBO to the Iranian cyber espionage group Charming Kitten.
Experts from the security firm ClearSky have published a new detailed report on the activities of Charming Kitten APT group, also known as Newscaster and NewsBeef.

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Iranian Hackers used a network of fake accounts (NEWSCASTER network) on principal social media to spy on US officials and political staff worldwide, this is reported in an analysis done by iSIGHTPartners. The Charming Kitten group is also known for the abuse of Open Source Security Tools, including the BeEF.

The threat actor targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. The hackers also hit individuals involved in academic research, human rights, and the media.

ClearSky detailed the group’s activities during 2016-2017, the report includes information related to the infrastructure used by the APT and to a new strain of malware dubbed DownPaper.

The report also linked the hacker behind the HBO security breach to the Charming Kitten, and reveals the identities of two other alleged members of the group.

Last month, the United States charged the Iranian computer expert Behzad Mesri of ‘Games of Thrones‘ HBO Hack, the man was charged with stealing scripts and plot summaries for ‘Games of Thrones’.

The Manhattan US attorney Joon Kim said Mesri is “had previously hacked computer systems for the Iranian military”. The man threatened to release stolen data unless HBO paid a $6 million ransom in Bitcoin.

Prosecutors confirmed that the Iranian man was a member of the Iranian-based Turk Black Hat Security hacking group that targeted hundreds of websites in the United States and around the world.

“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.

“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.”

Experts discovered that Masri and Charming Kitten were linked through the member of Turk Black Hat group “ArYaIeIrAN.” another member of Turk Black Hat.

Charming Kitten

The email addresses associated with this individual have been used to register several domains used by the Charming Kitten. ClearSky also discovered that the same email address was also used by threat actors to registered a domain for an Iranian hosting firm named MahanServer, which has hosted Charming Kitten infrastructure.

“To sum up, the HBO hacker – Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn, who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari, who is a Facebook friend of Behzad Mesri’s.” states the report. “We tend to identify ArYaIeIrAn with Mohammadamin Keshvari, because the latter is the only other employee of Mahanserver and works in a company whose domain was registered by the former (and both have a similar and unique profile picture). We estimate with medium certainty that the three are directly connected to Charming Kitten, and potentially, along with others – are Charming Kitten”

Iranian hackers are becoming even more aggressive even if experts believe that they are not particularly sophisticated.

Recently we discussed the OilRig gang has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


US indicts Chinese hackers belonging to APT3 for espionage on Siemens and Moody’s
28.11.2017 securityaffairs APT

US authorities have filed official charges against three Chinese hackers part of the elite cyber-espionage unit APT3.
US authorities charged three China-based hackers for stealing sensitive information from US based companies, including Siemens AG, and accessing a high-profile email account at Moody’s.

The three Chinese citizens, Wu Yingzhuo, Dong Hao and Xia Lei, work for the Chinese cybersecurity company Guangzhou Bo Yu Information Technology Company Limited, also known as “Boyusec.”

While Wu and Dong are founding members and shareholders of the China-based company, Xia is just an employee.

Do you remember the Boyusec name?

Several reports published in May 2017 linked the Boyusec firm to the infamous APT3 group, a cyber-espionage group under the control of the Chinese Government.

The APT3, also known as UPS, Gothic Panda, and TG-011, has been active since 2010.

APT3 China

On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blogs posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis.”According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”

The Chinese men have been charged in Pittsburgh with using malware to steal data from the international corporations, including Siemens AG, which has Pittsburgh offices.

The federal indictment filed in September was unsealed Monday, the men were charged by a grand jury for cyber-attacks against three corporations in the financial, engineering and technology industries between 2011 and May 2017. Victims are Moody’s Analytics, Siemens, and GPS technology firm Trimble.

“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

According to the indictment, the hackers:

• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.

• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.

All three indicted suspects are still at large and currently residing in China.


Lazarus APT uses an Android app to target Samsung users in the South Korea
22.11.2017 securityaffairs APT

The North Korea linked group Lazarus APT has been using a new strain of Android malware to target smartphone users in South Korea.
The hacking campaign was spotted by McAfee and Palo Alto Networks, both security firms attributed the attacks to the Hidden Cobra APT.

The activity of the Lazarus APT Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

The malicious code used in this last campaign is an Android malware delivered as an APK file that has been designed to mimic a Korean bible app that was published in the Google Play by a developer named GODpeople.

The malicious APK wasn’t available on the Google Play store and it is still unclear how the APT distributed it.

“The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)” states McAfee.

“The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legit app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.”

Lazarus APT APK

According to McAfee, the malware delivers a backdoor as an executable and linkable format (ELF) file, it allows to take full control of the infected device.

The list of command and control (C&C) servers used by the Android backdoor includes IP addresses previously associated with to the Lazarus group.

Lazarus APT APK 2.png

Experts from Palo Alto Networks pointed out that the campaign appears to be aimed at Samsung device owners in South Korea.

“Unit 42 has discovered a new cluster of malware samples, which targets Samsung devices and Korean language speakers, with relationships to the malware used in Operation Blockbuster. The specific points of connection between these new samples and Operation Blockbuster include:

payloads delivered by the macros discussed in Operation Blockbuster Sequel
malware used by the HiddenCobra threat group
malware used in the 2016 attack on the Bangladesh SWIFT banking system
APK samples mimicking legitimate APKs hosted on Google Play”
states the analysis from Palo alto Networks.

Experts from Unit 42 analyzed a PE file uploaded to VirusTotal that was used to deliver ELF ARM files and APK files from an HTTP server. The APK allows the attacker to gain full control on the target device.

