- APT -

Last update 09.10.2017 12:41:24

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5 



China Tick APT group targeting air-gapped systems in Asia
26.6.2018 securityaffairs APT

Palo Alto Networks experts uncovered a new operation conducted by the cyber espionage group known as Tick APT that has been targeting a secure USB drive built by a South Korean defense company.
The Tick APT group has been active for at least a decade, tracked also as Bronze Butler, it was first spotted in 2016 by Symantec and experts believe it is a China-linked threat actor. Experts highlighted the ability of the group in discovering a zero-day flaw in a software used in a certain region, such as Japan and South Korea,

The group has been targeting a secure USB drive built by a South Korean defense company, likely with the intent of compromising air-gaped systems.

The expert reported that the Tick APT group is mainly targeting Japan and South Korea, but the threat actor also targeted organizations in Russia, Singapore, and China.

The group has been observed using a variety of proprietary tools and custom malware, including Minzen, Daserf (aka Nioupale), Datper, and HomamDownloader.

“Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company.” reads the analysis published by PaloAlto Networks.

“The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet.”

The malicious code used in the recent attacks conducted by the Tick APT were specifically developed to target systems running Windows XP or Windows Server 2003.

According to the experts, the malware was developed with the intent of infecting older, out-of-support versions of Microsoft Windows running on Air-gapped systems that often used in government and defense environments.

The experts added that they haven’t found public reports of the attack until now, likely because the threat actor used it many years ago.

“We have not identified any public reporting on this attack, and we suspect the Tick group used the malware described in this report in attacks multiple years ago. Based on the data collected, we do not believe this malware is part of any active threat campaign.” continues the report.

The experts believe the hackers managed to compromise the secure USB drive model to install the malware on a number of infected devices, that are supposed to be certified as secure by the South Korean ITSCC.

PaloAlto Networks reported that the APT group also developed a strain of malware dubbed SymonLoader that once installed on older Windows systems machines looks for specific USB drives.

The SymonLoader was used by attackers to load and execute the malware from the secure USB drive. At the time it is not clear how the attackers have compromised the USB drives.

“Because we do not have either a compromised USB drive or the unknown malicious file, we are also unable to determine how these USB drives have been compromised.” continues Palo Alto.

“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering.”

tick APT malware

During the investigation, experts at Palo Alto Networks discovered an interesting sample of the malware on January 21, 2018, it is a Trojanized version of a Japanese language GO game and drops malware.

Experts associated this sample with the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs.

“The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive,” the researchers explain.

Further details, including the IoCs are reported in the analysis published by the experts.


Lazarus APT hackers leverages HWP Documents in a recent string of attacks
26.6.2018 securityaffairs APT

Security researchers at AlienVault uncovered a series of cyber attacks on cryptocurrency exchanges leveraging weaponized Hangul Word Processor HWP documents (Hangul Word Processor documents).
The string of attacks involving the HWP documents has been attributed to the North Korea-linked Lazarus APT group, and includes the hack of the South Korean virtual currency exchange Bithumb. The hackers managed to steal roughly $32 million worth of cryptocurrencies, it was the second security breach suffered by the cryptocurrency exchange that caused the shutdown of the service. The first attack was also attributed to the Lazarus APT group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

Recently the group hit several banks in Latin America stealing tens of millions of dollars.

Earlier this month, experts at AlienVault reported that Lazarus APT has been leveraging an ActiveX zero-day vulnerability in attacks on South Korean targets.

A couple of days ago, experts at Alien Vault discovered a series of weaponized documents to target members of a recent G20 Financial Meeting.

“One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.” reads the analysis published by Alien Vault.

The HWP documents used in recent attacks include a malicious postscript code that downloads the second stage malware (either a 32 or 64 bit version of Manuscrypt).

lazarus hwp documents

Reports published by South Korean organizations suggest the cyberheist form Bithumb leverages malicious HWP files and started earlier in May and June. The documents involved fake resumes and are linked to previous attacks by Lazarus.

“A report by a South Korean news organisation into the investigation by a South Korean security company into the thefts shows some very familiar looking malware samples that were sent to cryptocurrency organisations” continues Alien Vault.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,”

According to the experts, malicious HWP documents from Lazarus have been reportedly targeting crypto-currency users in South Korea in June.

The attackers are also launching phishing campaigns against the users of the exchange, the Lazarus APT registered a number of cryptocurrency phishing domains, this is an anomaly considering that hackers compromised legitimate sites in past attacks. The hackers used the same phone number as a domain (itaddnet[.]com).

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available – the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organisations have the double impact of weakening their closest competitor.” concluded AlienVault

Further details, including IoCs are reported in the analysis published by AlienVault.


According to the experts, North Korea is behind the SWIFT attacks in Latin America
24.6.2018 securityaffairs APT Hacking

SWIFT hackers continue to target banks worldwide, the last string of attacks hit financial institutions across Latin America.
According to three people with knowledge of the matter cited by Cyberscoop the attacks were carried by North Korea-linked APT groups that targeted also other banks

Recent attacks hit Mexico’s Bancomext and Chile’s Bank of Chile, in both cases the attackers used a variant of the dreaded disk wiper KilllDisk to infect the systems of the banks and steal funds through the SWIFT payment system.

“North Korea was involved in both breaches, the sources said, adding that they were tied to others that haven’t yet been disclosed.” states Cyberscoop.

“Two sources reviewed inside information about the breach investigations, which are still ongoing. Confidential technical reports about the incidents are already being shared within private information sharing groups comprised of other financial institutions.”

Investigations conducted by many security firms on past security breaches always linked North Korea to the attacks against the SWIFT systems.

At the time it is not clear attack vector, but experts believe hackers targeted the banks with spear phishing campaigns or using credentials obtained from other breaches.

Bancomtext and Bank of Chile aren’t the only victims of the hackers, the Mexican financial institution Banorte suffered a similar security breach.

North Korea-linked hackers appeared as focused on financial institutions in Latin America, Eastern Europe, and Southeast Asia.

“SWIFT doesn’t comment on the attribution of cyberattacks – that is a question for law enforcement – but we can say that the cyber threat facing the financial community is fast increasing in terms of sophistication … [we’re unaware of] evidence that SWIFT’s own network or core messaging services have ever been compromised. Rather, in each of the incidents customers first suffered security breaches within their local environments.” reads statement send by a SWIFT spokesperson via email.

Once the hackers have penetrated the organizations, they will usually exploit vulnerabilities in a banks funds’ “transfer initiation environments,” to steal credentials and make fraudulent and irrevocable transfers.

Attackers also adopted “diversionary smokescreens” by using wiper malware to make hard the attribution of the attack and the response to the incidents.

“Shared malware variants between the multiple incidents, known as”MBR Killer” and “Bootwreck/killdisk,” caused systems to wipe boot data and other forensic records. The North Korean hackers have been seen using a combination of different wipers in their attacks.” added CyberScoop.

“The group who attacked the Mexican bank used both in their attack,” said Fernando Merces, a senior threat researcher with Trend Micro, an international cybersecurity firm. “There was also an MBR Killer used in a Taiwanese bank a few years ago … The financial sector sees these attacks most frequently. The attacks have been seen globally.”

The use of the MBR Killer alone doesn’t represent an evidence of the involvement of a specific threat actor because its code was posted to a cybercrime forum and was reused by a wide range of actors.

In this case, forensic experts collected other indicators suggesting the involvement of the North Korea’s “Lazarus Group” in Latin America.

“CyberScoop obtained a confidential intelligence report, labelled “TLP: Amber,” authored May 29 by New York-based intelligence firm Flashpoint. That report further connected MBR Killer to the Chile case. The report states that this module had been “leveraged to hide the evidence of successful bank network penetrations.”” concludes CyberScoop.

Even if the attackers attempted to destroy any evidence, the analysis of TTPs allows attributing the attack to Pyongyang.

“Attackers often delete any evidence of fraudulent transactions on victim’s local system, but SWIFT can … [provide] the header data of the messages that SWIFT received from the impacted organization,” the SWIFT spokesperson added.

According to the Mexican financial media outlet, El Financiero hackers compromised Mexico’s interbank transfer system, aka “Sistema de Pagos Electrónicos Interbancarios” (SPEI), with the FALLCHILL, a RAT associated with North Korea-linked APT groups.


China-linked Thrip APT group target defense and satellite firms
21.6.2018 securityaffairs  APT

Symantec tracked a new APT group named Thrip that targeted0 satellite operators, telco companies and defense contractors in the US and Southeast Asia.
Chinese APT groups are always very active, experts at Symantec have tracked a new APT group named Thrip that has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.

The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.

“We’ve been monitoring Thrip since 2013 when we uncovered a spying campaign being orchestrated from systems based in China. Since our initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. ” reads the analysis published by Symantec.

Thrip APT

Thrip APT used a combination of custom malware and legitimate tools in its attacks, the list of victims is long and include a satellite communications operator.

The hackers targeted devices involved in operations and infected computers running software that monitors and controls satellites, this circumstance suggests the attackers may also interested in sabotage.

Another victim of the group is a company specializing in geospatial imaging and mapping.

“[Thrip] targeted computers running MapXtreme GIS (Geographic Information System) software which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.” continues the analysis.

“The satellite operator wasn’t the only communications target Thrip was interested in. The group had also targeted three different telecoms operators, all based in Southeast Asia.”

The group also targeted three telecoms firms in Southeast Asia and a defense contractor.

The arsenal of the group includes the data stealer Trojan.Rikamanu and its evolution Infostealer.Catchamas that implements more sophisticated data strealing features and evasion capabilities.

The APT group also used the Trojan.Mycicil, a keylogger that is available for sale on Chinese underground marketplaces, and the Backdoor.Spedear and Trojan.Syndicasec malware.

The Thrip APT also many legitimate tools, including the Windows SysInternals utility PSExec, PowerShell, Mimikatz, and the LogMeIn remote access software.

Further details, including IoCs are reported in the analysis published by Symantec.


China-Linked APT15 is still very active, experts found its new malware tracked as ‘MirageFox’
18.6.2018 securityaffairs APT

Following the recent hack of a US Navy contractor security experts found evidence of very recent activity by the China-linked APT group tracked as APT15.
The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing the code from one of the tool he used in past operations.

APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets in defense, high tech, energy, government, aerospace, manufacturing industries worldwide. The attackers demonstrated an increasing level of sophistication across the years, they used a custom-malware and various exploits in their attacks.

Across the years, security firms identified many hacking tools associated with APT15 such as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb.

The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

In March 2018, APT15 used new backdoors is an attack that was likely part of a wider operation aimed at contractors at various UK government departments and military organizations.

One of the attacks aimed at a UK-based customer of NCC Group, an organization that provides a wide range of services to the United Kingdom government. The hackers focused on government departments and military technology by targeting the customer of the company.

NCC noted at the time that the APT15 used two new backdoors, tracked as RoyalCLI and RoyalDNS.

APT15

One of the backdoors has been tracked as RoyalCLI due to a debugging path left in the binary, it is the successor of BS2005 backdoor used by the group. Both RoyalCLI and BS2005 communicate with command and control (C&C) servers via Internet Explorer using the COM interface IWebBrowser2.

The attackers utilized Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

The second backdoor, tracked as RoyalDNS, uses DNS to communicate with the C&C server, once executed the command the backdoor returns output through DNS.

Researchers from security firm Intezer, has recently identified a new piece of malware linked to APT15. The discovery was casual, the experts in fact discovered the malware while searching the Mirage malware based on YARA rules created for Mirage, one of the oldest tools used by the APT15 and for the Reaver malware that was linked to cyber espionage campaigns conducted by China-linked APT groups.

“Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.” reads the analysis published by Intezer.

“The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.”

The new malware was tracked by the researchers as MirageFox, the name comes from a string found in one of the components that borrows code from both Mirage and Reaver.

The original Mirage malware includes the code for a remote shell and the function for decrypting command and control (C&C) configuration data.

Mirage also shares code with other malware attributed to APT15, including BMW, BS2005, and particularly MyWeb. Code similarities suggest the Reaver malware was developed by the APT15.

APT15 malware comparison

“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth.” continues the analysis published by Intezer.

“Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,”

The sample analyzed by the experts was compiled on June 8 and it was uploaded to VirusTotal on June 9.

The malware leverages a legitimate McAfee binary to load malicious processes through DLL hijacking, a technique already used by in past attacks.

Intezer experts also noticed that the C&C server is configured as an internal IP address, a circumstance that confirms the sample was configured to target organization.

“If you look at it the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address. If you read the report mentioned above about RoyalAPT by NCC Group, it is mentioned that APT15 infiltrated an organization again after stealing a VPN private key, therefore we can assume this version was tailor made to an organization they have already infiltrated and are connecting to the internal network using a VPN.” continues the report.

At the time the attack vector it is still unclear, further technical details including IoCs are reported in the analysis published by the company.

“There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries.” concludes Intezer.

“As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected.”


China-Linked APT15 Develops New 'MirageFox' Malware
18.6.2018 securityweek APT 

A cyber-espionage group believed to be operating out of China has developed a new piece of malware that appears to be based on one of the first tools used by the threat actor.

The actor is known as APT15, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon, and its tools are tracked by various cybersecurity companies as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb. The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

One of APT15’s more recent attacks was uncovered last year when the hackers targeted a UK-based customer of NCC Group. The organization provides a wide range of services to the United Kingdom government and NCC believes the attackers may have targeted government departments and military technology through its customer.

NCC noted at the time that the group had improved its tools and techniques. The company had uncovered two new backdoors used by APT15, including RoyalCLI, a successor of BS2005, and RoyalDNS.

Intezer, a cybersecurity firm that specializes in recognizing code reuse, reported last week that it had identified a new piece of malware linked to APT15 based on YARA rules created for Mirage, the oldest tool used by the threat actor, and Reaver, another piece of malware previously linked by researchers to China.

The new malware, dubbed by Intezer MirageFox based on a string found in one of the components, shares code with both Mirage and Reaver. Experts have found significant similarities to the original Mirage malware, including in the code used for a remote shell and the function for decrypting command and control (C&C) configuration data.

Code similarities between Mirage and MirageFox

“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth. Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,” Jay Rosenberg, senior security researcher at Intezer, explained in a blog post.

The sample analyzed by the security firm was compiled on June 8 and uploaded to VirusTotal one day later. While it’s unclear how the malware has been distributed to victims, Intezer has made some interesting observations about MirageFox.

The malware appears to abuse a legitimate McAfee binary to load malicious processes through DLL hijacking. APT15 has been known to use DLL hijacking in its campaigns.

Intezer also noticed that a C&C server has an internal IP address, which suggests that the sample was specifically configured for the targeted organization and that, similar to the attack described earlier this year by NCC Group, the attackers gained access to the victim’s internal network using a VPN.

It’s unclear if they are connected, but Intezer pointed out that the discovery of MirageFox coincides with reports of an attack in which hackers believed to be sponsored by China stole sensitive information from a US Navy contractor.

While previous public reports on APT15 claim the group has been around since at least 2010, Rosenberg told SecurityWeek over the weekend that he has identified a Mirage sample uploaded to VirusTotal in 2009.

Rosenberg also noted that Mirage shares code with other pieces of malware attributed to APT15, including BMW, BS2005, and particularly MyWeb. The expert also believes, based on the code they share, that the developers of APT15 malware may have also created Reaver.


LuckyMouse hits national data center to organize country-level waterholing campaign
17.6.2018 Kaspersky  APT 
Virus
In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.

The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.

Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report, IoCs and YARA rules are available from our intelligence reporting service (contact us intelligence@kaspersky.com).

Who’s behind it?
Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available for everyone and couldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously.

Government entities, including the Central Asian ones also were a target for this actor before. Due to LuckyMouse’s ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScripts into them.

How did the malware spread?
The initial infection vector used in the attack against the data center is unclear. Even when we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack. It’s possible the actor used a waterhole to infect data center employees.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to IP-address, that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board. We suspect this router was hacked as part of the campaign in order to process the malware’s HTTP requests. The Sonypsps[.]com domain was last updated using GoDaddy on 2017-05-05 until 2019-03-13.

FMikrotik router with two-year-old firmware and SMBv1 on board used in this campaign

In March 2017, Wikileaks published details about an exploit affecting Mikrotik called ChimayRed. According to the documentation, however, it doesn’t work for firmware versions higher than 6.30. This router uses version 6.34.

There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites. These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.

What did the malware do in the data center?

Anti-detection stages. Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red)

The initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory.

The launcher module, obfuscated with the notorious Metasploit’s shikata_ga_nai encoder, is the same for all the droppers. The resulting deobfuscated code performs typical side loading: it patches pcAnywhere’s image in memory at its entry point. The patched code jumps back to the decryptor’s second shikata_ga_nai iteration, but this time as part of the whitelisted application.

This Metasploit’s encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps thumb.db into the same process’s (pcAnywhere) memory. The first instructions in the mapped thumb.db are for a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory.

What does the resulting watering hole look like?
The websites were compromised to redirect visitors to instances of both ScanBox and BEeF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.

Resulting script on the compromised government websites

Users were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code.

Conclusions
LuckyMouse appears to have been very active recently. The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro).

The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.

Some indicators of compromise
Droppers

22CBE2B0F1EF3F2B18B4C5AED6D7BB79
0D0320878946A73749111E6C94BF1525

Launcher
ac337bd5f6f18b8fe009e45d65a2b09b

HyperBro in-memory Trojan
04dece2662f648f619d9c0377a7ba7c0

Domains and IPs
bbs.sonypsps[.]com
update.iaacstudio[.]com
wh0am1.itbaydns[.]com
google-updata[.]tk
windows-updata[.]tk


A new MuddyWater Campaign spreads Powershell-based PRB-Backdoor
16.6.2018 securityaffairs APT

Trend Micro spotted a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater APT.
Security experts at Trend Micro have spotted a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater cyber-espionage campaign.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

Threat actors used PowerShell-based first stage backdoor named POWERSTATS, across the time the hackers changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by TEMP.Zagros group (another name used by the experts to track the MuddyWater), targeting Asia and Middle East regions from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

The attacks have been mistakenly associated with the FIN7 group, when Palo Alto discovered the first campaign reported that a C&C server delivering the FIN7-linked DNSMessenger tool was involved in MuddyWater attacks as well.