Palo Alto Networks has collected evidence that links the malware with the Lazarus’s attack on the SWIFT banking system and the on Operation Blockbuster. The C&C infrastructure used in the latest attack is the same used in Lazarus’s campaigns.

“It is clear that source code was reused between previously reported samples and the cluster of new samples outlined by Unit 42. Additionally, command and control IPv4 addresses were reused by the malware discussed in this analysis. Technical indicators as well as soft indicators, such as APK themes and names, provide soft and tenable ties to the actors behind Operation Blockbuster and the HiddenCobra group.” concluded Palo alto Networks.


APT Trends report Q3 2017
16.11.2017 Kaspersky Analysis  APT
Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report serves as the next installment, focusing on important reports produced during Q3 of 2017.

As stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: intelreports@kaspersky.com.

Chinese-Speaking Actors
The third quarter demonstrated to us that Chinese-speaking actors have not “disappeared” and are still very much active, conducting espionage against a wide range of countries and industry verticals. In total, 10 of the 24 reports produced centered around activity attributed to multiple actors in this region.

The most interesting of these reports focused on two specific supply chain attacks; Netsarang / ShadowPad and CCleaner. In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the Netsarang distribution site. Netsarang is a popular server management software used throughout the world. The ShadowPad framework contained a remotely activated backdoor which could be triggered by the threat actor through a specific value in a DNS TXT record. Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM. Following up on this supply chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs. The actors responsible signed the malicious installation packages with a legitimate Piriform code signing certificate and pushed the malware between August and September.

Q3 also showed China is very interested in policies and negotiations involving Russia with other countries. We reported on two separate campaigns demonstrating this interest. To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first. IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government, aviation companies, and research institutes. Earlier in April, both conducted talks related to modernizing the Mongolian air defenses with Russia’s help. Shortly after these talks, the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. In June, India and Russia signed a much awaited agreement to expand a nuclear power plant in India, as well as further define the defense cooperation between the two countries. Very soon after, both countries energy sector were targeted with a new piece of malware we refer to as “H2ODecomposition”. In some case this malware was masquerading as a popular Indian antivirus solution (QuickHeal). The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2) which describes a chemical reaction used in hydrogen fuel cells.

Other reports published in the third quarter under chinese-speaking actors were mainly updates to TTPs by known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight. The Spring Dragon report summarized the evolution of their malware to date. Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit. A new testing version of Emdivi was discovered in use by Blue Termite as well as their testing of CVE-2017-0199 for use. Finally, Bald Knight (AKA – Tick) was seen using their popular XXMM malware family to target Japan and South Korea.

Below is a summary of report titles produced for the Chinese region. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to intelreports@kaspersky.com.

Analysis and evolution of Spring Dragon tools
EnergyMobster – Campaign targeting Russian-Indian energy project
IronHusky – Intelligence of Russian-Mongolian military negotiations
The Bald Knight Rises
Massive watering holes campaign targeting Asia-Pacific
Massive Watering Holes Campaign Targeting AsiaPacific – The Toolset
NetSarang software backdoored in supply chain attack – early warning
ShadowPad – popular server management software hit in supply chain attack
New BlueTermite samples and potential new wave of attacks
CCleaner backdoored – more supply chain attacks
Russian-Speaking Actors
The third quarter was a bit slower with respect to Russian speaking threat actors. We produced four total reports, two of which focused on ATM malware, one on financial targeting in Ukraine and Russia, and finally a sort of wrap-up of Sofacy activity over the summer.

The ATM related reports centered around Russian speaking actors using two previously unknown pieces of malware designed specifically for certain models. “Cutlet Maker” and “ATMProxy” both ultimately allowed the users to dispense cash at will from a chosen cartridge within the ATMs. ATMProxy was interesting since it would sit dormant on an ATM until a card with a specific hard coded number was inserted, at which point it would dispense more cash than what was requested.

Another report discussed a new technique utilizing highly targeted watering holes to target financial entities in Ukraine and Russia with Buhtrap. Buhtrap has been around since at least 2014, but this new wave of attacks was leveraging search engine optimization (SEO) to float malicious watering hole sites to the top of search results, thus providing more of a chance for valid targets to visit the malicious sites.

Finally, we produced a summary report on Sofacy’s summertime activity. Nothing here was groundbreaking, but rather showed the group remained active with their payloads of choice; SPLM, GAMEFISH, and XTUNNEL. Targeting also remained the same, focusing on European defense entities, Turkey, and former republics.

Below is a list of report titles for reference:

ATMProxy – A new way to rob ATMs
Cutlet maker – Newly identified ATM malware families sold on Darknet
Summertime Sofacy – July 2017
Buhtrap – New wave of attacks on financial targets
English-Speaking Actors
The last quarter also had us reporting on yet another member of the Lamberts family. Red Lambert was discovered during our previous analysis of Grey Lambert and utilized hard coded SSL certificates in its command and control communications. What was most interesting about the Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor’s part, leading us to a specific company who may have been responsible, in whole or in part, for the development of this Lambert malware.

The Red Lambert
Korean-Speaking Actors
We were also able to produce two reports on Korean speaking actors, specifically involving Scarcruft and Bluenoroff. Scarcruft was seen targeting high profile, political entities in South Korea using both destructive malware as well as malware designed more for espionage. Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt. Interestingly enough, this casino was compromised by Bluenoroff six months prior as well, indicating they potentially lost access and were attempting to get back in.

Report titles focusing on Korean-speaking actors:

Scent of ScarCruft
Bluenoroff hit Casino with Manuscrypt
Other Activity
Finally, we also wrote seven other reports on “uncategorized” actors in the third quarter. Without going into detail on each of these reports, we will focus on two. The first being a report on the Shadowbrokers’ June 2017 malware dump. An anonymous “customer” who paid to get access to the dump of files posted the hashes of the files for the month, mainly due to their displeasure in what was provided for the money. We were only able to verify one of nine file hashes, which ended up being an already known version of Triple Fantasy.

The other report we’d like to highlight (“Pisco Gone Sour”) is one involving an unknown actor targeting Chilean critical institutions with Veil , Meterpreter, and Powershell Empire. We are constantly searching for new adversaries in our daily routine and this appears to be just that. The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment based on targeting is that the actor may be based somewhere in South America.

Dark Cyrene – politically motivated campaign in the Middle East
Pisco Gone Sour – Cyber Espionage Campaign Targeting Chile
Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine
New Machete activity – August 2017
ATMii
Shadowbroker June 2017 Pack
The Silence – new trojan attacking financial organizations
Final Thoughts
Normally we would end this report with some predictions for the next quarter, but as it will be the end of the year soon, we will be doing a separate predictions report for 2018. Instead, we would like to point out one alarming trend we’ve observed over the last two quarters which is an increase in supply chain attacks. Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target; MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia. While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous. Successfully compromising the supply chain provides easy access to a much wider target base than available through traditional means such as spear phishing. As an added benefit, these attacks can remain undetected for months, if not longer. It remains to be seen if this trend will continue into 2018, but given the successes from the five mentioned above, we feel we haven’t seen the last of this type of attack in the near future.


Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit

10.11.2017 thehackernews APT

Cybercriminals, including state-sponsored hackers, have started actively exploiting a newly discovered Microsoft Office vulnerability that Microsoft does not consider as a security issue and has already denied to patch it.
Last month, we reported how hackers could leverage a built-in feature of Microsoft Office feature, called Dynamic Data Exchange (DDE), to perform code execution on the targeted device without requiring Macros enabled or memory corruption.
DDE protocol is one of the several methods that Microsoft uses to allow two running applications to share the same data.
The protocol is being used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic for one-time data transfers and for continuous exchanges for sending updates to one another.
Soon after the details of DDE attack went public, several reports emerged about various widespread attack campaigns abusing this technique in the wild to target several organisations with malware.
Now, for the first time, this DDE attack technique has been found leveraging by an Advanced Persistent Threat (APT) hacking group—APT28, which is well known as Fancy Bear and is widely believed to be backed by the Russian government.
Russian Hackers Using New York Terror Attack to Lure Victims
While analyzing a new spear phishing campaign, security researchers discovered that the Fancy Bear hackers have been leveraging the DDE vulnerability since late October, according to a recent report published Tuesday by McAfee researchers.
The campaign involved documents referencing the recent terrorist attack in New York City in an attempt to trick victims into clicking on the malicious documents, which eventually infects their systems with malware.
Since DDE is a Microsoft's legitimate feature, most antivirus solutions don't flag any warning or block the documents with DDE fields.
Therefore, anyone who clicks on the malicious attachment (with names like SabreGuard2017.docx or IsisAttackInNewYork.docx) inadvertently runs malicious code on his/her computer without any restriction or detection.
Once opened, the document runs contacts a command-and-control server to install the first stage of the malware called Seduploader on victims' machines using PowerShell commands.
Seduploader then profiles prospective victims by pulling basic host information from the infected system to the hackers. If the system is of interest, the attackers later install a more fully featured piece of spyware—X-Agent and Sedreco.
"APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections but can also rapidly incorporate new exploitation techniques to increase its success," Mcafee researchers concluded.
"Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses."
This is not first malware campaign that has been spotted abusing the DDE attack technique.
Soon after the details of DDE attack technique went public, Cisco's Talos threat research group uncovered an attack campaign that was actively exploiting this attack technique to target several organisations with a fileless remote access trojan called DNSMessenger.
Late last month, researchers discovered a campaign that spread Locky ransomware and TrickBot banking trojan via Word documents that leveraged the DDE technique.
Another separate malware spam campaign discovered by security researchers also found distributing Hancitor malware (also known as Chanitor and Tordal) using Microsoft Office DDE exploit.
Protection Against DDE Malware Attacks
Since Microsoft does not provide any protection against such attacks, you can easily prevent yourself from falling victim to any malicious document abusing the Microsoft's DDE feature by disabling it entirely.
If you use Microsoft Word 2016 or Microsoft Excel 2016, go to Options → Advanced, and then remove the checkmark from "Update automatic links at open" which is listed under the general group on the page.
In MS Excel, you can also consider checking "Ignore other applications that use Dynamic Data Exchange (DDE)."

Moreover, Disable DDEAuto is a Registry file maintained on GitHub that disables the "update links" as well as "embedded files" functionality in MS Office documents when run.
You can detect Office documents abusing the DDE feature via a set of YARA rules in Office Open XML files published by the researchers at NVISO Labs.
However, the best way to protect yourself from such malware attacks is always to be suspicious of uninvited documents sent via emails and never click on links inside those documents unless adequately verifying the source.


Russia-Linked APT28 group observed using DDE attack to deliver malware
9.11.2017 securityaffairs APT

Security experts at McAfee observed the Russian APT28 group using the recently reported the DDE attack technique to deliver malware in espionage campaign.
Security experts at McAfee observed the Russian APT group APT28 using the recently reported the DDE technique to deliver malware in targeted attacks.