The new campaign discovered by the experts presents many similarities with previous ones conducted by the same threat actor, attackers attempted to distribute a backdoor through weaponized Word documents that execute PowerShell scripts.

“In May 2018, we found a new sample (Detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload.” reads the analysis published by Trend Micro.

“One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script(VBS) and PowerShell component files, and instead encode all the scripts on the document itself. The scripts will then be decoded and dropped to execute the payload without needing to download the component files.”

Unlike previous campaigns, the samples don’t directly download the malicious scripts because they are encoded in the document itself.

MuddyWater New

The bait document used in the campaign claims to be a reward or a promotion, a circumstance that suggests the hackers are targeting entities in other industries,

Once the victim opens the document, he is enticed into enabling the macro to view its full content.

“Once the macro is enabled, it will use the Document_Open() event to automatically execute the malicious routine if either a new document using the same template is opened or when the template itself is opened as a document0.” continues the analysis.

The code executes two PowerShell scripts, with the second is used by attackers to drop various components on the compromised machine.

The final payload delivered in the last campaign is the PRB-BackdoorRAT, it was controlled by the command and control (C&C) server at outl00k[.]net.

The backdoor can execute a broad range of commands, including gather browsing history from installed browsers, exfiltrate passwords found in the browser, read and write files, execute shell commands, log keystrokes and capture screenshots.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro concludes.


China-linked Emissary Panda APT group targets National Data Center in Asia
14.6.2018 securityaffairs  APT

A China-linked APT group, LuckyMouse, Emissary Panda, APT27 and Threat Group 3390, has targeted a national data center in Central Asia.
The APT group has been active since at least 2010, the crew targeted U.S. defense contractors and financial services firms worldwide.

In March 2018, security experts at Kaspersky Lab have observed an attack powered by the Chinese APT group, the experts speculate the campaign was started in the fall of 2017.

The attack hit a national data center in an unnamed country in Central Asia, according to Kaspersky, the hackers were preparing a watering hole attack. The hackers attempted to inject malicious JavaScript code into the government websites connected to the data center.

“In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop.” reads the blog post published by Kaspersky.

“We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.”

The attackers compromised the government website to deliver either the Browser Exploitation Framework (BeEF) or the ScanBox reconnaissance framework. At the time of the report, experts were not able to determine the way the hackers breached the government website.

“The websites were compromised to redirect visitors to instances of both ScanBox and BEeF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.” continues the post.

One of the hypotheses formulated by Kaspersky sees the hackers using weaponized Office documents to trigger the CVE-2017-11882 vulnerability, the same issue exploited by other APT groups like the Cobalt hacking group.

The campaign monitored by Kaspersky leveraged a RAT tracked by Kaspersky as HyperBro, the code was associated with other Chinese-speaking threat actors.

The timestamps for these modules are from December 2017 until January 2018.

Emissary Panda data center hack

The main command and control (C&C) server used in this campaign is bbs.sonypsps[.]com which is hosted on an IP address associated with a Ukrainian ISP. The IP address belongs to a MikroTik router running a firmware version 6.34.4 released in March 2016, the device with SMBv1 on board may have been hacked by the Emissary Panda hackers.

“The TTPs for this campaign are quite common for Chinese-speaking actors,” concludes Kaspersky.

“The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.”

Further details, including the IoCs are reported in the analysis published by Kaspersky.


Chinese Cyberspies Target National Data Center in Asia
13.6.2018 securityweek APT

A China-linked cyber espionage group has targeted a national data center in Central Asia and experts believe the goal is to conduct watering hole attacks on the country’s government websites.

The threat actor is tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390. The group has been active since at least 2010, targeting hundreds of organizations around the world, including U.S. defense contractors, financial services firms, a European drone maker, and the U.S.-based subsidiary of a French energy management company.

Researchers at Kaspersky Lab recently identified a new attack carried out by this actor. The security firm spotted the campaign in March 2018, but believes it was launched in the fall of 2017.Chinese hackers attack national data center in Central Asia

The attack targeted a national data center in an unnamed country in Central Asia. Researchers say the goal is likely to inject malicious JavaScript code into the government websites connected to the data center in order to conduct watering hole attacks.

When accessed, the compromised government websites served either the Browser Exploitation Framework (BeEF), a penetration testing suite that focuses on the web browser, or the ScanBox reconnaissance framework.

Kaspersky has not been able to determine how the national data center was breached, but believes the hackers may have used watering hole attacks aimed at the organization’s employees or through weaponized Office documents – the threat group has been spotted using CVE-2017-11882.

The attack involved a piece of malware tracked by Kaspersky as HyperBro, a RAT that has been used by several Chinese-speaking threat actors. The samples analyzed by Kaspersky had timestamps ranging from December 2017 to January 2018, with evidence found by experts suggesting that the malware had made its way to the data center sometime in mid-November 2017.

The main command and control (C&C) server used in this campaign is hosted on an IP address associated with a Ukrainian ISP. Specifically, the IP belongs to a MikroTik router running a firmware version released in March 2016.

“A national data center is a valuable source of data that can also be abused to compromise official websites,” Kaspersky researchers said in a blog post. “Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.”


North Korea-linked Lazarus APT behind recent ActiveX attacks
13.6.2018 securityaffairs APT

North Korea-linked Lazarus APT group planted an ActiveX zero-day exploit on the website of a South Korean think tank focused on national security.
According to researchers at AlienVault, North Korea-linked hackers planted an ActiveX zero-day vulnerability on the website of a South Korean think tank focused on national security.

The experts attributed the attack to the notorious Lazarus APT group in attacks, they pointed out that ActiveX controls are usually disabled on most systems, but the South Korean government authorities demand citizens to enable them.

“Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.” reads the post published by Alien Vault.

“These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.”

Of course, attackers that aimed at South Korean targets could leverage ActiveX controls in their attacks. Many attacks that abused these controls against South Korean targets were attributed to North Korean hackers.

Recently experts observed attacks where hackers leveraged JavaScript code to deploy ActiveX exploit codes.

Initially, local media attributed the attacks to the Andariel gang, a gang that is considered part Lazarus APT group.

The investigation conducted by AlienVault pointed out the Lazarus APT as the threat actor that launched the attacks that abused the ActiveX controls.

The recent attacks featured a profiling script used to gather intelligence on the targets, this attack scheme was commonly used by threat actors including the Lazarus group.

The attackers also used scripts capable of gathering additional information from the potential targets and deliver the ActiveX exploit.

Simon Choi, the founder of the Cyber Warfare Intelligence Center and IssueMakersLab, published a tweet with some details of these scripts.

The expert suggests the initial reconnaissance scripts were deployed in January 2017, while script the malicious ActiveX controls were injected in late April 2018.

Simon Choi
@issuemakerslab
North Korea's Watering Hole Attack History (case, Sejong Institute)

9:21 AM - May 24, 2018
31
17 people are talking about this
Twitter Ads info and privacy
The reconnaissance script allows to identify the browser and operating system running on the target computer, it is based on the PinLady’s Plugin-Detect code. The malicious code is able to detect if Internet Explorer is running on a machine, then to check if ActiveX is enabled, as well as the plugins running from a specific list of ActiveX components.

“Whilst these malicious files have been taken down, a record of the same infection is preserved on urlscan. The malicious script is hidden at http://www.sejong[.]org/js/jquery-1.5.3.min.js.” continues the analysis.

“This script is similar to typical exploit kits – it identifies which browser and operating system the user is running. Much of the code is taken from PinLady’s Plugin-Detect. If a target is running Internet Explorer, it checks if it is enabled to run ActiveX, and what plugins are enabled from a specific list of ActiveX components”

One of the profiling scripts used in the last attacks sends data to a website that was used as a command and control (C&C) server by Lazarus APT malware in 2015.

Choi also shared the ActiveX exploit on Twitter, it was used by attackers to download malware from peaceind[.]co.kr.

“If successful, it downloads malware from: http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php” continues Alien Vault.

“To a file named splwow32.exe. Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable.”

Experts noticed that the malicious code is a backdoor tracked as Akdoor that is designed to execute commands using Command Prompt.

Further details, including IoCs are reported in the analysis published by Alien Vault.


Russia-linked Sofacy APT group adopts new tactics and tools in last campaign
8.6.2018 securityaffairs APT

Sofacy APT group (APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) continues to operate and thanks to rapid and continuously changes of tactics the hackers are able to remain under the radar.
According to experts from Palo Alto Networks, the hackers also used new tools in recent attacks, recently the APT group has shifted focus in their interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

Back to the present, the Sofacy APT group is using a new version of the Zebrocy backdoor written in a C++, attackers adopted the Dynamic Data Exchange (DDE) attack technique to deliver malware.

The DDE attack technique was exploited to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic.

This is the first time that the Russian APT uses the Koadic tool.

“Following up our most recent Sofacy research in February and March of 2018, we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments.” reads the analysis published by Palo Alto Networks.

“This third campaign is consistent with two previously reported attack campaigns in terms of targeting: the targets were government organizations dealing with foreign affairs. In this case however the targets were in different geopolitical regions.”

Palo Alto noticed a change in the tactics used by the hackers, instead of targeting a handful of employees within an organization, they sent phishing messages to “an exponentially larger number of individuals” within the same organization.

Attackers obtained the list of individuals’ emails with simple queries to search engines, this method is also a novelty for the Sofacy APT group.

The researchers linked this campaign to previous attacks, in February Palo Alto Networks reported the Sofacy APT group was hiding infrastructure using random registrant and service provider information in each attack.

“In our February report, we discovered the Sofacy group using Microsoft Office documents with malicious macros to deliver the SofacyCarberp payload to multiple government entities.” continues Palo Alto.

“In that report, we documented our observation that the Sofacy group appeared to use conventional obfuscation techniques to mask their infrastructure attribution by using random registrant and service provider information for each of their attacks. In particular, we noted that the Sofacy group deployed a webpage on each of the domains.”

Sofacy APT

The investigation on this campaign allowed the experts to discover another campaign leveraging the DealersChoice exploit kit and a domain serving the Zebrocy AutoIT downloader.

The version of Zebrocy downloader delivered by this domain is the new one written in C++, the downloader was used to spread the Delphi backdoor hosted at IP address 185.25.50[.]93.

The experts discovered the following hard-coded user agent being used by many samples of Zebrocy targeting the foreign affairs ministry of a large Central Asian nation:

Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko
The experts found two weaponized Office documents implementing the DDE attack technique, the malicious files were used in attacks against a North American government organization dealing with foreign affairs.

Further details, including IoCs are reported in the analysis published by Palo Alto Networks.


North Korea-Linked Covellite APT group stopped targeting organizations in the U.S.
6.6.2018 securityaffairs APT

A North Korea-linked APT group, tracked by experts at industrial cybersecurity firm Dragos as Covellite, has stopped targeting US organizations.
Anyway, the group, that is believed to be linked to the notorious Lazarus APT group, is continuing to target organizations in Europe and East Asia.

The group has been around at least since 2017 and is still active, the APT has targeted civilian electric energy organizations to steal intellectual property and gather intelligence on industrial operations.

Differently, from other threat actors that are focused on industrial control systems, Covellite seems to be not interested in sabotage.

In September 2017, experts from FireEye spotted a wave of attacks launched by the APT group against U.S. electric companies, the phishing messages used weaponized Word documents to deliver a piece of malware.

“COVELLITE compromises networks associated with civilian electric energy worldwide and gathers intelligence on intellectual property and internal industrial operations. COVELLITE lacks an industrial control system (ICS) specific capability at this time.” reads the post published by Dragos.

“COVELLITE operates globally with targets primarily in Europe, East Asia, and North America. US targets emerged in September 2017 with a small, targeted phishing campaign directed at select U.S. electric companies.”

The experts linked the attacks to Pyongyang and confirmed that the group did not show the ability to disrupt power supply.

Covellite

According to Dragos, the infrastructure and the malicious code used by the COVELLITE group are similar to the ones used by the LAZARUS APT GROUP, aka Hidden Cobra.

“technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between COVELLITE and LAZARUS are related.” continues the post.

“Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry,”

Dragos experts have recently published reports on other hacker groups focused on ICS and SCADA systems, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime.


North Korea-linked Andariel APT Group exploited an ActiveX Zero-Day in recent attacks
1.6.2018 securityaffairs APT

A North Korea-linked APT group, tracked as Andariel Group, leveraged an ActiveX zero-day vulnerability in targeted attacks against South Korean entities.
According to a report published by South Korean cyber-security firm AhnLab, the Andariel Group is a division of the dreaded Lazarus APT Group, it already exploited ActiveX vulnerabilities in past attacks

The attackers exploited at least nine separate ActiveX vulnerabilities, including a new zero-day flaw, in a wave of watering hole attacks aimed to infect visitors of compromised websites with a backdoor trojan.

The zero-day vulnerability seems to be connected to a series of attacks against Samsung SDS Acube installations.

Acube is an application developed by Samsung’s enterprise division widely used in South Korean enterprises that supports ActiveX controls to implement interactive features.

“According to the security industry, from late last month until this month, attacks against North Korean research institutes and websites have been spotlighted.” reported the local media DDaily.

“The attacker, who is believed to be carrying the Andaleri Group, exploited about 9 ActiveX vulnerabilities, including Samsung SDS “eCube”, and tried to collect information through a water ring attack.”


The malicious code was used to control the infected systems and gather intelligence.

“The zero-day vulnerability has been found in this attack, but it is unclear whether the attacker actually used it,” said a government official from the Korea Internet & Security Agency (KISA).

Simon Choi
@issuemakerslab
Operation GoldenAxe. North Korea's cyber attack only on South Korea (using ActiveX vuln) from 2007 to 2018.

10:28 AM - May 29, 2018
36
30 people are talking about this
Twitter Ads info and privacy
Samsung addressed the Acube zero-day flaw with the release of an update, while South Korea’s CERT team has issued a security advisory for the zero-day issue.

North Korea-linked APT groups are among the most active threat actors, recently the US-CERT issued an alert on two malware associated with North Korea-linked APT Hidden Cobra, the Brambul and Joanap.


US-CERT issued an alert on two malware associated with North Korea-linked APT Hidden Cobra
30.5.2018 securityaffairs APT  

The Department of Homeland Security (DHS) and the FBI issued a joint Technical alert on two strain on malware, the Joanap backdoor Trojan and Brambul Server Message Block worm, associated with the HIDDEN COBRA North Korea-linked APT group.

The US-CERT alert reads:

“Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government:

a remote access tool (RAT), commonly known as Joanap; and
a Server Message Block (SMB) worm, commonly known as Brambul.”
“The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.”

Hidden Cobra

The government experts have identified a range of IP addresses and other indicators of compromise (IOCs) associated with the two families of malware.

The first threat tracked as “Joanap” is a two-stage RAT that uses peer-to-peer communications to manage botnets and perform malicious activities such as data exfiltration, installation of further payloads and establish proxy communications on compromised Windows systems.

“Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.” states the alert.

The second malware analyzed by the government researchers is a Windows 32-bit Server Message Block (SMB) worm called “Brambul”.

Brambul is used as a service dynamic link library file or a portable executable file often dropped and installed onto target networks by dropper malware.

“When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.” states the ransomware.

Network administrators could use the IOCs included in the alert to detect both Joanap and Brambul malware and prevent infections.


Turla APT group leverages for the first time the Metasploit framework for the Mosquito campaign
24.5.2018 securityaffairs APT

Security experts from ESET observed the Turla APT group leveraging for the first time the Metasploit framework in the Mosquito campaign
The Russia-linked Turla APT group continues its cyber espionage campaigns shifting towards more generic tools to remain under the radar.
Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

The Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

In the most recent attacks, the group is packaging its macOS backdoor with a real Adobe Flash installer and downloading the malware on victim systems from endpoint systems that use a remote IP belonging to Akamai, the Content Delivery Network that is also used by Adobe for its supply chain. Legitimate Flash installer, in fact, are also distributed through the Akamai network.

In January experts observed the APT group employing Adobe Flash Installer and an ingenious social engineering technique, to deliver a backdoor served from what appears to be legitimate Adobe URLs and IP addresses.

Starting in March 2018, the experts from ESET observed a significant change in the campaign: the hackers are leveraging the popular open source exploitation framework Metasploit in a campaign that spread the Mosquito backdoor.
This is the first time the Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper.
Mosquito campaign still leverages fake Flash installer that hides the Turla backdoor.

When victims download the Flash installer from get.adobe.com through HTTP attackers intercept the traffic to serve a tainted version of the legitimate Flash executable.

Turla APT

“At the beginning of March 2018, as part of our regular tracking of Turla’s activities, we observed some changes in the Mosquito campaign.”

“Recently, we observed a change in the way in which the final backdoor is dropped. Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer.” reads the report published by ESET. “Then, the shellcode downloads a Meterpreter, which is a typical Metasploit payload [6], allowing the attacker to control the compromised machine. Finally, the machine may receive the typical Mosquito backdoor.”

Turla APT 2.png

Attackers control the exploitation process manually through the use of the Metasploit framework, the overall time frame of the attack was relatively short. According to ESET, the attackers are able to deliver the final backdoor in just thirty minutes.

“The shellcode is a typical Metasploit shellcode, protected using the shikata_ga_nai encoder [7] with seven iterations. Once the shellcode is decoded, it contacts its C&C at https://209.239.115[.]91/6OHEJ, which directs the download of an additional shellcode.” continues the report.

“Based on our telemetry, we identified the next stage to be a Meterpreter. That IP address is already known as a previously seen Mosquito C&C domain, psychology-blog.ezua[.]com, was resolving to it in October 2017. Finally, the fake Flash installer downloads a legitimate Adobe installer, from a Google Drive URL, and executes it to lull the user into thinking all went correctly.”

Experts noticed that in addition to the new fake Flash installer and Meterpreter, the hackers used many other tools, including:

A custom executable that only contains the Metasploit shellcode. This is used to maintain access to a Meterpreter session. It is saved to C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msupdateconf.exe, granting the executable persistence.
Another custom executable used to execute PowerShell scripts.
The Mosquito JScript backdoor that uses Google Apps Script as its C&C server.
Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8].
Further details, including IoC are included in the report.