The cyber spies were conducting a cyber espionage campaign that involved blank documents whose name referenced the recent terrorist attack in New York City.

“During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28.” reported McAfee.

The Dynamic Data Exchange (DDE) is a protocol designed to allow data transferring between applications, attackers have devised a method to achieve the execution of malicious code embedded in Office documents without user’s interaction by using DDE.

The DDE protocol allows an Office application to load data from another Office application, it was replaced by Microsoft with Object Linking and Embedding (OLE), but it is still supported.

The DDE technique was implemented by several threat actors such as the FIN7 APT group in DNSMessenger malware attacks, and the operators behind the Hancitor malware campaign spotted and detailed by Internet Storm Center (ISC) handler Brad Duncan.

Recently the technique was used by threat actors behind the Necurs botnet to deliver the Locky ransomware.

Unfortunately, Microsoft doesn’t plan to introduce security countermeasures to mitigate the DDE attack because the tech giant considers the feature as legit.

In the recent campaign conducted by APT28, hackers used a document referencing the New York City attack to deliver the first-stage payload tracked as Seduploader.

The Seduploader malware, also known as GAMEFISH backdoor, Sednit, JHUHUGIT and Sofacy, is a strain of malware that has been already used by the threat actor in other campaigns against NATO representatives.

The Seduploader is a reconnaissance malware that was used for years by APT28, it is composed of 2 files: a dropper and a payload.

The malware is downloaded from a remote server using PowerShell commands, experts

The analysis of the malware and command and control (C&C) domains used in the campaign revealed the campaign involving DDE started on October 25.

According to the experts, the recent attacks are part of a campaign that also involved documents referencing Saber Guardian, a multinational military exercise involving approximately 25,000 military personnel from over 20 participating nations. The military exercise was conducted by the U.S. Army in Eastern Europe in an effort to deter an invasion (by Russia) into NATO territory.


Just two week ago, researchers with Cisco Talos have spotted another cyber espionage campaign conducted by the APT28 group targeting individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference.

The hackers targeted individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point on November 7-8 in Washington, D.C.

“APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections, but can also rapidly incorporate new exploitation techniques to increase its success. Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses.” concluded McAfee. “Finally, the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28’s ability and interest in exploiting geopolitical events for their operations.”


Symantec uncovered a new APT, the cyber espionage Sowbug group
8.11.2017 securityaffairs APT

Malware researchers from Symantec have spotted a new cyber espionage APT dubbed Sowbug group that has been active at least since 2015.
A new cyber espionage group dubbed Sowbug appeared in the threat landscape, according to the experts it has been active since 2015 and was involved in highly targeted attacks against a host of government organizations in South America and Southeast Asia.

Sowbug group

“Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ” reads the analysis published by Symantec.

The group was spotted by experts from Symantec who uncovered clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries, including Argentina, Brazil, Ecuador, Peru, and Malaysia.

The Sowbug group uses a strain of malware dubbed Felismus to compromise target systems. The malicious code was first detected in March by researchers at Forcepoint, but only Symantec experts linked it with the Sowbug group.

“Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.” stated Forcepoint.

Felismus is a sophisticated remote access Trojan (RAT) with a modular structure that allows the backdoor trojan to extend its capabilities.
“Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia. ” continues Symantec. “We have subsequently identified further victims on both sides of the Pacific Ocean. While the Felismus tool was first identified in March of this year, its association with Sowbug was unknown until now. Symantec has also been able to connect earlier attack campaigns with Sowbug, demonstrating that it has been active since at least early-2015 and may have been operating even earlier.”
The Felismus backdoor allows attackers to take full control of an infected system, researchers were able to link previous attack campaigns with the Sowbug hacking group. They concluded that the group is at least active since early-2015.

“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” reads the Symantec report.

“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations.”

According to the malware researchers, the Sowbug group uses fake, malicious software updates of Windows or Adobe Reader to compromise the target systems. In the arsenal of the group, there is also a tool called Starloader used by hackers to deploy additional malware and tools, such as credential dumpers and keyloggers on the target system.

The Starloader tool was spread as software updates entitled AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others.
“Rather, it gives its tools file names similar to those used by the software and places them in directory trees that could be mistaken for those used by the legitimate software. This allows the attackers to hide in plain sight, as their appearance in process listings is unlikely to arouse suspicion.” states Symantec.
The Sowbug hackers took further measures to remain under the radar by operating outside of standard office hours. In one case, the hackers remained undetected on the target’s network for up to six months between September 2016 and March 2017.


Vietnamese APT32 group is one of the most advanced APTs in the threat landscape
7.11.2017 securityaffairs APT

According to the incident response firm Volexity, Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape
According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as tracked as OceanLotus and APT32 have become increasingly sophisticated.
Researchers at Volexity has been tracking the threat actor since May 2017, they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations.

“In May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital surveillance and attack campaign targeting several Asian nations, the ASEAN organization, and hundreds of individuals and organizations tied to media, human rights and civil society causes.” reads the analysis published by Volexity. “These attacks are being conducted through numerous strategically compromised websites and have occurred over several high-profile ASEAN summits. Volexity has tied this attack campaign to an advanced persistent threat (APT) group first identified as OceanLotus by SkyEye Labs in 2015.”

The researcher compared the hacker group with the dreaded s Russia-linked Turla APT.

APT32 group

The APT32 group, also known as OceanLotus Group, has been active since at least 2012, according to the experts it is a state-sponsored hacking group.