Justice Department announces actions to disrupt the VPNFilter botnet
24.5.2018 securityaffairs APT 
Virus

The Justice Department announced an effort to disrupt the VPNFilter botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a Russia-linked APT group.
Yesterday Talos and other security firm revealed the discovery of a huge botnet tracked as VPNFilter composed of more than 500,000 compromised routers and network-attached storage (NAS) devices, now more details emerged on the case.

The experts believe the VPNFilter was developed by Russia, the associated malware compromised devices across 54 countries, most of them in Ukraine.

On May 8, Talos researchers observed a spike in VPNFilter infection activity, most infections in Ukraine and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

The US Justice Department announced it had seized a domain used as part of the command and control infrastructure, it explicitly refers the Russian APT groups (APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group) as the operators behind the huge botnet,

“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”).” reads the press release published by the DoJ.

“Today’s announcement highlights the FBI’s ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said Assistant Director Scott Smith. “By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI’s work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

The VPNFilter botnet targets SOHO routers and network-access storage (NAS) devices and uses several stages of malware. The experts highlighted that the second stage of malware that implements malicious capabilities can be cleared from a device by rebooting it, while the first stage of malware implements a persistence mechanism.

The Justice Department had obtained a warrant authorizing the FBI to seize the domain that is part of the command and control infrastructure of the VPNFilter botnet.

Technically the operation conducted by the US authorities is called “sink holing,” the seizure of the domain will allow law enforcement and security experts to analyze the traffic associated with the botnet to gather further info on the threat and temporarily neutralize it.

“In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure.” continues the DoJ.

“This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).”

The owners of the compromised SOHO and NAS devices should reboot their devices as soon as possible, the operation will temporarily remove the second stage malware and will cause the first stage malware to connect the C&C domain for instructions.

“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.” continues the DoJ.

VPNFilter malware

Experts are particularly concerned by the destructive features implemented by the malware that could allow attackers to burn users’ devices to cover up their tracks.

Experts believe that the attack could be launched by threat actors during the Ukrainian celebration of the Constitution Day, last year the NotPetya wiper attack was launched on the same period.

Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that by seizing control of one of the domains involved in running VNPFilter, it will give owners of infected routers a chance to reboot them, forcing them to begin communicating with the now-neutralized command domain.

The vulnerability will remain, Justice said, but the move will allow them more time to identify and intervene in other parts of the network.


North Korea-linked Sun Team APT group targets deflectors with Android Malware
23.5.2018 securityaffairs  APT

A North Korea-linked APT group tracked as Sun Team has targeted North Korean deflectors with a malicious app that was published in the official Google Play store.

The campaign, named RedDawn by security experts at McAfee, is the second campaign attributed conducted by the same APT group this year.

Experts noticed that this is the first time the APT abused the legitimate Google Play Store as the distribution channel. In a past campaign spotted in January, a group of North Korean deflectors and journalists was targeted via social networks, email, and chat apps.

Researchers at McAfee discovered that the malware was on Google Play as ‘unreleased’ versions and it accounts for only around 100 infections, they also notified it to Google that has already removed the threat from the store.

Once installed, the malware starts copying sensitive information from the device, including personal photos, contacts, and SMS messages, and then sends them to the threat actors.

McAfee found that the hackers managed to upload three applications to Google Play – based on the email accounts and Android devices used in the previous attack. The apps include Food Ingredients Info, Fast AppLock, and AppLockFree. They stayed in Google Play for about 2 months before being removed.

“Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.” reads the post published by the security firm.

“We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack.”

The experts discovered three apps in the app store, the first one named 음식궁합 (Food Ingredients Info), provides information about food, the remaining apps, Fast AppLock and AppLockFree, are security applications.

While the 음식궁합 and Fast AppLock apps are data stealer malware that receives commands and additional executable (.dex) files from a cloud control server, the AppLockFree is a reconnaissance malware that prepares the installations to further payloads.

The malware spread to friends, asking them to install the malicious apps and offer feedback via a Facebook account with a fake profile promoted 음식궁합.

“After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks.” continues the report. “From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January,”

The logs collected by the malicious apps appear similar to other logs associated with the Sun Team APT group, in an apparently poor opsec the attackers used email addresses for malware’ developers associated with the North Korea group.

Sun Team malware-campaign

Of course, we cannot exclude that this is an intentional false flag to make hard the attribution of the attack.

The malware used in this campaign has been active at least since 2017, researchers observed numerous versions of the same code.

Threat actors are not native South Korean, but familiar with the culture and language.

“In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV.” continues the analysis published by McAfee,

“These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.”

The attackers tested their malware in with mobile devices from several while the exploit code found in a cloud storage revealed modified “versions of publicly available sandbox escape, privilege escalation, code execution exploits.”

Some of the exploits were modified by the attackers, but experts believe that developers are currently not skillful enough to develop their own zero-day exploits,

The Sun Team hackers were observed creating fake accounts using photos from social networks and the identities of South Koreans. In addition to stealing identities, the hackers are using texting and calling services to generate virtual phone numbers that allow them to sign up for online services in South Korea.


Russia-linked Hackers Exploit Lojack Recovery Tool in Attacks
7.5.2018 securityweek APT 
Exploit  CyberSpy

Recently discovered “Lojack” agents containing malicious command and control (C&C) servers point to the Russian cyber-espionage group Sofacy, according to NETSCOUT Arbor.

Previously known as Computrace, Lojack is a legitimate laptop recovery solution used by companies looking to protect assets should they be lost or stolen. It can be used to locate and lock devices remotely, as well as to delete files.

Lojack represents a great double-agent because it is usually considered legitimate software but also allows for remote code execution, NETSCOUT Arbor's Security Engineering and Research Team (ASERT) points out. Moreover, the tool can survive hard drive replacements and operating system re-imaging.

Many of the anti-virus vendors in VirusTotal don’t flag the Lojack executable as malicious, but rather consider it as “not-a-virus” or “Risk Tool.” Additionally, with binary modification of the “small agent” considered trivial, it’s clear that attackers would consider the tool a viable target.

“With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent. The attacker simply needs to stand up a rogue C&C server that simulates the Lojack communication protocols. Finally, Lojack’s ‘small agent’ allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C&C server,” ASERT notes.

The ASERT security researchers observed five Lojack agents that were pointing to four different suspected domains, three of which have been tied to Sofacy.

Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the threat actor is believed to have targeted the 2016 U.S. presidential election, as well as Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, including with zero-day exploits. The group was also observed shifting focus towards the Middle East and Central Asia last year.

In March 2018, a security researcher revealed that Sofacy attacks overlap with other state-sponsored operations, after the group’s Zerbrocy malware was found on machines compromised by Mosquito, a backdoor associated with the Turla threat actor.

“ASERT assesses with moderate confidence that the rogue Lojack agents are attributed to Fancy Bear based on shared infrastructure with previous operations,” the security researchers say.

Only the presence of a rogue C&C makes the samples malicious, as attackers are merely hijacking the communication used by Lojack, the researchers say. Several of the domains extracted from the rogue agents trace back to Sofacy operations: elaxo[.]org, ikmtrust[.]com, and lxwo[.]org (tied to the group last year), and sysanalyticweb[.]com (spotted only recently).

Although the hijack of the software for malicious purposes is a publicly known tactic, similarities in the binary comparisons and infrastructure analysis increase the possibility that the same actor was behind them.

The domains are associated with the same Lojack agent utilizing the same compile time, contain nonsensical Registrant information (the same information found in multiple fields), a similar nonsensical word used in the Registrant Name field is also used for the Registrant Organization (the field is often skipped, but this actor regularly utilizes both fields).

“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple ‘Risk Tool’, rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems,” ASERT concludes.


A new report sheds the lights on state-sponsored Chinese APTs under Winnti umbrella
7.5.2018 securityaffairs APT

Security experts at 401TRG, the threat research and analysis team at ProtectWise, have discovered links between several Chinese APT groups under the Winnti umbrella.
The experts analyzed several campaigns conducted by the cyber espionage groups over the last years and associated their activities with the Chinese Government, in one case the nation-state actor was working from the Xicheng District of Beijing.

According to the report published by ProtectWise, various threat groups previously attributed to Chinese-speaking actors are all linked to Chinese Intelligence and are referenced as ‘Winnti umbrella.’

“These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus.” reads the report.

“The Chinese intelligence apparatus has been reported on under many names, including Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF.”

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad. The groups show similar tactics, techniques, and Procedures (TTPs) and in some cases shared portions of the same hacking infrastructure.

“We assess with medium to high confidence that the various operations described in this report are the work of individual teams, including contractors external to the Chinese government, with varying levels of expertise, cooperating on a specific agenda.” continues the report.

The APT groups have been active since at least 2009 and initially targeted organizations in the gaming sector and high-tech firms in the United States, Japan, South Korea and China. The main targets of the Winnti umbrella are political, such as Uyghur and Tibetan activists, Tibetan and Chinese journalists, the government of Thailand and major international tech companies.

“The primary goal of these attacks was likely to find code-signing certificates for signing future malware. The secondary goals of the attackers depended on the type of victim organization, but were often financial.” reads the report.

The Winnti umbrella attackers are very active, one of the most recent phishing campaigns, uncovered in March, targeted at Office 365 and Gmail accounts instead delivering a malware.

Winnti Umbrella

In general, hackers aim to obtain credentials to a victim’s cloud storage that could be used for attacks later in presence of valueless cloud storage.

According to the report, the attribution of the attack was possible thanks to some opsec mistakes.

“However, we have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the net block was 221.216.0.0/13, the China Unicom Beijing Network, Xicheng District.”

“the Winnti umbrella and its associated entities remain an advanced and potent threat. We hope that the information contained within this report will help defenders thwart this group in the future.” concluded the report.


Researchers Link Several State-Sponsored Chinese Spy Groups
7.5.2018 securityweek APT  BigBrothers

Researchers have discovered links between several cyber espionage groups believed to be sponsored by the Chinese government and found that at least some of them may be working from the Xicheng District of Beijing.

A report published last week by 401TRG, the threat research and analysis team at ProtectWise, revealed links between several campaigns conducted over the past decade. Researchers claim that various threat groups previously attributed to Chinese-speaking actors are all connected to China’s state intelligence apparatus under what they call the “Winnti umbrella.”

Threat actors such as Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad are all believed to be part of the Winnti umbrella based on the use of similar tactics, techniques, and procedures (TTPs), and overlaps in infrastructure and operations. Experts believe they are “the work of individual teams, including contractors external to the Chinese government, with varying levels of expertise, cooperating on a specific agenda.”

These hacker groups have been active since at least 2009 – possibly as early as 2007 – and their initial targets are often gaming studios and high-tech companies located in countries such as the United States, Japan, South Korea and China. The main goal appears to be harvesting code-signing certificates and manipulating software, with a secondary objective of financial gain.

Researchers said the Winnti umbrella’s main targets appear to be political, such as Uyghur and Tibetan activists, Tibetan and Chinese journalists, the government of Thailand (e.g. Bookworm), and major international tech companies.

These groups continue to launch campaigns, with operations seen as recently as late March. In the attacks observed this year, the hackers have focused on phishing – particularly targeted at Office 365 and Gmail accounts – rather than malware and exploits.

The cyberspies often target cloud storage accounts from which they hope to obtain code-signing certificates. In some cases, they also seek files and documents that could help them escalate privileges and move laterally within the victim’s network.

While the attackers have taken steps to hide their identity, they have made some mistakes, providing investigators important clues about their possible location.

“In the attackers’ ideal situation, all remote access occurs through their own C2 infrastructure, which acts as a proxy and obscures their true location,” 401TRG said in its report. “However, we have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the net block was 221.216.0.0/13, the China Unicom Beijing Network, Xicheng District.”


New ZooPark APT targets Android users in Middle East since 2015
5.5.2018 securityaffairs APT

Security researchers from Kaspersky Lab have uncovered a new cyber-espionage APT group tracked ZooPark that targeted entities in the Middle East during the past three years.
ZooPark APT has been active at least since 2015 and has shown a growing level of sophistication across the years.

“ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.” reads the report published by Kaspersky

Hackers mainly used waterhole attacks as infection vector, the experts discovered several news websites that have been compromised to redirect visitors to a downloading site that delivered the final malware.

Most of the victims were located in Egypt, Jordan, Morocco, Lebanon, and Iran.

ZooPark infographic

“Some of the malicious ZooPark apps are being distributed from news and political websites popular in specific parts of the Middle East. They are disguised as legitimate apps with names like ‘TelegramGroups’ and ‘Alnaharegypt news’, among others, recognized in and relevant to some Middle Eastern countries” reads the press release published by Kaspersky.

Experts identified 4 different phases in the activity of the group:

2015 – pretty simple malware
ZooPark hackers distributed a very simple variant of the Android malware that was only able to steal accounts details registered on the victim device and contacts from the address book. The malicious app was disguised as the official Telegram application.

2016 – lightweight spyware
ZooPark implemented new features for its malware focused on cyber espionage.

“This new version is similar to the previous. The main difference is the inclusion of new
spying features such as exfiltrate GPS location, SMS messages, call logs and some extra general information” continues the report.

2016 – commercial fork
The APT fork a version of the Spymaster Pro commercial spyware app, experts noticed several similarities between the commercial malware and the APT Android malware.

The main difference is the usage of their own C&C server.

2017 – modern spyware
ZooPark developers dropped the 2016 version resulting from the commercial fork and added major changes and improvements to the 2016 lightweight spyware.

“This malware variant represents a significant improvement on version 2.0, which seems to indicate that version 3.0 was some kind of fork.” added Kaspersky.

“This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware,”

Kaspersky speculates the latest version was improved with the code bought from firms offering surveillance software.

“This suggests the latest version may have been bought from vendors of specialist surveillance tools. That wouldn’t be surprising, as the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East.” concluded the report.


Who’s who in the Zoo

4.5.2018 Kaspersky APT  CyberSpy
Cyberespionage operation targets Android users in the Middle East
ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind the operation infect Android devices using several generations of malware, with the attackers including new features in each iteration. We label them from v1-v4, with v4 being the most recent version deployed in 2017. From the technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, the commercial spyware fork in its third version and then to the complex spyware that is version 4. This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

Evolution of ZooPark malware features

We have observed two main distribution vectors for ZooPark – Telegram channels and watering holes. The second one was the preferred vector: we found several news websites that have been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs. Some of the themes observed in campaign include “Kurdistan referendum”, “TelegramGroups” and “Alnaharegypt news”, among others.

Target profile has evolved during the last years of campaign, focusing on victims in Egypt, Jordan, Morocco, Lebanon and Iran.

ZOO. CYBERESPIONAGE OPERATION PDF


Fancy Bear abuses LoJack security software in targeted attacks
3.5.2018 securityaffairs APT

Recently, several LoJack agents were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.
LoJack for laptops is a security software designed to catch computer thieves, but it could be theoretically abused to spy on legitimate owners of the device.

LoJack could be used to locate a stolen laptop, lock it or wipe its content, it is a precious application for enterprises that want to implement an additional protection of their assets.

What about an intelligence agency or nation-state actors are able to hack into such kind of software?

According to experts at Netscout Arbor Networks, recently, several LoJack agents (rpcnetp.exe) were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

“ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.” reads the report published by Netscout.

“ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains. Fancy Bear has been tied to three of the domains in the past.”

Five LoJack agents discovered by the experts were pointing to four C&C servers, three of which have been associated with past campaigns conducted by the Fancy Bear APT group.

Lojack

This circumstance leads the experts into believing that nation-state hackers have installed a backdoor in certain copies of LoJack to use it as a surveillance tool, likely as a part of a cyber espionage campaign.

According to the experts, the analysis of the samples revealed that attackers haven’t added additional functionality into the binary. Researchers published yara rule to help administrators in identifying Lojack samples abused by hackers.

“The LoJack agent protects the hardcoded [command-and-control] URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content,” the report says. “Once an attacker properly modifies this value then the double-agent is ready to go.” continues the analysis.

The abuse of such kind of software for cyber espionage is very dangerous and insidious, common anti-malware products and security applications whitelist them.

“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple “Risk Tool”, rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems.” concluded the experts.

At the time of writing, the initial attack vector is still unclear.


Op GhostSecret – ThaiCERT seized a server used by North Korea Hidden Cobra APT group in the Sony Picture hack
30.4.2018 securityaffairs APT

The Thai authorities with the support of the ThaiCERT and security first McAfee have seized a server used by North Korean Hidden Cobra APT as part of the Op GhostSecret campaign.
The Thai authorities with the support of the ThaiCERT have seized a server used by North Korean hackers in the attack against Sony Picture.

The server was located in a Thai university and allegedly used as part of a North Korean hacking campaign conducted by the Hidden Cobra APT group.

According to the authorities, the server was used by the Hidden Cobra APT group as command and control in the GhostSecret campaign.

The identification of the server was the result of the investigation conducted by experts at McAfee that analyzed the Operation GhostSecret searching for infrastructures involved worldwide.

“Our investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.” reads the report published by McAfee.

“Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203[.]131[.]222[.]83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack.”

Op GhostSecret North Korea Hidden Cobra APT

According to a security advisory published by the ThaiCERT, the operation GhostSecret kicked off in February 2018. McAfee identified three IP addresses (203.131.222.95, 203.131.222.109, and 203.131.222.83) belonging to Thammasat University that are associated with the Thai activity.

Researchers at McAfee reported the IP addresses of the command and control servers involved in the GhostSecret.

GhostSecret operation first targeted the Turkish financial sector in February 2018, during the period from 14 to 18 March 2018 it targeted entities in more than 17 countries, including Thailand and according to the experts it is still active.

According to McAfee, the Operation GhostSecret is a global data reconnaissance campaign targeting critical infrastructure, entertainment, finance, healthcare, and telecommunications worldwide. The hackers behind Operation GhostSecret leverage multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra.

McAfee has also discovered a new Destover malware implant variant with capabilities similar to the Bankshot malware and that resembles parts of the Destover malware.

Furthermore, the experts at the Advanced Threat Research team have discovered an undocumented implant tracked as Proxysvc that operated undetected since mid-2017.

ThaiCERT along with local authorities and McAfee researchers are currently analyzing the content of the seized server.


Researchers Dissect Tool Used by Infamous Russian Hacker Group
28.4.2018 securityweek  APT

Sofacy’s First-Stage Malware Zebrocy Analyzed

ESET security researchers have taken a deep dive into one of the tools heavily used by the Russian threat actor Sofacy over the past couple of years.

Dubbed Zebrocy, the tool serves as a first-stage malware in attacks and is comprised of a Delphi downloader, an AutoIt downloader and a Delphi backdoor. Used in multiple attacks, the malicious program often acts as a downloader for the actor’s main backdoor, Xagent.

Also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium, and active since around 2007, the group is focused on cyber espionage and has hit government, military, and defense organizations worldwide.

Supposedly the actor behind attacks targeting the 2016 presidential election in the United States, Sofacy has been known to target Ukraine and NATO countries, and has recently switched focus to targets in Asia.

Coexisting with another Sofacy first-stage tool, Seduploader, the Zebrocy malware has been used in attacks against victims in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay and Zimbabwe, ESET reveals.

Zebrocy is usually delivered via emails carrying malicious attachments and users are lured into opening them. These are either Microsoft Office documents that deliver the payload via VBA macros, exploits, or Dynamic Data Exchange (DDE), or archives containing executables with an icon and a document-like filename.

Once the malicious attachment is executed, the first stage of the Zebrocy family is delivered: a Delphi downloader (in some attacks the AutoIt stage was used directly). The downloader is usually masked using document or Windows library icons and some samples are packed with UPX.

When launched, the malware displays a splash window with a bogus error message to distract the user. In the background, however, the malware drops a file under %TEMP% and adds a Windows registry to achieve persistence. It also gathers information on the compromised system and sends it to the command and control (C&C) server via a HTTP POST request.

If the target is considered of interest, the C&C responds with the next stage, the AutoIt downloader, which acts as another layer of the reconnaissance phase. Packing all of the functionality of the Delphi downloader and even more, the AutoIt downloader is sometimes used as the first stage instead.

The tool can detect sandbox and virtual environments and retrieve system information such as: a list of installed software, Windows version (32-bit or 64-bit), process list, hard drive information, and screenshots, along with various details about the computer, gathered using Windows Management Instrumentation (WMI) objects.

The Delphi backdoor, which is the last stage of the Zebrocy chain of components, has an internal versioning number, unrelated to the campaign it is used in. It embeds configuration data such as: AES keys for C&C communication, URLs, malware version, persistence windows registry key/value, path to store temporary files, and the names of hidden directories to be created to store temporary files.

Once set up, the malware executes callback functions via the Windows API function SetTimer, allowing the attackers to handle features and commands: take a screenshot of the desktop, capture keystrokes, list drives/network resources, read/write into Windows registry, copy/move/delete a file system object, and execute files or create scheduled tasks.

The backdoor supports around 30 commands, which differ from one version to another. For communication purposes, the malware stores the report of these functions on a temp file, then reds the file content and sends it to the C&C.

Zebrocy might be the successor of another malware components written in Delphi that Sofacy is known have used, namely Downdelph. The tool was last seen in September 2015, two months before Zebrocy emerged and both malware families also use a similar deployment method, the researchers note.

“We have seen Zebrocy being heavily used by the Sednit group over the last two years. Our analysis of the many new variants that appeared on a regular basis since 2017 clearly indicates that Zebrocy is being actively maintained and improved by its author(s). We can consider it as one of the stable, mature tools in Sednit’s arsenal, a tool that deserves to be monitored closely,” ESET concludes.


Energetic Bear/Crouching Yeti: attacks on servers
24.4.18 Kaspersky APT

Energetic Bear/Crouching Yeti: attacks on servers PDF

Energetic Bear/Crouching Yeti is a widely known APT group active since at least 2010. The group tends to attack different companies with a strong focus on the energy and industrial sectors. Companies attacked by Energetic Bear/Crouching Yeti are geographically distributed worldwide with a more obvious concentration in Europe and the US. In 2016-2017, the number of attacks on companies in Turkey increased significantly.

The main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes – to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group’s main targets.

Recent activity of the group against US organizations was discussed in a US-CERT advisory, which linked the actor to the Russian government, as well as an advisory by the UK National Cyber Security Centre.

This report by Kaspersky Lab ICS CERT presents information on identified servers that have been infected and used by the group. The report also includes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016 and in early 2017.

Attack victims
The table below shows the distribution of compromised servers (based on the language of website content and/or the origins of the company renting the server at the time of compromise) by countries, attacked company types and the role of each server in the overall attack scheme. Victims of the threat actor’s attacks were not limited to industrial companies.

Table 1. Compromised servers

Country Description Role in the attack
Russia Opposition political website Waterhole
Real estate agency Auxiliary (collecting user data in the waterhole attack)
Football club Waterhole
Developer and integrator of secure automation systems and IS consultant Waterhole
Developers of software and equipment Auxiliary (collecting user data in the waterhole attack, tool hosting)
Investment website Auxiliary (collecting user data in the waterhole attack)
Ukraine Electric power sector company Waterhole
Bank Waterhole
UK Aerospace company Waterhole
Germany Software developer and integrator Waterhole
Unknown Auxiliary (collecting user data in the waterhole attack)
Turkey Oil and gas sector enterprise Waterhole
Industrial group Waterhole
Investment group Waterhole
Greece Server of a university Auxiliary (collecting user data in the waterhole attack)
USA Oil and gas sector enterprise Waterhole
Unknown Affiliate network site Auxiliary (collecting user data in the waterhole attack)
Waterhole
All waterhole servers are infected following the same pattern: injecting a link into a web page or JS file with the following file scheme: file://IP/filename.png.

Injected link with the file scheme

The link is used to initiate a request for an image, as a result of which the user connects to the remote server over the SMB protocol. In this attack type, the attackers’ goal is to extract the following data from the session:

user IP,
user name,
domain name,
NTLM hash of the user’s password.
It should be noted that the image requested using the link is not physically located on the remote server.

Scanned resources
Compromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).

Table 2. Resources that were scanned from one of the infected servers

Country
(based on the content) Description
Russia Non-profit organization
Sale of drugs
Travel/maps
Resources based on the Bump platform (platform for corporate social networks) – non-profit organization, social network for college/university alumni, communication platform for NGOs, etc.
Business – photographic studio
Industrial enterprise, construction company
Door manufacturing
Cryptocurrency exchange
Construction information and analysis portal
Personal website of a developer
Vainah Telecom IPs and Subnets (Chechen Republic)
Various Chechen resources (governmental organizations, universities, industrial enterprises, etc.)
Web server with numerous sites (alumni sites, sites of industrial and engineering companies, etc.)
Muslim dating site
Brazil Water treatment
Turkey Hotels
Embassy in Turkey
Software developer
Airport website
City council website
Cosmetics manufacturer
Religious website
Turktelekom subnet with a large number of sites
Telnet Telecom subnet with a large number of sites
Georgia Personal website of a journalist
Kazakhstan Unknown web server
Ukraine Office supplies online store
Floral business
Image hosting service
Online course on sales
Dealer of farming equipment and spare parts
Ukrainian civil servant’s personal website
Online store of parts for household appliance repair
Timber sales, construction
Tennis club website
Online store for farmers
Online store of massage equipment
Online clothes store
Website development and promotion
Online air conditioner store
Switzerland Analytical company
US Web server with many domains
France Web server with many domains
Vietnam Unknown server
International Flight tracker
The sites and servers on this list do not seem to have anything in common. Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers’ tools and, subsequently, to develop the attack.

Part of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.

In some cases, the domains scanned were hosted on the same server; sometimes the attackers went through the list of possible domains matching a given IP.

In most cases, multiple attempts to compromise a specific target were not identified – with the possible exception of sites on the Bump platform, flight tracker servers and servers of a Turkish hotel chain.

Curiously, the sites scanned included a web developer’s website, kashey.ru, and resources links to which were found on this site. These may have been links to resources developed by the site’s owner: www.esodedi.ru, www.i-stroy.ru, www.saledoor.ru

Toolset used
Utilities
Utilities found on compromised servers are open-source and publicly available on GitHub:

Nmap – an open-source utility for analyzing the network and verifying its security.
Dirsearch — a simple command-line tool for brute forcing (performing exhaustive searches of) directories and files on websites.
Sqlmap — an open-source penetration testing tool, which automates the process of identifying and exploiting SQL injection vulnerabilities and taking over database servers.
Sublist3r — a tool written in Python designed to enumerate website subdomains. The tool uses open-source intelligence (OSINT). Sublist3r supports many different search engines, such as Google, Yahoo, Bing, Baidu and Ask, as well as such services as Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. The tool helps penetration testers to collect information on the subdomains of the domain they are researching.
Wpscan — a WordPress vulnerability scanner that uses the blackbox principle, i.e., works without access to the source code. It can be used to scan remote WordPress sites in search of security issues.
Impacket — a toolset for working with various network protocols, which is required by SMBTrap.
SMBTrap — a tool for logging data received over the SMB protocol (user IP address, user name, domain name, password NTLM hash).
Commix — a vulnerability search and command injection and exploitation tool written in Python.
Subbrute – a subdomain enumeration tool available for Python and Windows that uses an open name resolver as a proxy and does not send traffic to the target DNS server.
PHPMailer – a mail sending tool.
In addition, a custom Python script named ftpChecker.py was found on one of the servers. The script was designed to check FTP hosts from an incoming list.

Malicious php files
The following malicious php files were found in different directories in the nginx folder and in a working directory created by the attackers on an infected web servers:

File name Brief description md5sum Time of the latest file change (MSK) Size, bytes
ini.php wso shell+ mail f3e3e25a822012023c6e81b206711865 2016-07-01 15:57:38 28786
mysql.php wso shell+ mail f3e3e25a822012023c6e81b206711865 2016-06-12 13:35:30 28786
opts.php wso shell c76470e85b7f3da46539b40e5c552712 2016-06-12 12:23:28 36623
error_log.php wso shell 155385cc19e3092765bcfed034b82ccb 2016-06-12 10:59:39 36636
code29.php web shell 1644af9b6424e8f58f39c7fa5e76de51 2016-06-12 11:10:40 10724
proxy87.php web shell 1644af9b6424e8f58f39c7fa5e76de51 2016-06-12 14:31:13 10724
theme.php wso shell 2292f5db385068e161ae277531b2e114 2017-05-16 17:33:02 133104
sma.php PHPMailer 7ec514bbdc6dd8f606f803d39af8883f 2017-05-19 13:53:53 14696
media.php wso shell 78c31eff38fdb72ea3b1800ea917940f 2017-04-17 15:58:41 1762986
In the table above:

Web shell is a script that allows remote administration of the machine.
WSO is a popular web shell and file manager (it stands for “Web Shell by Orb”) that has the ability to masquerade as an error page containing a hidden login form. It is available on GitHub:
https://github.com/wso-shell/WSO

Two of the PHP scripts found, ini.php and mysql.php, contained a WSO shell concatenated with the following email spamming script:

https://github.com/bediger4000/php-malware-analysis/tree/master/db-config.php

All the scripts found are obfuscated.

wso shell – error_log.php

Deobfuscated wso shell – error_log.php

One of the web shells was found on the server under two different names (proxy87.php and code29.php). It uses the eval function to execute a command sent via HTTP cookies or a POST request:

Web shell – proxy87.php

Deobfuscated web shell – proxy87.php

Modified sshd
A modified sshd with a preinstalled backdoor was found in the process of analyzing the server.

Patches with some versions of backdoors for sshd that are similar to the backdoor found are available on GitHub, for example:

https://github.com/jivoi/openssh-backdoor-kit

Compilation is possible on any OS with binary compatibility.

As a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a ‘master password’ to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).

In addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the ‘master password’), including connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.

Decrypted log at /var/tmp/.pipe.sock

Activity of the attackers on compromised servers
In addition to using compromised servers to scan numerous resources, other attacker activity was also identified.

After gaining access to the server, the attackers installed the tools they needed at different times. Specifically, the following commands for third-party installations were identified on one of the servers:

apt install traceroute
apt-get install nmap
apt-get install screen
git clone https://github.com/sqlmapproject/sqlmap.git
Additionally, the attackers installed any packages and tools for Python they needed.

The diagram below shows times of illegitimate logons to one of the compromised servers during one month. The attackers checked the smbtrap log file on working days. In most cases, they logged on to the server at roughly the same time of day, probably in the morning hours:

Times of illegitimate connections with the server (GMT+3)

In addition, in the process of performing the analysis, an active process was identified that exploited SQL injection and collected data from a database of one of the victims.

Conclusion
The findings of the analysis of compromised servers and the attackers’ activity on these servers are as follows:

With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
The diversity of victims may indicate the diversity of the attackers’ interests.
It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.
Appendix I – Indicators of Compromise
Filenames and Paths
Tools*
/usr/lib/libng/ftpChecker.py
/usr/bin/nmap/
/usr/lib/libng/dirsearch/
/usr/share/python2.7/dirsearch/
/usr/lib/libng/SMBTrap/
/usr/lib/libng/commix/
/usr/lib/libng/subbrute-master/
/usr/share/python2.7/sqlmap/
/usr/lib/libng/sqlmap-dev/
/usr/lib/libng/wpscan/
/usr/share/python2.7/wpscan/
/usr/share/python2.7/Sublist3r/

*Note that these tools can also be used by other threat actors.

PHP files:
/usr/share/python2.7/sma.php
/usr/share/python2.7/theme.php
/root/theme.php
/usr/lib/libng/media.php

Logs
/var/tmp/.pipe.sock

PHP file hashes
f3e3e25a822012023c6e81b206711865
c76470e85b7f3da46539b40e5c552712
155385cc19e3092765bcfed034b82ccb
1644af9b6424e8f58f39c7fa5e76de51
2292f5db385068e161ae277531b2e114
7ec514bbdc6dd8f606f803d39af8883f
78c31eff38fdb72ea3b1800ea917940f

Yara rules
rule Backdoored_ssh {
strings:
$a1 = “OpenSSH”
$a2 = “usage: ssh”
$a3 = “HISTFILE”
condition:
uint32(0) == 0x464c457f and filesize<1000000 and all of ($a*)
}

Appendix II – Shell script to check a server for tools
Shell script for Debian
cd /tmp
workdir=428c5fcf495396df04a459e317b70ca2
mkdir $workdir
cd $workdir
find / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null
find / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null
find / -type d -iname nmap > find-nmap.txt 2>/dev/null
find / -type d -iname wpscan > find-wpscan.txt 2>/dev/null
find / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null
dpkg -l | grep -E \(impacket\|pcapy\|nmap\) > dpkg-grep.txt
cp /var/lib/dpkg/info/openssh-server.md5sums . #retrieve initial hash for sshd
md5sum /usr/sbin/sshd > sshd.md5sum #calculate actual hash for sshd

Shell script for Centos
cd /tmp
workdir=428c5fcf495396df04a459e317b70ca2
mkdir $workdir
cd $workdir
find / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null
find / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null
find / -type d -iname nmap > find-nmap.txt 2>/dev/null
find / -type d -iname wpscan > find-wpscan.txt 2>/dev/null
find / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null
rpm -qa | grep -E \(impacket\|pcapy\|nmap\) > rpm-grep.txt
rpm -qa –dump | grep ssh > rpm-qa-dump.txt #retrieve initial hash for sshd
sha256sum /usr/sbin/sshd > sshd.sha256sum #calculate actual sha256 hash for sshd
md5sum /usr/sbin/sshd > sshd.md5sum #calculate actual md5 hash for sshd


Kaspersky’s analysis of servers compromised by Energetic Bear shows the APT operates on behalf of others
24.4.18 securityaffairs APT

Kaspersky analyzed the served compromised by the Energetic Bear APT and assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it.
Security experts at Kaspersky Lab ICS CERT have published a detailed analysis of the server compromised by the notorious Energetic Bear APT group (Dragonfly and Crouching Yeti) across the years.

The Energetic Bear APT group has been active since at least 2010 most of the victims of the group are organizations in the energy and industrial sectors.

In March 2018, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

A week later, the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it labels the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”

The analysis of indicators of compromise (IoCs) shows the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

“The main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes – to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group’s main targets.” reads the report published by Kaspersky.

Most of the compromised servers were used in waterhole attacks, the others were used to host hacking tools or as a repository for data exfiltrated from target machines.

The servers analyzed by Kaspersky were located in several countries, including Russia, Ukraine, UK, Germany, Turkey, Greece, and the United States.

Below the full list of compromised servers:

Country Description Role in the attack
Russia Opposition political website Waterhole
Real estate agency Auxiliary (collecting user data in the waterhole attack)
Football club Waterhole
Developer and integrator of secure automation systems and IS consultant Waterhole
Developers of software and equipment Auxiliary (collecting user data in the waterhole attack, tool hosting)
Investment website Auxiliary (collecting user data in the waterhole attack)
Ukraine Electric power sector company Waterhole
Bank Waterhole
UK Aerospace company Waterhole
Germany Software developer and integrator Waterhole
Unknown Auxiliary (collecting user data in the waterhole attack)
Turkey Oil and gas sector enterprise Waterhole
Industrial group Waterhole
Investment group Waterhole
Greece Server of a university Auxiliary (collecting user data in the waterhole attack)
USA Oil and gas sector enterprise Waterhole
Unknown Affiliate network site Auxiliary (collecting user data in the waterhole attack)
All the servers involved in waterhole attacks were infected following the same pattern, attackers injected a link into a web page or JS file with the following file scheme: file://IP/filename.png.

Energetic Bear

The injected link is used to request an image on a remote server over the SMB protocol, with this trick attackers are able to extract victims’ user IP, username, domain name, and NTLM hash of the user’s password.