The hackers targeted organizations across multiple industries and foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

“APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.” states the analysis published by FireEye in May.

FireEye highlighted that currently, it is impossible to precisely link the group to the Vietnamese government even if the information gathered by the hackers would be of very little use to any other state.

The APT32 has used both Windows and Mac malware in its campaign, the group devised sophisticated techniques to evade detection.

“Volexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla,” continues the firm.

APT32 conducted a large-scale campaign powering watering hole attacks the involved more than 100 compromised websites belonging to government, military, media, civil society, human rights and oil exploitation entities.

The attacks were surgical, the compromised websites only served malware to visitors who were on a whitelist. Victims have displayed a fake screen designed to trick them into authorizing a malicious Google app that could access their emails and contacts.

Other websites were used to deliver malicious code, including backdoors and custom malware.

Volexity published key findings of its analysis related to the last wave of attacks that are still ongoing:

Massive digital profiling and information collection campaign via strategically compromised websites
Over 100 websites of individuals and organizations tied to Government, Military, Human Rights, Civil Society, Media, State Oil Exploration, and more used to launch attacks around the globe
Use of whitelists to target only specific individuals and organizations
Custom Google Apps designed for gaining access to victim Gmail accounts to steal e-mail and contacts
Strategic and targeted JavaScript delivery to modify the view of compromised websites to facilitate social engineering of visitors to install malware or provide access to e-mail accounts
Large distributed attack infrastructure spanning numerous hosting providers and countries
Numerous attacker created domains designed to mimic legitimate online services and organizations such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, Google, and others
Heavy uses of Let’s Encrypt SSL/TLS certificates
Use of multiple backdoors, such as Cobalt Strike and others, believed to be developed and solely used by OceanLotus
The APT32 has rapidly evolved and increased its capabilities, for this reason the experts consider this threat actor one of the most advanced in the current threat landscape.

“Volexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation,” the company concluded.


Vietnamese Spies Rival Notorious Russian Group in Sophistication
7.11.2017 securityweek APT
The campaigns of a cyber espionage group believed to be operating out of Vietnam have become increasingly sophisticated, up to the point where they rival operations launched by the notorious Russia-linked advanced persistent threat (APT) actor known as Turla, incident response firm Volexity said on Monday.

The group, tracked as OceanLotus and APT32, has been around since at least 2012, targeting various types of organizations in Southeast Asian countries such as Vietnam, Philippines and China, with some campaigns extending to Europe and the United States. The list of targeted entities includes governments, journalists, activists, tech firms, consumer product manufacturers, banks, and organizations in the hospitality sector.

OceanLotus has used both Windows and Mac malware in its operations, along with some clever techniques that have allowed the group to evade detection.

Volexity has been tracking the threat actor since May 2017, specifically attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations. The security firm agrees with FireEye’s previous assessment that OceanLotus is likely based in Vietnam.

“Volexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla,” the security firm said in a blog post.

Volexity’s analysis showed that OceanLotus’s watering hole attacks involved more than 100 compromised websites belonging to government, military, media, civil society, human rights and oil exploitation entities.

Researchers determined that the group’s attacks are highly targeted; the compromised sites served malicious code only to visitors who were on a whitelist. Targeted users are shown a fake screen designed to trick them into authorizing a malicious Google app that could access the victim’s emails and contacts. Some of the compromised websites were also set up to deliver backdoors and other types of tools, including legitimate software (e.g. Cobalt Strike) and custom malware.

Researchers also noticed that the attackers created many fake domains designed to mimic legitimate services such as AddThis, Akamai, Baidu, Cloudflare, Disqus, Facebook and Google. Many of these websites leveraged SSL certificates provided by Let’s Encrypt, whose services have been increasingly abused by cybercriminals.

“Volexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation,” the company concluded.

OceanLotus’ sophistication was also described recently in a report from Cybereason, which detailed the group’s cat-and-mouse games within the systems of a global company operating in Asia.


Latest Russia-linked APT28 campaign targeting security experts
24.10.2017 securityaffairs APT

Russian cyber espionage group APT28 targeted individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference.
Researchers with Cisco Talos have spotted a Russian cyber espionage group targeting individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference.

Experts attributed the attack to the dreaded Russian APT28 group, aka Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium.

The hackers targeted individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point on November 7-8 in Washington, D.C.

The state-sponsored hackers used bait documents containing content copied from the official CyCon U.S. website, the attackers were clearly interested in spying on cybersecurity experts.

“Cisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. conference. CyCon US is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence.” states the report published by CISCO Talos.

“Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security.”

APT28

The technique to use cyber security conferences as a lure in cyber espionage operations is well known, other threat actors in the past used the same tactic. Last year, a Chinese cyber espionage group known as Lotus Blossom attempted to lure victims with fake invitations to a Palo Alto Networks’ Cybersecurity Summit.

The attackers didn’t use any zero-day vulnerabilities in this last campaign, instead, they relied on weaponized Office documents containing VBA scripts used to deliver a new variant of Seduploader (also known as GAMEFISH backdoor, Sednit, JHUHUGIT and Sofacy).

The Seduploader malware, also known as GAMEFISH backdoor, Sednit, JHUHUGIT and Sofacy, is a strain of malware that has been already used by the threat actor in other campaigns against NATO representatives.

“In the previous campaign where adversaries used Office document exploits as an infection vector, the payload was executed in the Office word process. In this campaign, adversaries did not use any exploit. Instead, the payload is executed in standalone mode by rundll32.exe,” continues the report.