Experts observed the compromised servers were also used to conduct attacks on other resources by using several tools to scan websites and servers located in Russia, Ukraine, and Turkey, with Brazil, Georgia, Kazakhstan, Switzerland, U.S., France, and Vietnam.

“Compromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).” continues the report.

“The sites and servers on this list do not seem to have anything in common. Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers’ tools and, subsequently, to develop the attack.

Part of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.”

The analysis of the server used by the Energetic Bear APT revealed that many of them were used to host open-source tools, including Nmap (network analysis), Dirsearch (brute forcing directories and files on websites), Sqlmap (SQL injection exploitation), Sublist3r (enumerates website subdomains), Wpscan (WordPress vulnerability scanner), Impacket, SMBTrap, Commix (vulnerability search and command injection), Subbrute (subdomain enumeration), and PHPMailer (mail sending).

On one server Kaspersky has found a Python script named ftpChecker.py that was used for checking FTP hosts from an incoming list.

The server also contains a series of malicious php files in different directories in the nginx folder and in a working directory created by attackers on an infected web server. Experts also discovered a modified sshd with a preinstalled backdoor that is similar to a tool publicly available on GitHub that can be compiled on any OS.

“As a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a ‘master password’ to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).” continues Kaspersky.

“In addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the ‘master password’), including connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.”

According to Kaspersky, the use of publicly available tools makes hard the attribution of the infrastructure to a specific threat actor.

“The diversity of victims may indicate the diversity of the attackers’ interests. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development,” Kaspersky concludes.


Exclusive – APT group exploited still unpatched zero-day in IE dubbed ‘double play’
21.4.2018 securityaffairs APT

Security researchers at the 360 Core Security observed an APT group exploiting a zero-day vulnerability in IE, dubbed ‘double play’. The flaw is still unfixed.
Security researchers at the 360 Core Security uncovered a zero-day vulnerability in IE, dubbed ‘double play’, that was triggered by weaponized MS Office documents. The experts have been observing an APT group targeting a limited number of users exploiting the zero-day flaw.

At the time of writing the expert did not reveal the name of the APT because of ongoing investigation, most of the victims are located in ASIA.

360 Core Security
@360CoreSec
We uncovered an IE 0day vulnerability has been embedded in malicious MS Office document, targeting limited users by a known APT actor.Details reported to MSRC @msftsecresponse

9:18 AM - Apr 20, 2018
114
88 people are talking about this
Twitter Ads info and privacy
According to the experts at 360 Core Security, users may get hacked by simply opening a malicious document. Hackers can use the ‘double play’ flaw to implant a backdoor Trojan and take full control over the vulnerable machine.

Through source analysis, 360 Security experts were able to discover the attack chain and reported it to Microsoft.

The APT group was delivering an Office document with a malicious web page embedded, once the user opens the document, the exploit code and malicious payloads are downloaded and executed from a remote server. The later phase of this attack leverages a public UAC bypass technique and uses file steganography and memory reflection loading to avoid traffic monitoring and achieve loading with no files.

This ‘double play’ vulnerability may affect the latest versions of Internet Explorer and applications that are with IE kernel.

Experts at 360 Core Security are urgently promoting the release of the patch.

“At present, 360 is urgently promoting the release of the patch.” states 360 Core Security.

“We would like to remind users not to open any unfamiliar Office documents and use security software to protect against possible attacks.” states 360 Core Security.

double play zero day

Below the timeline of the zero-day:

April 18. 360 Core Security detected the attack;
April 19. Experts reported the flaw to Microsoft.
April 20. Microsoft confirmed the existence of the zero-day. Microsoft hasn’t yet released t patch.


APT Trends report Q1 2018
14.4.2018 Kaspersky Analysis  APT
In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.

These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to highlight the significant events and findings that we feel people should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information on a specific report, readers are encouraged to contact: intelreports@kaspersky.com.

Remarkable new findings
We are always very interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. In Q1 2018 we observed a bit of both, which are briefly summarized in this section.

We would like to start by highlighting all the new exploitation techniques applicable for the Meltdown/Spectre vulnerabilities that affect different CPU architectures and vendors. Even though we haven’t seen any of them exploited in the wild so far (only several PoCs) and although vendors have provided various patches to mitigate them, there is still no real solution. The problem relies on the optimization methods used at the processor’s architecture level. Given that a massive hardware replacement is not a realistic solution, Meltdown and Spectre might very well open the door to new infection vectors and persistence methods that we will see in the future.

A similar case was the announcement of several flaws for AMD processors. Even when the full technical details were not yet available, AMD confirmed that these flaws could be exploited for privilege escalation and persistence once a target has been compromised.

We also observed an increasing interest from attackers, including sophisticated actors, in targeting routers and networking hardware. Some early examples of such attacks driven by advanced groups include Regin and CloudAtlas. Additionally, the US Government published an advisory on unusual reboots in a prominent router brand, which might indicate that these specific devices are being actively targeted.

In our Slingshot analysis, we described how the campaign was using Mikrotik routers as an infection vector, compromising the routers to later infect the final victim through the very peculiar mechanism that Mikrotik used for the remote management of devices. In actual fact, we recognised the interest of some actors in this particular brand when the Chimay-red exploit for Mikrotek was mentioned in Wikileak´s Vault7. This same exploit was later reused by the Hajime botnet in 2018, showing once again how dangerous leaked exploits can be. Even when the vulnerability was fixed by Mikrotik, networking hardware is rarely managed properly from a security perspective. Additionally, Mikrotik reported a zero day vulnerability (CVE-2018-7445) in March 2018.

We believe routers are still an excellent target for attackers, as demonstrated by the examples above, and will continue to be abused in order to get a foothold in the victim´s infrastructure.

One of the most relevant attacks during this first quarter of 2018 was the Olympic Destroyer malware, affecting several companies related to the Pyeongchang Olympic Games’ organization and some Olympic facilities. There are different aspects of this attack to highlight, including the fact that attackers compromised companies that were providing services to the games´ organization in order to gain access, continuing the dangerous supply chain trend.

Besides the technical considerations, one of the more open questions is related to the general perception that attackers could have done much more harm than they actually did, which opened some speculation as to what the real purpose of the attack was.

MZ DOS and Rich headers of both files (3c0d740347b0362331c882c2dee96dbf – OlympicDestroyer, 5d0ffbc8389f27b0649696f0ef5b3cfe – Bluenoroff) are exactly the same.

In addition, a very relevant aspect is the effort attackers put in to planting several elaborative false flags, making this attack one of the most difficult we have analyzed in terms of attribution.

In February, we published a report about a previously unknown advanced Android backdoor that we call Skygofree. It seems that the author could be an Italian company selling the product in a similar way to how Hacking Team did in the past, however we don’t yet have any proof of this. Interestingly, shortly after we detected the Android samples of this malware, we also found an early iOS version of the backdoor. In this case, attackers had abused a rogue MDM (Mobile Device Management) server in order to install their malware in victims’ devices, probably using social engineering techniques to trick them into connecting with the rogue MDM.

Finally, we would like to highlight three new actors that we have found, all of them focused in the Asia region:

Shaggypanther – A Chinese-speaking cluster of activity targeting government entities, mainly in Taiwan and Malaysia, active since 2008 and using hidden encrypted payloads in registry keys. We couldn’t relate this to any known actor.
Sidewinder – An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.
CardinalLizard – We are moderately confident that this is a new collection of Chinese-speaking activity targeting businesses, active since 2014. Over the last few years, the group has shown an interest in the Philippines, Russia, Mongolia and Malaysia, the latter especially prevalent during 2018. The hackers use a custom malware featuring some interesting anti-detection and anti-emulation techniques. The infrastructure used also shows some overlaps with RomaingTiger and previous PlugX campaigns, but this could just be due to infrastructure reuse under the Chinese-speaking umbrella.
Activity of well-known groups
Some of the most heavily tracked groups, especially those that are Russian-speaking, didn´t show any remarkable activity during the last three months, as far as we know.

We observed limited activity from Sofacy in distributing Gamefish, updating its Zebrocy toolset and potentially registering new domains that might be used for future campaigns. We also saw the group slowly shift its targeting to Asia during the last months.

In the case of Turla (Snake, Uroburos), the group was suspected of breaching the German Governmental networks, according to some reports. The breach was originally reported as Sofacy, but since then no additional technical details or official confirmation have been provided.

The apparent low activity of these groups – and some others such as The Dukes – could be related to some kind of internal reorganization, however this is purely speculative.

Asia – high activity
The ever-growing APT activity in this part of the World shouldn´t be a surprise, especially seeing as the Winter Olympic Games was hosted in South Korea in January 2018. More than 30% of our 27 reports during Q1 were focused on the region.

Probably one of the most interesting activities relates to Kimsuky, an actor with a North-Korean nexus interested in South Korean think tanks and political activities. The actor renewed its arsenal with a completely new framework designed for cyberespionage, which was used in a spear-phishing campaign against South Korean targets, similar to the one targeting KHNP in 2014. According to McAfee, this activity was related to attacks against companies involved in the organization of the Pyeongchang Olympic Games, however we cannot confirm this.

The Korean focus continues with our analysis of the Flash Player 0-day vulnerability (CVE-2018-4878), deployed by Scarcruft at the end of January and triggered by Microsoft Word documents distributed through at least one website. This vulnerability was quickly reported by the Korean CERT (KN-CERT), which we believe helped to quickly mitigate any aggressive spreading. At the time of our analysis, we could only detect one victim in South Africa.

Forgotten PDB path inside the malware used by Scarcruft with CVE-2018-4876

Furthermore, IronHusky is a Chinese-speaking actor that we first detected in summer 2017. It is very focused on tracking the geopolitical agenda of targets in central Asia with a special focus in Mongolia, which seems to be an unusual target. This actor crafts campaigns for upcoming events of interest. In this case, they prepared and launched one right before a meeting with the International Monetary Fund and the Mongolian government at the end of January 2018. At the same time, they stopped their previous operations targeting Russian military contractors, which speaks volumes about the group’s limitations. In this new campaign, they exploited CVE-2017-11882 to spread common RATs typically used by Chinese-speaking groups, such as PlugX and PoisonIvy.

The final remark for this section covers the apparently never-ending greed of BlueNoroff, which has been moving to new targets among cryptocurrencies companies and expanding its operations to target PoS’s. However, we haven´t observed any new remarkable changes in the modus operandi of the group.

Middle East – always under pressure
There was a remarkable peak in StrongPity’s activity at the beginning of the year, both in January and March. For this new wave of attacks, the group used a new version of its malware that we simply call StrongPity2. However, the most remarkable aspect is the use of MiTM techniques at the ISP level to spread the malware, redirecting legitimate downloads to their artifacts. The group combines this method with registering domains that are similar to the ones used for downloading legitimate software.

StrongPity also distributed FinFisher using the same MiTM method at the ISP level, more details of which were provided by CitizenLab.

Desert Falcons showed a peak of activity at the end of 2017 and the beginning of 2018. Their toolset for this new campaign included Android implants that they had previously used back in 2014. The group continues to heavily rely on social engineering methods for malware distribution, and use rudimentary artifacts for infecting their victims. In this new wave we observed high-profile victims based mostly in Palestine, Egypt, Jordan, Israel, Lebanon and Turkey.

A particularly interesting case we analyzed was the evolution of what we believe to be the Gaza Team actor. What makes us question whether this is the same actor that we have tracked in the past, is the fact that we observed a remarkable boost in the artifacts used by the group. We actually can´t be sure whether the group suddenly developed these new technical capabilities, or if they had some internal reorganization or acquired improved tools. Another possibility is that the group itself was somehow hacked and a third actor is now distributing their artifacts through them.

Final Thoughts
As a summary of what happened during the last 3 months, we have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers are becoming much more active. For all these new attackers we observe different levels of sophistication, but let´s admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities. Powershell, for instance, is one of the most common resources used by any of them. In other cases, there seems to be a flourishing industry of malware development behind the authorship of the tools that have been used in several campaigns.

Some of the big stories like Olympic Destroyer teach us what kind of difficulties we will likely find in the future in terms of attribution, while also illustrating how effective supply chain attacks still are. Speaking of new infection vectors, some of the CPU vulnerabilities discovered in the last few months will open new possibilities for attackers; unfortunately there is not an easy, universal protection mechanism for all of them. Routing hardware is already an infection vector for some actors, which should make us think whether we are following all the best practices in protecting such devices.


APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools
13.4.2018 securityaffairs APT

The Iran-linked APT33 group continues to be very active, security researchers at Cyberbit have discovered an Early Bird code injection technique used by the group.
The Early Bird method was used to inject the TurnedUp malware into the infected systems evading security solutions.

The technique allows injecting a malicious code into a legitimate process, it allows execution of malware before the entry point of the main thread of a process.

“We saw this technique used by various malware. Among them – the “TurnedUp” backdoor written by APT33 – An Iranian hackers group, A variant of the notorious “Carberp” banking malware and by the DorkBot malware.” reads the analysis published by the experts.

“The malware code injection flow works as follows:

Create a suspended process (most likely to be a legitimate windows process)
Allocate and write malicious code into that process
Queue an asynchronous procedure call (APC) to that process
Resume the main thread of the process to execute the APC”
Anti-malware tools insert hooks when a process starts running, the code sections placed on specific Windows API calls allows security solution to detect the threats while invoking the API.

APT33 Early Bird technique allows bypassing the anti-malware hooking mechanism.

The Early Bird technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” continues the analysis published by Cyberbit.

Experts noticed that during the initialization phase of the main thread, immediately after the call to NtResumeThread, a function called NtTestAlert checks the APC queue to delay the code of the main threat until the APC code is finished.

“During the initialization phase of the main thread (Right after the call to NtResumeThread), a function called NtTestAlert checks the APC queue. If the APC queue is not empty – NtTestAlert will notify the kernel which in return jump to KiUserApcDispatcher which will execute the APC. The code of the main thread itself will not execute until the code of the APC is finished executing,” continues the analysis.

“Before returning to user-mode, the kernel prepares the user-mode thread to jump to KiUserApcDispatcher which will execute the malicious code in our case,”

early bird injection

Differently from other methods, the Early Bird technique aims to hide the malicious actions executed post-injection.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production.


OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group
6.4.2018 securityaffairs APT  Apple

Security experts at Trend Micro have discovered a new macOS backdoor that they linked to the APT 32 (OceanLotus, APT-C-00, SeaLotus, and Cobalt Kitty) cyber espionage group.
The APT32 group has been active since at least 2013, according to the experts it is a state-sponsored hacking group. The hackers hit organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The APT32 group uses custom-built malware for its attacks, the newly discovered macOS backdoor was tracked by experts at Trend Micro as OSX_OCEANLOTUS.D.

The researchers found the backdoor on macOS systems that have the Perl programming language installed.

“We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty).” reads the analysis published by Trend Micro.

“The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.”

The hackers used spear-phishing messages as attack vectors, the backdoor is distributed via weaponized documents attached to emails. The bait document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

APT 32 _MacOS_backdoor

The malicious document contains an obfuscated macros with a Perl payload. The macro extracts an XML file (theme0.xml) from the document, it is a Mach-O 32-bit executable with a 0xFEEDFACE signature that acts as a dropper for the final OSX_OCEANLOTUS.D backdoor.

“All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key. There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string.” continues the report.

“Using the setStartup() method, the dropper first checks if it is running as a root or not. Based on that, the GET_PROCESSPATH and GET_PROCESSNAME methods will decrypt the hardcoded path and filename where the backdoor should be installed.”

Once the dropper has installed the backdoor, it will set its attributes to “hidden” and set file date and time to random values using the touch command:

touch –t YYMMDDMM “/path/filename” > /dev/null.

It also changes the permissions to 0x1ed = 755, which is equal to u=rwx,go=rx.

The backdoor loops on two main functions, infoClient and runHandle; infoClient is used to collect platform information and send them to the command and control (C&C) server, meanwhile runHandle implements backdoor capabilities.

The discovery of a new backdoor linked to the APT32 group confirms that the state-sponsored crew was very active in the last months.


North Korea-Linked Lazarus APT suspected for online Casino assault
5.4.2018 securityaffairs APT

The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets.
The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

Now security experts from ESET uncovered a cyber attack against an online casino in Central America and on other targets, in all the assaults hackers used similar hacking tools, including the dreaded KillDisk disk-wiper.

The experts found several backdoors and a simple command line tool that was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.

Most of the tools were specifically designed to run as a Windows service and require administrator privileges for their execution.

ESET detailed a TCP backdoor dubbed Win64/NukeSped, a console application that is installed in the system as a service.

The backdoor implements a set of 20 commands whose functionality is similar to previously analyzed Lazarus samples.

“Win64/NukeSped.W is a console application that is installed in the system as a service. One of the initial execution steps is dynamically resolving the required DLL names, on the stack:” states the analysis published by ESET.

“Likewise, procedure names of Windows APIs are constructed dynamically. In this particular sample, they are visible in plaintext; in other past samples that we’ve analyzed they were base64-encoded, encrypted or resolved on the stack character by character”

Lazarus backdoor code

The backdoor allows attackers to gather information on the system, create processes, search for files, drop files on the infected systems, and inject code into processes, including Explorer.

Researchers from ESET also detailed session hijacker, dubbed Win64/NukeSped.AB, that is a console application capable of creating a process as another currently–logged-in user on the target system.

The session hijacker was spotted in the attack against the casino, researchers at ESET believe it is the same malware used in the attacks against Polish banks and Mexican entities.

ESET pointed out that at least two variants of the KillDisk malware were used in the attack that appear not linked to past wiper-based attacks, like the ones that hit Ukraine in December 2015 and December 2016.

“KillDisk is a generic detection name that ESET uses for destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable.” continues the report.

“Sub-family variants that do have strong code similarities, are sometimes seen separate cyberattacks and thus can help us make connections, as here. Other cases, for example the directed cyberattacks against high-value targets in Ukraine in December 2015 and December 2016, also employed KillDisk malware, but those samples were from different KillDisk sub-families, so are most likely unrelated to these attacks.”

According to ESET, more than 100 machines belonging to the Central American online casino were infected with the two variants of Win32/KillDisk.NBO.

It is still unclear if the attackers used the KillDisk wiper to cover the tracks of an espionage campaign, or if the malicious code was used in an extortion schema or sabotage.

The presence of the KillDisk wipers and various Lazarus-linked malware suggests that the APT group was responsible for the attack.

Experts also found that both variants present many similarities with the ones that previously targeted financial organizations in Latin America.

The attackers also used the Mimikatz tool to extract Windows credentials, a tool designed to recover passwords from major web browsers, malicious droppers and loaders to download and execute their tools onto the victim systems.

The hackers leveraged Radmin 3 and LogMeIn as remote access tools.

“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else).” concluded ESET.

“The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.”


Your new friend, KLara

29.3.2018 Kaspersky APT
GReAT’s distributed YARA scanner
While doing threat research, teams need a lot of tools and systems to aid their hunting efforts – from systems storing Passive DNS data and automated malware classification to systems allowing researchers to pattern-match a large volume of data in a relatively short period of time. These tools are extremely useful when working on APT campaigns where research is very agile and spans multiple months. One of the most frequently used tools for hunting new variants of malware is called YARA and was developed by Victor Manuel Alvarez while working for VirusTotal, now part of Alphabet.

In R&D we use a lot of open-source projects and we believe giving back to the community is our way of saying ‘Thank you’. More and more security companies are releasing their open-source projects and we would like to contribute with our distributed YARA scanner.

What is YARA?
YARA is defined as “a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples”. In other words, it is a pattern-matching tool, but on steroids. It can support complex matching rules as well as searching files with specific metadata (for example, it can search all files that use a certificate containing the string “Microsoft Corporation” but is not signed by “Microsoft”).

How can YARA help you find the next APT in your network?
YARA’s usefulness is amazing, especially given traditional protection measures are no longer enough in today’s complex threat landscape. Modern protection systems, combined with constant network monitoring and incident response have to be deployed in order to successfully protect equipment.

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow. Indicators of compromise (IoCs) can help you search for footprints of known malware or for an active infection. But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective. Good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found any other way. The rules can be deployed in networks and on various multi-scanner systems.

That’s why, as part of our Threat Intelligence services, we offer a range of training courses, one of them being our world-famous YARA Training, held by our GReAT ninjas: Costin Raiu, Vitaly Kamluk and Sergey Mineev.

Finding exploits in the wild
One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the much publicized Silverlight 0-day. The team started hunting for it after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at one time had been installed on a huge number of computers.

GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits, using very specific comments, shell code and function names. All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”. Eventually it caught a new sample, a 0-day, and the team immediately reported it to Microsoft.

KLara, GReAT’s distributed YARA scanner
As mentioned above, any team carrying out threat intelligence needs to have powerful tools in their arsenal in order to find the latest threats and detect attacks as soon as possible. Within our R&D department we have built a lot of tools internally, but we believe most progress is made when useful tools are shared with the community. As such, we are releasing our internal tool for running YARA rules over a large set of data (malware/virus collections).

What is KLara?
In order to hunt efficiently for malware, you need a large collection of samples to search through. Researchers usually need to fire a YARA rule over a collection/set of malicious files and then get the results back. In some cases, the rule needs adjusting. Unfortunately, scanning a large collection of files takes time. However, if a custom architecture is used instead, scanning 10TB of files can take around 30 minutes. Of course, if there are multiple YARA rules that need to be run simultaneously, it’s important the system is also distributed. And this is where KLara comes in. KLara is a distributed system written in Python, allowing researchers to scan one or more YARA rules over collections with samples, getting notifications by email and in the web interface when the scan results are ready. Systems like KLara are important when large collections of data are involved. Of course, researchers will have their own small virus collections on their computers in order to make sure their YARA rules are sound, but when searching for viruses in the wild, this task requires a lot of processing power and this can only be achieved with a cloud system.

Why is it important to have a distributed YARA scanner?
Attacks using APTs are extremely dangerous, regardless of whether the target belongs to the public, private or government sector. From our experience, constant monitoring of logs, netflow, alerts and any suspicious files helps mitigate an attack during reconnaissance stages. There are some projects similar to KLara that SOC teams can leverage, but most of them are private, meaning either the virus collection or rules exist somewhere in the cloud, outside the team’s direct control.

KLara, on the other hand, allows anyone running any kind of hardware to set up their own private YARA scanner, keeping TLP RED YARA rules local.

KLara under the hood
The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Worker and dispatcher agents are written in Python. Because the worker agents are written in Python, they can be deployed in any compatible ecosystem (Windows or UNIX). The same logic applies to the YARA scanner (used by KLara): it can be compiled on both platforms.

Jobs can be submitted and their status retrieved using a web-based portal, while each user has their own personal account allowing them to be part of a group, as well as share their KLara jobs with any other valid account.

Accounts have multiple properties that can be set by the administrator: what group they are part of, what scan repositories they can run their YARA rules over (based on group membership), if they can see other groups’ jobs, or the maximum number of jobs that can be submitted monthly (individual quotas).

By using the dashboard, authenticated users can submit jobs on the ‘Add a new job’ page:

And check their status on the ‘Current jobs’ page:

Once a user submits a task, they can view its status, resubmit it or delete it. One of the workers will fetch the job from the dispatcher and if it has eligible scan repositories on its file systems, will start the YARA scan. Once finished, the user is notified by email of the results.

Each job’s metadata consists of one or multiple YARA rules, the submitter’s account info and a set of scan repositories that can be selected:

On the main page, a summary is displayed:

Job status: New/Assigned/Finished/Error
Job management: Restart/Delete job
How many files have been matched
Name of the first rule in the rules set
The repository path over which YARA scanned for matches.
A more detailed status can be seen once we click on a job:

Any YARA results will be displayed at the bottom, as well as a list of matched MD5s.

Each user can have a search quota and be part of a group. Groups can choose to restrict users (preventing them from seeing what other jobs group members submit).

Finally, each user can change their email address if they want notifications to be sent to another email account.

API access
In order to facilitate automatic job submissions as well as automatic results retrieval, KLara implements a simple REST API allowing any valid account with a valid API Key to query any allowed job’s status. It allows scripts to:

Submit new tasks
Get the job results as well as job details (if it’s still scanning or assigned, finished or if there’s an unprocessed (new) job)
Get all the YARA results from a specific job.
Get all the matched MD5 hashes
More info about using the API can be found in the repository.

How can you get KLara?
The software was released on our official Kaspersky Lab GitHub account on 9 March, 2018.

We welcome anyone who wants to contribute to this project to submit pull requests. As we said before, we believe in giving back to the community the best tools we can provide in order to fight malware.

The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.


XM Cyber Unveils Automated Purple-Teaming at Speed and Scale
21.3.2018 securityweek APT

Israeli Cybersecurity Startup Launches Automated Advanced Persistent Threat (APT) Simulation Platform

Penetration testing is the most effective method of testing whether existing security policy stands up against advanced attackers, but it doesn't scale well to large, dynamic networks, and only provides a single conclusion at a specific point in time. The solution is clearly automation.

XM Cyber is an Israeli firm founded in 2016. Its three co-founders are Tamir Pardo (formerly head of Mossad); Boaz Gorodissky (formerly head of technology for the government of Israel); and Noam Erez (who spent 25 years in Israeli intelligence). Its headquarters are in Israel, but with a presence in the U.S. and Australia. It has customers in Israel, the U.S. and Europe.

Its primary product, an automated APT simulation platform called HaXM, is unveiled today. The product simulates the possible behavior of an attacker in order to locate potential weaknesses on the system; and then, using the data gathered, provides recommendations for the remediation of those weaknesses. In this manner it provides automated red teaming with blue teaming to produce purple teaming at speed, continuously, and at scale.

"The problem we solve," VP of Product Adi Ashkenazy told SecurityWeek, "is that when you look at modern organizations and you see the kind of security stack they have in place, you have to wonder if they are actually securing their critical assets. This is something the companies ask themselves as well. They spend a lot of money on different products and vendors; but at the end of the day, if you ask them, 'are your critical assets secure?', they may have hope and some belief, but they have no concrete evidence to support the idea."

Manual penetration testing to prove the hypothesis of security, he continued, makes no sense for the modern organization that may have tens of thousands of endpoints, and hundreds of subsystems; and is continuously evolving and changing.

"This is why we founded XM Cyber," commented Noam Erez: "to equip enterprises with a continuous 360-degree view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them."

HaXM places sensors only on 'endpoints of interest'. "We don't have to map the entire network," said Ashkenazy. "We deploy our sensors on the endpoints of interest within the infrastructure that hackers are able or likely to use. We try to be almost religious in the way we mimic attacks -- we don't put sensors on every endpoint."

Nor does HaXM start with any preconceived idea of a potential attack. "We don't define the attack vectors in advance," he said. "We act like a virtual hacker. We start from points of likely breach -- which could be internet-facing servers, for example; or endpoints that receive external email. We place our virtual hacker in those starting points with a tool box that mimics the capabilities of an advanced attacker; and from that moment on the virtual hacker mimics the steps taken by a real hacker trying to find his way to critical assets. We never know in advance what will be found, but so far the virtual hacker has always eventually managed to compromise the entire network."

This is HaXM's simulation mode, where great care is taken not to trigger any alarms from the customer's existing security stack. It checks for the conditions that could be used by an attacker. "This is what we use for 24/7 testing. But we also have a validation mode," added Ashkenazy. "When you switch to validation mode, this is not continuous, but is a controlled mode, where you specify when and where you want to actually test a specific attack vector -- and then we conduct the malicious activities to their full extent so that you can check the security stack in its entirety."

HaXM provides a visualization of the route an aggressor can take from initial entry point on a network to the company's critical assets. In doing this, it definitively presents the existence or absence of sufficient security, highlighting if and where additional security is necessary. While many security products seek to find indications of actual compromise after an initial breach, XM Cyber's approach is to find routes of potential compromise irrespective of an existing breach. It will not locate an attacker; but it will tell the customer what an attacker could achieve.

XM Cyber has offices in Herzliya, Israel; New York; and Sydney, Australia. It has raised $15 million as initial funding in its first two years. The product will be demonstrated at the RSA Conference in San Francisco, California in April 16-19, 2018.


Experts discovered remotely exploitable buffer overflow vulnerability in MikroTik RouterOS
19.3.2018 securityaffairs APT
Security experts at Core Security have disclosed the details of a buffer overflow vulnerability that affects MikroTik RouterOS in versions prior to the latest 6.41.3.
MikroTik is a Latvian vendor that produce routers used by many telco companies worldwide that run RouterOS Linux-based operating system.

The vulnerability, tracked as CVE-2018-7445, could be exploited by a remote attacker with access to the service to execute arbitrary code on the system.

“A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.” reads the advisory published by the company.

“The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it.”

The researchers published a proof of concept exploit code that works with MikroTik’s x86 Cloud Hosted Router.

MikroTik routerOS

Core first reported the flaw to MikroTik on February 19, 2018. MikroTik planned to release a fix in the next release on March 1, 2018 and asked Core to do not reveal the details of the flaw. Even if MikroTik was not able to issue a fix for the estimated deadline 2018, Core waited for the release of the new version the occurred on Monday, March 12, 2018.

In case it is not possible to install an update, MikroTik suggested disabling SMB.

A few days ago, security experts at Kaspersky Lab announced to have spotted a new sophisticated APT group that has been operating under the radar at lease since at least 2012. Kaspersky tracked the group and identified a strain of malware it used, dubbed Slingshot, to compromise systems of hundreds of thousands of victims in the Middle East and Africa.

Slingshot

The researchers have seen around 100 victims of Slingshot and detected its modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

Kenya and Yemen account for the largest number of infections to date. Most of the victims are individuals rather than organizations, the number of government organizations is limited.

The APT group exploited zero-day vulnerabilities (CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.) in routers used by the Latvian network hardware provider Mikrotik to drop a spyware into victims’ computers.
The attackers first compromise the router, then replace one of its DDLs with a malicious one from the file-system, the library is loads in the target’s computer memory when the user runs the Winbox Loader software, a management suite for Mikrotik routers.

The DLL file runs on the victim’s machine and connects to a remote server to download the final payload, the Slingshot malware in the attacks monitored by Kaspersky.

It is not clear if the Slingshot gang also exploited the CVE-2018-7445 vulnerability to compromise the routers.

Now that a proof of concept exploit for vulnerability CVE-2018-7445 is available online customers need to upgrade RouterOS to version 6.41.3 to avoid problems.


Russia-linked Sofacy APT targets an unnamed European Government agency
18.3.2018 securityaffairs APT

While US-CERT warns of cyber attacks against critical infrastructure in the energy sectors, Russia-linked Sofacy APT is targeting a government agency in Europe.
Last week the US Government announced sanctions against five Russian entities and 19 individuals, including the FSB, the military intelligence agency GRU.

Despite the sanctions, Russian hackers continue to target entities worldwide, including US organizations.

The Russian spy agencies and the individuals are accused of trying to influence the 2016 presidential election and launching massive NotPetya ransomware campaign and other attacks on businesses in the energy industry.

Last year, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

Now the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it label the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”

According to the DHS, based on the analysis of indicators of compromise, the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

The Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of Russian cyberspies.

A few days ago, cyber security experts at Palo Alto Networks uncovered hacking campaigns launched by Sofacy against an unnamed European government agency leveraging an updated variant of the DealersChoice tool.

“On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice.” reads the analysis published by PaloAlto Networks.

“The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed. One of the differences was a particularly clever evasion technique.”

The attacks uncovered by PaloAlto aimed at a government organization in Europe used a spear phishing email referencing the “Underwater Defence & Security” conference, which will take place in the U.K. later this month.

While previous versions of DealersChoice loaded a malicious Flash object as soon as the bait document was opened, the samples analyzed by PaloAlto that were related to the last attacks include the Flash object on page three of the document and it’s only loaded if users scroll down to it.

“The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.” states the analysis.

Early February, experts from Kaspersky highlighted a shift focus in the Sofacy APT group’s interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.


Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries
18.3.2018 securityaffairs APT

The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months.
Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States.

The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, some of them located in Europe and at least one in Hong Kong.

“The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.” reads the analysis published by security firm FireEye.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit.”

The researchers confirmed that the tactics, techniques, and procedures (TTPs) and the targets of the TEMP.Periscope overlap with ones both TEMP.Jumper and NanHaiShu APT groups.

Researchers at FireEye observed a spike in the activity of TEMP.Periscope that was also associated with the use of a broad range of tools commonly used by other Chinese threat actors.

The arsenal of the crew includes backdoors, reconnaissance tools, webshells, and file stealers.

A first backdoor dubbed BADFLICK, could be used to modify the file system of the infected system, establish a reverse shell, and modifying the command-and-control configuration.

Another backdoor used by the group is dubbed Airbreak, which is a JavaScript-based backdoor (aks “Orz”) that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

TEMP.Periscope

Other malware is described in the post published by FireEye.

“PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.” continues the analysis.

“HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56.”

The crews also used the Lunchmoney tool that exfiltrates files to Dropbox and the Murkytop command-line reconnaissance tool.

Recently the group used the China Chopper, a code injection webshell that executes Microsoft .NET code within HTTP POST commands.

The group targeted victims with spear-phishing messaged that use weaponized documents attempting to exploit the CVE-2017-11882 vulnerability to deliver malicious code.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Further details, including the Indicators of Compromise are reported in the analysis published by FireEye.


OceanLotus APT is very active, it used new Backdoor in recent campaigns
14.3.2018 securityaffairs APT

The OceanLotus APT group, also known as APT32 and APT-C-00, has been using a new backdoor in recently observed attacks.
The OceanLotus Group has been active since at least 2013, according to the experts it is a state-sponsored hacking group linked to Vietnam, most of them in Vietnam, the Philippines, Laos, and Cambodia.

The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

Researchers at Volexity has been tracking the threat actor since May 2017, they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations.

Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape, Volexity researchers compared the APT with the dreaded s Russia-linked Turla APT.

The group is well-resourced, it continues to use along with old techniques.

“A great deal of research about this group was published last year, including
papers such as those from CyberReason, a lengthy global view from FireEye and the watering-hole explanation from Volexity. We see that this group keeps updating their backdoors, infrastructure, and infection vectors.” reads the analysis published by ESET.

“OceanLotus continues its activity particularly targeting company and government networks in East-Asian countries. A few months ago, we discovered and analyzed one of their latest backdoors. Several tricks are being used to convince the user to execute the backdoor, to slow down its analysis and to avoid detection.”

The threat actors started adopting a new backdoor that provides them with remote access and full control on the infected systems.

OceanLotus’s attack is carried on in two stages, in the first phase the hackers leverage a dropper, delivered via spear-phishing messages, to gain the initial foothold on the targeted system, then the malicious code prepares the stage for the backdoor.

“Over the past few months, a number of decoy documents have been used. One of them was a fake TrueType font updater for the Roboto Slab regular font. This choice of font seems a bit odd since it does not support a lot of East-Asian languages.” reads the analysis.

“When executed, this binary decrypts its resource (XOR with a 128-byte, hardcoded key) and decompresses the decrypted data (LZMA). The legitimate RobotoSlab-Regular.ttf file is written into the %temp% folder and run via Win32 API function ShellExecute.

The shellcode decrypted from the resource is executed. After its execution, the fake font updater drops another application whose sole purpose is to delete the dropper. This “eraser” application is dropped as %temp%\[0-9].tmp.exe.”

OceanLotus backdoor

Attackers also powered watering hole attacks using fake installers posing as updates for popular applications.

One of the installers used by the APT is the repackaged Firefox installer described by 360 Labs on Freebuf (Chinese language).

Researchers noticed that attackers’ dropper package includes several components, the whole process of installation and execution relies heavily on multiple layers of obfuscation to prevent detection. The dropper also included garbage code to avoid being detected and code designed to delete the bait document.

The dropper gain persistence by creating a Windows service if administrator privileges are available, or modifies the operating system’s registry if executed with normal privileges.

The backdoor is able to execute tens of commands, including fingerprint the system, create a process, call the PE Loader, drop and execute a program and run shellcode in a new thread.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address.” concludes ESET.

“The encryption of the payload, together with the side-loading technique – despite
its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application.”