The Seduploader is a reconnaissance malware that was used for years by APT28, it is composed of 2 files: a dropper and a payload. The experts noticed that dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name, obfuscation keys.

Hackers made these modifications to avoid detection of security solutions.

The CCDCOE published an alert on its website to warn people interested in the CyCon conference about the attack.

“Information from CyCon U.S. website has been used in a Word document with an intent to deliver malware. This type of attack, where legitimate information is used to attract the attention of victims, is rather common and normally detected and prevented in information systems with widely used safeguards.” reads the alert.

“This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security,”


APT28 group is rushing to exploit recent CVE-2017-11292 Flash 0-Day before users apply the patches
23.10.2017 securityaffairs APT

The APT28 group is trying to exploit the CVE-2017-11292 Flash zero-day before users receive patches or update their systems.
Security experts at Proofpoint collected evidence of several malware campaigns, powered by the Russian APT28 group, that rely on a Flash zero-day vulnerability that Adobe patched earlier this week.

According to the experts who observed attacks on organizations across Europe and in the US, the APT28 group is trying to exploit the CVE-2017-11292 zero-day before users receive patches or update their systems.

The state-sponsored hackers focused their attacks on state departments and private-sector businesses in the aerospace industry.

“On Tuesday, October 18, Proofpoint researchers detected a malicious Microsoft Word attachment exploiting a recently patched Adobe Flash vulnerability, CVE-2017-11292. We attributed this attack to APT28 (also known as Sofacy), a Russian state-sponsored group.” states the report published by Proofpoint.

“Targeting data for this campaign is limited but some emails were sent to foreign government entities equivalent to the State Department and private-sector businesses in the aerospace industry. The known geographical targeting appears broad, including Europe and the United States. The emails were sent from free email services.”

The patch was released on Monday, October 16, at that time Kaspersky detected attacks leveraging the CVE-2017-11292 allegedly conducted by the BlackOasis APT group.

Researchers believe that APT28 was also in possession of the exploit (whether purchased, discovered on their own, or reverse engineered from the BlackOasis attack), and is trying to use it in targeted attacks.

The APT28 rushed to assemble the exploit and the distribution campaign, reusing code from past attacks, the APT28 hackers did the same in May after Microsoft patched three zero-days flaws exploited by the Russian APT group.

Back to the present, researchers believe the APT28 found a way to exploit the CVE-2017-11292, it is unclear if they purchased the zero-day or reverse engineered it from the BlackOasis attack.

The researchers noticed that the recent attacks exploiting the CVE-2017-11292 flaw employed the same old DealersChoice malware, a Flash exploit framework also used by the APT28 group against Montenegro.

When the target user opens these the weaponized files, DealersChoice contacts the remote server to download the CVE-2017-11292 exploit code and execute it.

“The document “World War 3.docx” contacts DealersChoice.B, APT28’s attack framework that allows loading exploit code on-demand from a command and control (C&C) server. DealersChoice has previously been used to exploit a variety of Flash vulnerabilities, including CVE-2015-7645, CVE-2016-1019, CVE-2016-4117, and CVE-2016-7855 via embedded objects in crafted Microsoft Word documents.” continues the report.

apt28 CVE-2017-11292

The Proofpoint researcher Kafeine, confirmed his company currently trying to take down C&C servers associated with the DealersChoice attack framework used in the CVE-2017-11292 attacks.

“APT28 appears to be moving rapidly to exploit this newly documented vulnerability before the available patch is widely deployed. Because Flash is still present on a high percentage of systems and this vulnerability affects all major operating systems, it is critical that organizations and end users apply the Adobe patch immediately. ” concluded Proofpoint.

Further technical details are available in the report published by Proofpoint, including the IOCs.


BAE Systems report links Taiwan heist to North Korean LAZARUS APT
18.10.2017 securityaffairs APT

Researchers at BAE Systems investigated the recent cyber-heist that targeted a bank in Taiwan and linked the action to the notorious Lazarus APT group.
The activity of the Lazarus APT Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

The Lazarus group, tracked by the U.S. government as Hidden Cobra, seems to be behind recent attacks against U.S. defense contractors, likely in cooperation with other hacker groups.

Back to the recent attack, hackers exploited the SWIFT global financial network to steal roughly $60 million from Taiwan’s Far Eastern International Bank.

Reports of $60M being stolen are not correct, the overall amount actually stolen by the hackers were considerably lower.

The hackers transferred the money outside the island, but the bank claimed it had managed to recover most of it.

The Sri Lanka police have recently arrested two men allegedly involved in the cyberheist, the suspects are accused to have hacked into computers at a Taiwan bank and stole millions of dollars

Researchers at BAE Systems have identified some of the tools used in the cyber heist and linked them to the Lazarus‘s arsenal.

Researchers believe attackers used a piece of ransomware known as Hermes as a distraction tactic. According to researchers at McAfee, the Hermes variant used in the attack on the Taiwanese bank did not display a ransom note, a circumstance that suggests it wasn’t used for a different purpose, distraction.

“Was the ransomware used to distract the real purpose of this attack? We strongly believe so,” McAfee researchers said. “Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.”

Lazarus operators likely used the Hermes ransomware on the bank’s network to interfere with the investigations and destroy evidence of their attack.

“The Hermes strain used on FEIB’s network did not change the infected computer’s wallpaper and didn’t leave a flashy ransom note behind, like the original Hermes note, portrayed below.” reported Bleeping computer.

“Instead, the Hermes version used in the FEIB attacks only showed a popup with the text “finish work” and left a file named “UNIQUE_ID_DO_NOT_REMOVE” in every directory.”