New North Korea-linked Cyberattacks Target Financial Institutions

12.3.2018 securityweek APT

New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey

Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network.

An analysis published by senior analyst of major campaigns, Ryan Sherstobitoff, says McAfee believes this operation is intended to gain access to specific Turkish financial organizations via targeted spear-phishing, using a weaponized Word document containing an embedded Flash exploit. The Flash vulnerability only surfaced at the end of January 2018, but is thought to have been exploited by North Korean actors since mid-November 2017. It was patched by Adobe within a week; but any computer that has not yet updated Flash to the latest version will remain vulnerable.

McAfee's report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack -- which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim's system.

Nortk Korea FlagUS-CERT issued a malware analysis report (MAR) on Bankshot (PDF) in December 2017. It describes it as malware used by the North Korean government, whose cyber activity is conducted by actors it calls Hidden Cobra. McAfee says the variant it has analyzed "is 99% similar to the documented Bankshot variants from 2017."

In the spear-phishing campaign, the Bankshot implant was associated with a Word document with the filename Agreement.docx. It masquerades as an agreement template for Bitcoin distribution. Once activated, malicious DLLs are downloaded from falcancoin.io -- a lookalike domain name to the legitimate cryptocurrency-lending platform Falcon Coin.

The DLLs communicate with three control servers (the URLs are hardcoded in the implants' code), two of them Chinese-language online gambling sites. Based on the response received from the control server, the malware can carry out a wide range of malicious tasks centered on gathering system data and controlling system processes. It also contains two methods of file deletion capable of erasing evidence of presence and other destructive actions. After every action, the malware sends a response to the control server indicating whether the action was successful.

Hidden Cobra has been linked to several attacks against financial institutions. "This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript," writes Sherstobitoff. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector."

North Korean actors are credited with the 2015/2016 attacks on the SWIFT network. No evidence was found to suggest that this version is designed to conduct financial transactions; "rather," writes Sherstobitoff, "it is a channel into the victim's environment, in which further stages of implants can be deployed for financial reconnaissance."

McAfee is confident that it has uncovered a new Hidden Cobra (ie, North Korean government) reconnaissance campaign against Turkish financial institutions. In February, the Winter Olympic Games held in South Korea were hit by cyber-attacks dubbed Olympic Destroyer. Many commentators assumed the attacks came from North Korea -- an assumption supported by indicators within the malware.

By mid-February, Recorded Future warned against hasty attribution for Olympic Destroyer, despite the presence of code fragments previously used by North Korean actors. "The co-occurrence of code overlap in the malware," wrote Recorded Future, "may be indicative of a false flag operation, attempting to dilute evidence and confuse researchers."

More recently, Kaspersky Lab concluded that despite the presence of a unique fingerprint tying Olympic Destroyer to Lazarus (Hidden Cobra), there is other evidence suggesting the involvement of the Russian group known as Sofacy or APT28. One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its own campaigns on Russian actors.

Given the relative ease and increasing frequency of so-called 'false flag' cyber-attacks, SecurityWeek asked McAfee how certain it is that Hidden Cobra is the group behind the Turkish attacks. "McAfee takes attribution very seriously," relied Ryan Sherstobitoff. "As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators. While the private sector can rarely claim 100% confidence in attack attribution without access to the same resources possessed by government and law enforcement agencies, we can say that the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra by the United States Government, are very strong indicators of the acting group."

"We have found," concludes McAfee, "what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries)." It warns that the attack has a high chance of success against victims with an unpatched version of Flash. "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal."


China-Linked APT15 used new backdoors in attack against UK Government’s service provider
12.3.2018 securityaffairs APT

China-Linked APT15 used new backdoors is an attack that is likely part of a wider operation aimed at contractors at various UK government departments and military organizations.
Last week Ahmed Zaki, a senior malware researcher at NCC Group, presented at the Kaspersky’s Security Analyst Summit (SAS), details of a malware-based attack against the service provider for the UK Government launched by the APT15 China-linked group (aka Ke3chang, Mirage, Vixen Panda and Playful Dragon).

“In May 2017, NCC Group’s Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.” reads a blog post published by NCC Group.

NCC stop the investigation in June 2017 on explicit request of the victim but resumed it in August after the APT15 hackers managed to regain access to the victim’s network.

“APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.” continues the analysis.

The attack is likely part of a wider operation aimed at contractors at various UK government departments and military organizations.

APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide. The attackers demonstrated an increasing level of sophistication across the years, they used a custom-malware and various exploits in their attacks.

NCC Group recently spotted two new backdoors used by the group along with malware already associated with the APT15.

“During our analysis of the compromise, we identified new backdoors that now appear to be part of APT15’s toolset. The backdoor BS2005 – which has traditionally been used by the group – now appears alongside the additional backdoors RoyalCli and RoyalDNS.” continues NCC Group.

“The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines.”


One of the backdoors has been tracked as RoyalCLI due to a debugging path left in the binary, it is the successor of BS2005 backdoor used by the group. Both RoyalCLI and BS2005 communicate with command and control (C&C) servers via Internet Explorer using the COM interface IWebBrowser2.

The attackers utilized Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

The second backdoor, tracked as RoyalDNS, uses DNS to communicate with the C&C server, once executed the command the backdoor returns output through DNS.

Further information, including the IoCs, are available in the post.


Kaspersky – Sofacy ‘s campaigns overlap with other APT groups’ operations
12.3.2018 securityaffairs APT

According to Kaspersky, the Sofacy APT is particularly interested in military, defense and diplomatic entities in the far east, but overlap with other APT’s operations makes hard the attribution.
Last week, during the Kaspersky Security Analyst Summit (SAS) held in Cancun, researchers from Kaspersky illustrated the results of their investigation on the recent activities conducted by the dreaded Sofacy APT group.

The experts confirmed the news reported by Kaspersky three weeks ago, the Russia-linked APT28 group (aka Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium.) have shifted focus in their interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

According to Kaspersky researcher Kurt Baumgartner, the Sofacy APT is particularly interested in military, defense and diplomatic entities in the far east.

The researchers explained that the Russian APT group’s activity overlaps with cyber espionage campaigns conducted by other threat actors.

Baumgartner pointed out that the Zerbrocy malware used by Sofacy APT was discovered on machines that had also been infected with the Mosquito backdoor associated with Russian Turla APT. Baumgartner also explained that Sofacy SPLM malware has infected the same systems that were compromised by Danti China-linked APT.

In similar circumstances, the Kaspersky researchers found that the systems infected by the SPLM malware (aka CHOPSTICK and X-Agent) had been previously infected with other Turla malware.

Sofacy backdoor

Kaspersky noticed that the overlaps were frequent on systems belonging to government, technology, and military organizations in Central Asia.

Another case of evident overlap was between Sofacy and the Longhorn threat actor, a group that researchers at Symantec reportedly linked to the CIA due to the use of Vault 7 tools. At least a server belonging to a military and aerospace conglomerate in China was infected by Sofacy backdoors and Longhorn malware.

Of course, even in presence of overlap, it is difficult to attribute the infection to a specific actor because APT groups use to plant false flags.


Masha and these Bears
10.3.2018 Kaspersky APT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a prolific, well resourced, and persistent adversary. They are sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile. Our previous post on their 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US, and examines their under-reported ongoing activity in middle east, central asia, and now a shift in targeting further east, including China, along with an overlap surprise. There is much understated activity that can be clustered within this set and overlap in APT activity. Here, we examine current deployment, code, cryptography, and targeting.

Essentially, this examination finds the group maintains subdivisions of efforts in targeting, development, and coding. Comparisons to other modules quickly shows a delineation in other Sofacy efforts. SPLM, GAMEFISH, and Zebrocy delivery all maintain their own clusters, but frequently overlap later.

Because SPLM is their primary and selective second stage tool, SPLM deployment is of much interest. But Zebrocy efforts are in such high volume, that these modules need examination as well.

SPLM/CHOPSTICK/XAgent Code
SPLM, otherwise known as CHOPSTICK, or by the author(s) as “XAgent”, is described as Sofacy’s signature second stage tool, selectively used for years against around the world. Really, many modified XAgent modules have been deployed over the years. Even the individual Linux modules renamed as “Fysbis” backdoors released in 2016 were merely modified and reduced portions of recompiled XAgent C/C++ codebase. Anyway, SPLM/CHOPSTICK has maintained various combinations of code, with some recognizable functionality listed here.

Source Modules Channels
Modules Keylogger HTTP
Channels RemoteShell FTP
Boot FileSystem SMTP
Library Launcher
MainHandler CameraShot
InjectApp
Screenshot
FileObserver
PasswordFirefox
InfoOS
Version 3 and early version 4 SPLM modules maintained keylogger, remoteshell, and filestealer code all within the larger compiled backdoor, and executed each body of functionality from within that process memory space. Later v4 SPLM injected individual keylogger, filestealer, and remoteshell modules into memory space. But for the most part, deployed SPLM maintained the structure of earlier executable code. In 2018, we now see them pushing individual and separate blobs of keylogger, filesystem, and remoteshell code that never touch disk. The larger, 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018. Instead, in-memory modules appear in isolation.

In addition to purely XAgent based code, we also observe zebrocy modules completely recoded into powershell from .Net.

Code and Crypto Comparisons
Current SPLM code maintains the unusual cipher hack that Sofacy began deploying in 2017 to hide away configuration details. Comparisons with cipher design and implementations we see in WhiteBear, earlier SPLM and Zebrocy modules tell a few things about design decisions and culture. And when specific malware sets are selectively deployed, that may tell us something about how efforts are divided.

SPLM full backdoor and plugins crypto and strings v4
973ff7eb7a5b720c5f6aafe4cd0469d5
Summary: SPLM is being carved up and delivered as memory-only chunks of compiled code. We observe the “retranslator” code, or ProcessRetranslator.dll, currently being delivered to systems without the presence of the previous, large, SPLM code and injection capabilities. The smaller plugins deployed in 2018 now maintain the same dynamic encryption code as the large 330kb full SPLM backdoors seen in more widespread use in 2017. Strings are well organized and concise.

Code and strings example (decrypted from 2018 “ProcessRetranslator.dll” plugin):

success command not correct
error save parameters
error set parameters for channel, see full info
command processing error
not correct command
command loading func/net module error
command unloading func/net module error
cmd.exe
Retranslator is now launched
Retranslator is now stopped
the process is destroyed
one thread has died so the process is killed too
create process failed on: (%s) , error (%d)
Retranslator is already running
Retranslator is not running
exit
command is successful
command is unsuccessful

SPLM crypto v3 (DNC hack)
cc9e6578a47182a941a478b276320e06
Summary: This earlier SPLM variant found on the DNC network in 2016 still maintains the internal name “splm.dll”, with only one export “init” that was called at runtime. The C++ structure of this 280kb+ dll is familiar SPLM/CHOPSTICK, but it maintains a completely different cipher for decrypting configuration data and error messages, etc. The loop performing the bulk of the work is less than 100 bytes, performing pointer arithmetic alongside a couple xor operations of a lower nibble against sequential bytes.

Here, the cipher uses a modolo pointer arithmetic along with a decryption key per blob. Reviewing all the older ciphers and newer EC based ciphers in openssl and elsewhere results in no match.

WhiteBear code and strings
Summary: WhiteBear is a cluster of activity targeting foreign embassies and MFA organizations, starting in early 2016 and continued into early 2017. Our private GReAT report on this activity pushed in February 2017, and a public report from another vendor described much of the same content almost seven months later as “Gayzer”. It appeared to be a parallel project to WhiteAtlas Turla, and maintained quirks like modular, well logged code with an elegant, professional RSA and 3DES encryption implementation and high quality code injection capabilities, but lots of immature and crude language and english mistakes. Clearly, english and maturity was not the developers’ native language.

While WhiteBear is Turla related, it is interesting to compare to other ongoing development styles. Strings and code are crass.

Debug and command strings

i cunt waiting anymore #%d
lights aint turnt off with #%d
Not find process
CMessageProcessingSystem::Receive_NO_CONNECT_TO_GAYZER
CMessageProcessingSystem::Receive_TAKE_LAST_CONNECTION
CMessageProcessingSystem::Send_TAKE_FIN

Zebrocy custom crypto
Summary: innovative .Net, AutoIT, Delphi, and powershell components are continually updated and deployed to new and old targets. Cryptography ranges from built-in windows api to custom RC4-based ciphers. Strings and code are simple, innovative, and concise.

Code:

Targeting Overlap and a Pivot to Asia
News headlines repeatedly trumpet Sofacy’s foray into Western targets in the US and Europe, especially those connected with NATO. But these efforts only tell a portion of the Sofacy story.

Delineating groups and activity can be messy, and there appears to be overlap in targeting efforts across varying groups in central and east asia throughout 2017 and into 2018. Sofacy has been heavily interested in military and foreign affairs organizations here, resulting in multiple overlapped and competing targeting scenarios:

Mosquito Turla and Zebrocy clusters – Zebrocy clusters targeting diplomatic and commercial organizations within Europe and Asia that match Mosquito targeting profiling
SPLM overlap with traditional Turla – often Turla precedes SPLM deployments
SPLM overlap with Zebrocy – Zebrocy often precedes SPLM deployments
SPLM overlap with Danti
Currently, Sofacy targets large air-defense related commercial organizations in China with SPLM, and moves Zebrocy focus across Armenia, Turkey, Kazahkstan, Tajikistan, Afghanistan, Mongolia, China, and Japan. A previous, removed, report from another vendor claimed non-specific information about the groups’ interest in Chinese universities, but that report has been removed – most likely detections were related to students’ and researchers’ scanning known collected samples and any “incidents” remain unconfirmed and unknown. On the other hand, this Chinese conglomerate designs and manufactures aerospace and air defense technologies, among many other enterprises. And here, an interest in military technologies is certainly within Sofacy purview.

So, even more interesting than the shift eastward and other targeting overlap, is that the specific target system in China was previously a Grey Lambert target. The Sofacy modules at this system appeared to never touch disk, and resemble the Linux Fysbis code. Only one maintained the Filesystem.dll code, while another maintained ProcessRetranslator.dll code. However, it is unusual that a full SPLM backdoor was not detected on this system, nor was any powershell loader script. Because the injection source remains unidentified on such a unique system, we might speculate on what is going on here:

Sofacy attackers had recorded a previous Grey Lambert remote session and replayed the communication after discovering this host, essentially compromising the Grey Lambert module on the system to gain access and later injecting SPLM modules
Grey Lambert attackers inserted false flag and reduced SPLM modules
a new and unrecognized, full variant of SPLM attempted to inject module code into memory and deleted itself
an unknown new powershell script or legitimate but vulnerable web app was exploited to load and execute this unusual SPLM code
In all likelihood, the last option is accurate.

Conclusion
Sofacy is such a large, active group that appears to maintain multiple sub-groups and efforts that all fit under the Sofacy “umbrella”. Sometimes, they share infrastructure, but more often they do not share infrastructure and appear to compete for access within targets. Either way, the group’s consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion.

SPLM did not change in substantial ways for several years, and now it is being split up and used for just functional modules. And much of the malware being deployed by Sofacy is quickly changed from C/C++ to .Net to powershell. Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well. It is easy to expect deliberate changes within this group in 2018, with even more .Net, Delphi, and powershell ports of various tools appearing at Sofacy targets throughout the year.

Technical Appendix
Early 2018 Reference Set
SPLM
452ed4c80c1d20d111a1dbbd99d649d5

ZEBROCY
efd8a516820c44ddbf4cc8ed7f30df9c
ff0e4f31a6b18b676b9518d4a748fed1

GAMEFISH
bd3e9f7e65e18bb9a7c4ff8a8aa3a784

GREY LAMBERT
86146d38b738d5bfaff7e85a23dcc53e

GREYWARE/PEN-TESTING NBTSCAN
f01a9a2d1e31332ed36c1a4d2839f412


The Slingshot APT FAQ
10.3.2018 Kaspersky  APT
While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim´s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

Why did you call the intruder Slingshot?
The name appears unencrypted in some of the malicious samples – it is the name of one of the threat actor’s components, so we decided to extend it to the APT as a whole.

When was Slingshot active?
The earliest sample we found was compiled in 2012 and the threat was still active in February 2018.

How did the threat attack and infect its victims?
Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable – and, to the best of our knowledge, unique.

We believe that most of the victims we observed appeared to have been initially infected through a Windows exploit or compromised Mikrotik routers.

How exactly does infection happen?
The exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.

One of them – ipv4.dll – has been placed by the APT with what is, in fact, a downloader for other malicious components. Winbox Loader downloads this ipv4.dll library to the target’s computer, loads it in memory and runs it.

This DLL then connects to a hardcoded IP and port (in every cases we saw it was the router’s IP address), downloads the other malicious components and runs them.

To run its code in kernel mode in the most recent versions of operating systems, that have Driver Signature Enforcement, Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities. .

Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications.

Canhadr, also known as NDriver, contains low-level routines for network, IO operations and so on. Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen – a remarkable achievement. Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.

Are Mikrotik the only affected routers?
Some victims may have been infected through other routes. During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components.

Did you inform the affected vendor?
Although the available intelligence is limited and we are not sure what kind of exploit was used to infect routers, we provided Mikrotik with all information available.

What can users of Mikrotik routers do to protect themselves?
Users of Mikrotik routers should upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. Further, Mikrotik Winbox no longer downloads anything from the router to the user’s computer.

What are the advantages of achieving kernel mode?
It gives intruders complete control over the victim computer. In kernel mode malware can do everything. There are no restrictions, no limitations, and no protection for the user (or none that the malware can’t easily bypass).

What kind of information does Slingshot appear to be looking for?
Slingshot’s main purpose seems to be cyber-espionage. Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard and more, although its kernel access means it can steal whatever it wants.

But with full access to the kernel part of the system, it can steal whatever it wants – credit card numbers, password hashes, social security account numbers – any type of data.

How did Slingshot avoid detection?
The threat actor combined a number of known approaches to protect it very effectively from detection: including encrypting all strings in its modules, calling system services directly in order to bypass security-product hooks, using a number of Anti-bug techniques, and more.