The Hermes samples analyzed by researchers at BAE Systems drop a ransom note in each encrypted folder.

The experts also analyzed another strain of malware used in the attack dubbed Bitsran, it is a loader used to spreads a malicious payload on the targeted network. The analysis of its code revealed the presence of hardcoded credentials for the network of the Far Eastern International Bank. The malware was likely used in a reconnaissance phase.

“Sample #2 [Bitsran] is designed to run and spread a malicious payload on the victim’s network.” states the report.

“The malware then enumerates all processes, searching for specific anti-virus processes and attempts to kill these using the command line tool taskkill.”

Other malware used by the attackers are the same used by the Lazarus group, including in attacks aimed at financial organizations in Poland and Mexico.

Lazarus APT Taiwan attack

The malicious code contains string written in the Russian Language, but researchers believe is a false flag to deceive them.

The sample of Hermes ransomware analyzed by the experts checks the infected machine’s language settings and stopped running if use Russian, Ukrainian or Belarusian languages. This feature widely adopted by Russian and Ukrainian vxers who often avoid targeting machines in their country. However, experts speculate this could also be a false flag.

“The ransomware calls GetSystemDefaultLangID() to obtain language identifier for the system locale. It contains a list of three system language codes: 0x0419 (Russian), 0x0422 (Ukrainian), and 0x0423 (Belarusian). However, it only checks against the last two, and, if matching, the malware quits. Whether this is a false-flag or not is unknown.” states the analysis.

Below the hallmarks of the Lazarus group that were recognized by BAE experts in the attack on the Taiwanese Far Eastern International Bank:

Destination beneficiary accounts in Sri Lanka and Cambodia – both countries have been used previously as destinations for Lazarus’ bank heist activity;
Use of malware previously seen in Lazarus’ Poland and Mexico bank attacks. Where these files were found and the context of their use needs to be confirmed, but could provide a crucial attributive link;
Use of unusual ransomware, potentially as a distraction.
“Despite their continued success in getting onto payment systems in banks, the Lazarus group still struggle getting the cash in the end, with payments being reversed soon after the attacks are uncovered,” concluded BAE Systems.

“The group may be trying new tricks to disrupt victims and delay their ability to respond – such as different message formats, and the deployment of ransomware across the victim’s network as a smokescreen for their other activity. It’s likely they’ll continue their heist attempts against banks in the coming months and we expect they will evolve their modus operandi to incorporate new ways of disrupting victims (and possibly the wider community) from responding,”


BlackOasis APT leverages new Flash zero-day exploit to deploy FinSpy
17.10.2017 securityaffairs
Vulnerebility  APT

Security researchers from Kaspersky Labs spotted the BlackOasis APT group exploiting a new zero-day RCE vulnerability in Adobe Flash.
Security researchers from Kaspersky Labs have discovered a new zero-day remote code execution vulnerability in Adobe Flash, tracked as CVE-2017-11292, which was being actively exploited by hackers in the wild to deliver the surveillance software FinSpy.

BlackOasis APT

Hackers belonging to the APT group known as BlackOasis are leveraging the Adobe Flash zero-day exploit in attacks against high-profile targets.

The critical type confusion vulnerability affects Flash Player 21.0.0.226 for Windows, Macintosh, Linux and Chrome OS.

“On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today:” reads the analysis published by Kaspersky.

The experts speculate the BlackOasis APT group is the same crew that exploited another RCE zero-day vulnerability, tracked CVE-2017-8759, discovered by FireEye researchers in September 2017.

According to FireEye, the CVE-2017-8759 was actively been exploited by an APT group to deliver the surveillance malware FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July.

In both attacks, the BlackOasis APT exploited a zero-day exploit to deliver the FinSpy spyware, the hackers shared the same command and control (C&C).

The experts who monitored the activity of the BlackOasis group across the year confirmed it has utilized at least five zero days since June 2015:

CVE-2015-5119 – June 2015
CVE-2016-0984 – June 2015
CVE-2016-4117 – May 2016
CVE-2017-8759 – Sept 2017
CVE-2017-11292 – Oct 2017
BlackOasis hackers targeted individuals in numerous countries, including Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.

“BlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents.” continues the analysis. “During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.”

Researchers reported the zero-day exploit is delivered through Microsoft Office documents, particularly Word, attached to a spam email. The documents include an ActiveX object which contains the Flash exploit used to deliver the FinSpy spyware.

“The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits,” the Kaspersky Labs researchers say.

FinSpy leveraged various attack vectors, including spear phishing, manual installation with physical access to the affected device, zero-day exploits, and watering hole attacks.

According to the experts, the number of attacks relying on FinFisher software, supported by zero-day exploits will continue to grow.

“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” conclude Kaspersky Lab lead malware analyst Anton Ivanov

“Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”

Kaspersky Lab reported the flaw to Adobe that addressed it with the release of Adobe Flash Player versions 27.0.0.159 and 27.0.0.130.


CSE CybSec ZLAB Malware Analysis Report: APT28 Hospitality malware
5.10.2017 securityaffairs APT

The CSE CybSec Z-Lab Malware Lab analyzed the Hospitality malware used by the Russian APT28 group to target hotels in several European countries.
The Russian hacker group APT28, also known as Sofacy or Fancy Bear, is believed to be behind a series of attacks in last July against travelers staying in hotels in Europe and Middle East.

This attack is performed by sending spear phishing emails to the victims, masquerading as a hotel reservation form that, if opened and macros are enabled, installs a malware in the machine’s victim.

Why should Fancy bear do this? According to FireEye and other security firms, Sofacy is a cyberespionage group and a good tool to get info about people (possibly businessmen and politicians) hosted in important hotels, is to deceive them to install a spyware with a Command and Control that monitors the actions of all the victims.

APT28

Figure 1 – Screen of Word dropper.

The above figure shows an example of the weaponized document used by hackers as an attachment in spear phishing emails. The document contains a payload achievable when macro is enabled. In fact, the macro is a Visual Basic script used to decode the malicious payload and to create a series of files, according to the following scheme:


Figure 2 – Files’ creation and execution scheme

The file “mvtband.dat” is the core of the malware that contains a C2C client, which tries to connect to servers, “mvtband.net” and “mvband.net” in order to send the info gathered about the victim’s host and receive new commands to execute on it. In particular, the malware contacts these C&C servers with POST request on a random path. The body contains some info, among them the list of the executing processes, info about system settings, browser preferences, encrypted using its own algorithm. Moreover, from our advanced analysis, we discovered that Hospitality Malware takes screenshots of the machine that most likely it sends to the C2C together with other info. But, nowadays, these servers are blacklisted so we can’t analyze all the complete behavior of Hospitality Malware.

You can download the full ZLAB Malware Analysis Report at the following URL:

PDF


Intezer researchers link CCleaner hack to Chinese APT17 hackers
4.10.2017 securityaffairs  APT

Researchers from security firm Intezer speculate that the attack was powered by nation-state actor, likely the Chinese APT17 group.
Security experts continue to investigate the recent attack against the supply chain of the popular software CCleaner.

The hackers first compromised in July a CCleaner server, then exploited it to deliver a backdoored version of the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. It has been estimated that between August 15 and September 12, over 2.27 million users downloaded the tainted version of CCleaner application.

The experts at Cisco Talos team that investigated the incident, while analyzing the command-and-control (C2) server used by the threat actor discovered a lightweight backdoor module (GeeSetup_x86.dll) that was delivered to a specific list of machines used by certain organizations.

The experts discovered that the threat actor that recently compromised the supply chain of the CCleaner software to distribute a tainted version of the popular software targeted at least 20 major international technology firms with a second-stage malware.

The experts analyzed a backup of a deleted database containing information on the infected machines, they discovered that the malicious code infected a total of 1,646,536 machines (based on MAC addresses), but just 40 of them received the second-stage backdoor.

Security experts who investigated the case discovered a link with a Chinese group of hackers.

Now, researchers from Intezer speculate that the attack was powered by nation-state actor, likely Chinese hackers belonging to the Axiom group, also known as APT17 or DeputyDog.

The most popular campaign attributed to the APT17 group is the attack on the Google’s infrastructure, also known as Operation Aurora. For almost a decade the APT17 targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.

According to malware experts at Intezer, the first payload has many similarities with the code used by the Axiom group.

“Not only did the first payload have shared code between the Axiom group and CCBkdr, but the second did as well.” reads the analysis published by Intezer.

The stage 2 payload contains the same portion of code found in APT17 malware and that isn’t included in any public repository.

APT17 code CCleaner

“The author probably copied and pasted the code, which is what often happens to avoid duplicative efforts: rewriting the same code for the same functionality twice. Due to the uniqueness of the shared code, we strongly concluded that the code was written by the same attacker,” said Intezer.

The researchers concluded that the level of complexity of the attack suggests the involvement of a state-sponsored actor, likely the APT17 group.

“The complexity and quality of this particular attack has led our team to conclude that it was most likely state-sponsored. Considering this new evidence, the malware can be attributed to the Axiom group due to both the nature of the attack itself and the specific code reuse throughout that our technology was able to uncover,” concluded Intezer.


Iranian cyber spies APT33 target aerospace and energy organizations
21.9.2017 securityaffairs APT

The Iran-linked APT33 group has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.
According to security firm FireEye, a cyber espionage group linked to the Iranian Government, dubbed APT33, has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production.

“From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.” reads a blog post published by FireEye.

“During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.”

According to the experts, the APT33 group is gathering information on Saudi Arabia’s military aviation capabilities to gain insight into rivals in the MiddleEast.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” continues FireEye.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,”

The cyberspies leverage spear phishing emails sent to employees whose jobs related to the aviation industry.

APT33 phishing

The recruitment themed messages contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be of interest for the victims.

The experts noticed APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send phishing messages to targeted individuals in 2016.

The attackers set up several domains that appeared as belonging to Saudi aviation firms and other companies that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.

The malware used by the APT33 group includes a dropper dubbed DROPSHOT that has been linked to the wiper malware SHAPESHIFT, tracked by Kaspersky as StoneDrill, used in targeted attacks against organizations in Saudi Arabia. The arsenal of the group also includes a backdoor called TURNEDUP.

Kaspersky experts linked the StoneDrill malware to the Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef), a threat actor believed to be operating out of Iran.

The researchers identified an actor using the handle “xman_1365_x” that has been involved in the development and use of the TURNEDUP backdoor.

“Xman_1365_x was also a community manager in the Barnamenevis Iranian programming and software engineering forum, and registered accounts in the well-known Iranian Shabgard and Ashiyane forums, though we did not find evidence to suggest that this actor was ever a formal member of the Shabgard or Ashiyane hacktivist groups.” continues FireEye.

FireEye cited open source reporting links the “xman_1365_x” actor to the “Nasr Institute,” which is the equivalent to Iran’s “cyber army” and directly controlled by the Iranian government.