Further, it can shut down its components, but ensure they complete their tasks before closing. This process is triggered when there are signs of an imminent in-system event, such as a system shutdown, and is probably implemented to allow user-mode components of the malware to complete their tasks properly to avoid detection during any forensic research.

You said that it disables disk defragmentation module in Windows OS. Why?
This APT uses its own encrypted file system and this can be located among others in an unused part of a hard drive. During defragmentation, the defrag tool relocates data on disk and this tool can write something to sectors where Slingshot keeps its file systems (because the operating system thinks these sectors are free). This will damage the encrypted file system. We suspect that Slingshot tries to disable defragmentation of these specific areas of the hard drive in order to prevent this from happening.

How does it exfiltrate data?
The malware exfiltrates data through standard networks channels, hiding the traffic being extracted by hooking legitimate call-backs, checking for Slingshot data packages and showing the user (and users’ programs like sniffers and so on) clear traffic without exfiltrated data.

Does it use exploits to zero-day vulnerabilities? Any other exploits?
We haven’t seen Slingshot exploit any zero-days, but that doesn’t mean that it doesn’t – that part of a story is still unclear for us. But it does exploit known vulnerabilities in drivers to pass executable code into kernel mode. These vulnerabilities include CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.

What is the victim profile and target geography?
So far, researchers have seen around 100 victims of Slingshot and its related modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of the victims appear to be targeted individuals rather than organizations, but there are some government organizations and institutions. Kenya and the Yemen account for most of the victims observed to date.

What do we know about the group behind Slingshot?
The malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has existed for a considerable length of time. The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized and professional and probably state-sponsored.

Text clues in the code suggest it is English-speaking. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers has been seen before in other malware, such as White and Grey Lambert. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.


APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware
10.3.2018 thehackernews APT

Security researchers at Kaspersky have identified a sophisticated APT hacking group that has been operating since at least 2012 without being noticed due to their complex and clever hacking techniques.
The hacking group used a piece of advanced malware—dubbed Slingshot—to infect hundreds of thousands of victims in the Middle East and Africa by hacking into their routers.
According to a 25-page report published [PDF] by Kaspersky Labs, the group exploited unknown vulnerabilities in routers from a Latvian network hardware provider Mikrotik as its first-stage infection vector in order to covertly plant its spyware into victims' computers.


Although it is unclear how the group managed to compromise the routers at the first place, Kaspersky pointed towards WikiLeaks Vault 7 CIA Leaks, which revealed the ChimayRed exploit, now available on GitHub, to compromise Mikrotik routers.
Once the router is compromised, the attackers replace one of its DDL (dynamic link libraries) file with a malicious one from the file-system, which loads directly into the victim’s computer memory when the user runs Winbox Loader software.

Winbox Loader is a legitimate management tool designed by Mikrotik for Windows users to easily configure their routers that downloads some DLL files from the router and execute them on a system.
This way the malicious DLL file runs on the targeted computer and connects to a remote server to download the final payload, i.e., Slingshot malware.
Slingshot malware includes two modules—Cahnadr (a kernel mode module) and GollumApp (a user mode module), designed for information gathering, persistence and data exfiltration.


Cahnadr module, aka NDriver, takes care of anti-debugging, rootkit and sniffing functionality, injecting other modules, network communications—basically all the capabilities required by user-mode modules.
"[Cahnadr is a] kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen—a remarkable achievement," Kaspersky says in its blog post published today.
"Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection."
Whereas GollumApp is the most sophisticated module which has a wide range of spying functionalities that allow attackers to capture screenshots, collect network-related information, passwords saved in web browsers, all pressed keys, and maintains communication with remote command-and-control servers.

Since GollumApp runs in kernel mode and can also run new processes with SYSTEM privileges, the malware gives attackers full control of the infected systems.
Although Kaspersky has not attributed this group to any country but based on clever techniques it used and limited targets, the security firm concluded that it is definitely a highly skilled and English-speaking state-sponsored hacking group.
"Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable—and, to the best of our knowledge, unique," the researchers say.
The victims include most of the times individuals and some government organizations across various countries including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.


North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware
10.3.2018 securityaffairs APT

McAfee Advanced Threat Research team discovered that the Hidden Cobra APT group is targeting financial organizations in Turkey.
North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system.

Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted by Hidden Cobra against the global payment network SWIFT.

Bankshot was first reported by the US DHS in December, now new variants of the malicious code were observed in the wild The sample analyzed by McAfee is 99% similar to the variants detected in 2017.

The hackers used spear-phishing messages with a weaponized Word document containing an embedded Flash exploit that triggers the CVE-2018-4878, Flash vulnerability that was disclosed in late January.

Adobe promptly patched the vulnerability with an emergency patch, but many computers are still vulnerable because the owners did not apply the patch,

According to McAfee, the implant’s first target was a major government-controlled financial organization that was targeted on March 2 and 3.

Later, the same malware implant infected a Turkish government organization involved in finance and trade and a large financial institution.

The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations.

The attackers leveraged the Flash exploit to deliver the Bankshot RAT.

“Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity.” reads the analysis published by McAfee.

“The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. “

Spear phishing messaged used a Word document with the filename Agreement.docx, that appears as a template for Bitcoin distribution.

Hidden Cobra bait document

When the open it, the code it contains download malicious DLLs from falcancoin.io domain.

Experts discovered that the DLLs communicate with three control servers whom URLs are hardcoded in the implants’ code.

“The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code” continues McAfee.

The malicious code is able to perform several malicious operations, including file deletion, process injection, and exfiltration over command and control channel.

Further details, included the Indicators of Compromise (IoCs) are included in the analysis.


Sofacy Attacks Overlap With Other State-Sponsored Operations
9.3.2018 securityweek BigBrothers  APT 
Attack

Kurt Baumgartner details latest Sofacy attacks at Kaspersky SAS

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - Attacks carried out by a Russian threat group appear to overlap with campaigns conducted by other cyberspies, including ones linked by researchers to China and the United States.

Kaspersky Lab revealed last month that the Russian threat actor known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium had shifted its focus from NATO member countries and Ukraine to Central Asia and further east, including China.

On Friday, at Kaspersky’s Security Analyst Summit (SAS), researcher Kurt Baumgartner revealed that the group appears to be particularly interested in military, defense and diplomatic entities in the far east.

Baumgartner also revealed that the attacks launched by Sofacy sometimes overlap with the operations of other state-sponsored cyberspies in terms of victims.

For instance, researchers discovered Sofacy’s Zerbrocy malware on machines that had also been compromised by Mosquito, a backdoor associated with Turla, a different threat actor linked to Russia. Shared victims include diplomatic and commercial organizations in Europe and Asia.

Sofacy’s SPLM malware (aka CHOPSTICK and X-Agent) was found on devices that had also been infected with other Turla malware, which often precedes SPLM.

SPLM has also been spotted on the same systems as malware known to have been used by a China-linked actor known as Danti.

According to Kaspersky, overlaps were generally found on systems belonging to government, technology, science, and military organizations in or based in Central Asia.

Another interesting overlap was between Sofacy and the English-speaking Lamberts group, which is also known as Longhorn. Security firms revealed last year that this cyber espionage group had been using some of the Vault 7 tools leaked by WikiLeaks. These tools are believed to have been developed and used by the U.S. Central Intelligence Agency (CIA).

Kaspersky said it had identified Sofacy backdoors and malware associated with the Lamberts, specifically Grey Lambert, on a server belonging to a military and aerospace conglomerate in China.

Researchers admit, however, that the presence of both Lamberts and Sofacy malware on the server could simply mean that the former planted a false flag, considering that the original delivery vector for the Sofacy tool remains unknown. It’s also possible that the Russian group exploited a previously unknown vulnerability, or that it somehow harnessed the Grey Lambert malware to download its own tools. The most likely scenario, according to experts, is that the Sofacy malware was delivered using an unknown PowerShell script or a legitimate app in which the attackers discovered a flaw.

“Sofacy is sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured and agile. Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets,” Baumgartner said. “As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks.”

Kaspersky recently spotted the SPLM malware being used in an attack aimed at major air defense organization in China, while the Zebrocy tool has been used in high volume campaigns targeting entities in Armenia, Turkey, Tajikistan, Kazakhstan, Afghanistan, Mongolia, Japan and China.


New North Korea-linked Cyberattacks Target Financial Institutions
9.3.2018 securityweek APT

New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey

Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network.

An analysis published by senior analyst of major campaigns, Ryan Sherstobitoff, says McAfee believes this operation is intended to gain access to specific Turkish financial organizations via targeted spear-phishing, using a weaponized Word document containing an embedded Flash exploit. The Flash vulnerability only surfaced at the end of January 2018, but is thought to have been exploited by North Korean actors since mid-November 2017. It was patched by Adobe within a week; but any computer that has not yet updated Flash to the latest version will remain vulnerable.

McAfee's report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack -- which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim's system.

Nortk Korea FlagUS-CERT issued a malware analysis report (MAR) on Bankshot (PDF) in December 2017. It describes it as malware used by the North Korean government, whose cyber activity is conducted by actors it calls Hidden Cobra. McAfee says the variant it has analyzed "is 99% similar to the documented Bankshot variants from 2017."

In the spear-phishing campaign, the Bankshot implant was associated with a Word document with the filename Agreement.docx. It masquerades as an agreement template for Bitcoin distribution. Once activated, malicious DLLs are downloaded from falcancoin.io -- a lookalike domain name to the legitimate cryptocurrency-lending platform Falcon Coin.

The DLLs communicate with three control servers (the URLs are hardcoded in the implants' code), two of them Chinese-language online gambling sites. Based on the response received from the control server, the malware can carry out a wide range of malicious tasks centered on gathering system data and controlling system processes. It also contains two methods of file deletion capable of erasing evidence of presence and other destructive actions. After every action, the malware sends a response to the control server indicating whether the action was successful.

Hidden Cobra has been linked to several attacks against financial institutions. "This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript," writes Sherstobitoff. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector."

North Korean actors are credited with the 2015/2016 attacks on the SWIFT network. No evidence was found to suggest that this version is designed to conduct financial transactions; "rather," writes Sherstobitoff, "it is a channel into the victim's environment, in which further stages of implants can be deployed for financial reconnaissance."

McAfee is confident that it has uncovered a new Hidden Cobra (ie, North Korean government) reconnaissance campaign against Turkish financial institutions. In February, the Winter Olympic Games held in South Korea were hit by cyber-attacks dubbed Olympic Destroyer. Many commentators assumed the attacks came from North Korea -- an assumption supported by indicators within the malware.

By mid-February, Recorded Future warned against hasty attribution for Olympic Destroyer, despite the presence of code fragments previously used by North Korean actors. "The co-occurrence of code overlap in the malware," wrote Recorded Future, "may be indicative of a false flag operation, attempting to dilute evidence and confuse researchers."

More recently, Kaspersky Lab concluded that despite the presence of a unique fingerprint tying Olympic Destroyer to Lazarus (Hidden Cobra), there is other evidence suggesting the involvement of the Russian group known as Sofacy or APT28. One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its own campaigns on Russian actors.

Given the relative ease and increasing frequency of so-called 'false flag' cyber-attacks, SecurityWeek asked McAfee how certain it is that Hidden Cobra is the group behind the Turkish attacks. "McAfee takes attribution very seriously," relied Ryan Sherstobitoff. "As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators. While the private sector can rarely claim 100% confidence in attack attribution without access to the same resources possessed by government and law enforcement agencies, we can say that the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra by the United States Government, are very strong indicators of the acting group."

"We have found," concludes McAfee, "what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries)." It warns that the attack has a high chance of success against victims with an unpatched version of Flash. "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal."


Olympic Destroyer, alleged artifacts and false flag make attribution impossible
9.3.2018 securityaffairs
Attack  APT

According to Kaspersky Lab, threat actors behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malicious code.
On February 9, shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

Hackers used the so-called Olympic Destroyer, a strain of malware that allowed the attackers to wipe files and make systems inoperable.

olympic destroyer

Experts discovered that the malware leverages the EternalRomance NSA exploit to spread via the SMB protocol.

Initially, experts blamed North Korea for the attack, later intelligence officers attributed the cyber attack to Russia.

According to Talos team, there are many similarities between the Pyeongchang attack, which they are dubbing ‘Olympic Destroyer”’, and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on destruction and disruption of equipment not exfiltration of data or other, more subtle attacks. Using legitimate tools such as PsExec and WMI the attackers are specifically targeting the pyeongchang2018.com domain attempting to steal browser and system credentials to move laterally in the network and then wiping the victim computer to make it unusable.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.” reads the analysis published by Talos.

Kaspersky experts found samples of the malware at several ski resorts in South Korea, even if they analyzed the malicious code they were not able to attribute the attack to a specific actor.

olympic destroyer 2

The experts identified a unique “fingerprint” associated with the North Korea-linked Lazarus APT, but other evidence collected by the experts revealed important inconsistencies suggesting a false flag operation.

“What we discovered next brought a big shock. Using our own in-house malware similarity system we have discovered a unique pattern that linked Olympic Destroyer to Lazarus. A combination of certain code development environment features stored in executable files, known as Rich header, may be used as a fingerprint identifying the malware authors and their projects in some cases. In case of Olympic Destroyer wiper sample analyzed by Kaspersky Lab this “fingerprint” gave a 100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab.” reads the analysis published by Kaspersky.

Kaspersky also found evidence that would suggest the malicious code was developed by the Russia-linked Sofacy APT (aka Pawn Storm, Fancy Bear, APT28, Sednit, Tsar Team, and Strontium.).

“we have seen attackers using NordVPN and MonoVM hosting. Both services are available for bitcoins, which make them the perfect tool for APT actors. This and several other TTPs have in the past been used by the Sofacy APT group, a widely known Russian-language threat actor.” continues Kaspersky.

Is it possible that Russian APT attempted to frame Lazarus? Maybe.

Another possible scenario sees Lazarus using false flag in the Olympics attack.

“There are some open questions about the attacker’s motivation in this story. We know that the attackers had administrative accounts in the affected networks. By deleting backups and destroying all local data they could have easily devastated the Olympic infrastructure. Instead, they decided to do some “light” destruction: wiping files on Windows shares, resetting event logs, deleting backups, disabling Windows services and rebooting systems into an unbootable state.” concluded Kaspersky.

“When you add in the multiple similarities to TTPs used by other actors and malware, intentional false flags and relatively good opsec, it merely raises more questions as to the purpose of all this.”

This case demonstrates the difficulty in the attribution of APT attacks.


Sophisticated False Flags Planted in Olympic Destroyer Malware
8.3.2018 securityweek
Virus  APT

Hackers Behind Olympic Destroyer Malware Used Sophisticated False Flag to Trick Researchers

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The hackers behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malware in an effort to trick researchers, Kaspersky Lab revealed on Thursday.

The Olympic Winter Games in Pyeongchang, South Korea, was hit by a cyberattack that caused temporary disruption to IT systems, including the official Olympics website, display monitors, and Wi-Fi connections. The attack involved Olympic Destroyer, a piece of malware designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. Compromised credentials are used to spread to other machines on the network.

Kaspersky has also spotted infections at several ski resorts in South Korea. The malware, which leverages a leaked NSA exploit known as EternalRomance to spread via the SMB protocol, temporarily disrupted ski gates and lifts at the affected resorts.

Several cybersecurity firms launched investigations into the Olympic Destroyer attack shortly after the news broke, and while they mostly agreed on the malware’s functionality, they could not agree on who was behind the operation. Some pointed the finger at North Korea, while others blamed China or Russia, leading some industry professionals to warn against this type of knee-jerk attribution.

Kaspersky researchers also analyzed the Olympic Destroyer worm in an effort to determine who was behind the attack. While they have’t been able to identify the culprit, experts have found some interesting clues.

The security firm has found a unique “fingerprint” associated with the notorious Lazarus Group, which has been linked to North Korea and blamed for high profile attacks such as the one on Sony, the WannaCry campaign, and various operations targeting financial organizations.

This fingerprint was a 100% match to known Lazarus malware components and it did not appear in any other files from Kaspersky’s database. While this piece of evidence and the type of attack suggested that Olympic Destroyer could be the work of North Korea, other data gathered by researchers as a result of an on-site investigation at a South Korean target revealed inconsistencies.

Experts determined that the unique fingerprint was likely a sophisticated false flag planted by the attackers to throw investigators off track.

“To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artifact is very hard to prove,” explained Vitaly Kamluk, head of the APAC research team at Kaspersky. “It’s as if a criminal had stolen someone else’s DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are willing to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.”

In addition to this apparent link to North Korea, Kaspersky has found evidence that would suggest the involvement of the notorious group known as Sofacy, Fancy Bear, APT28 and Pawn Storm, which is widely believed to be sponsored by the Russian government.

One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its campaigns on Russian actors. It’s also possible that the false flag used in the Olympics attack is part of the hackers’ efforts to improve their deception techniques.

Links to China have been found by Intezer, which specializes in recognizing code reuse. Its analysis led to the discovery of numerous code fragments uniquely linked to threat groups tracked as APT3, APT10 and APT12.


Iran-Linked Chafer Group Expands Toolset, Targets List
2.3.2018 securityweek  APT
The Iran-based targeted attack group known as "Chafer" has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns.

Last year, the group engaged in a series of ambitious new attacks, hitting a major telecom companies in the Middle East and also attempting to attack a major international travel reservations firm. Active since at least July 2014 and already detailed a couple of years ago, Chafer is mainly focused on surveillance operations and the tracking of individuals.

During 2017, the group used seven new tools, rolled out new infrastructure, and hit nine new organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Targets included airlines, aircraft services, software and IT services firms serving the air and sea transport sectors, telecoms, payroll services, engineering consultancies, and document management software companies.

The group also targeted an African airline and attempted to compromise an international travel reservations firm, Symantec discovered.

Last year, Chafer compromised a telecoms services provider in the Middle East, a company that sells solutions to multiple telecom operators in the region. The compromise could have potentially allowed the attackers to carry out surveillance on a vast pool of end-users.

In attacks observed in 2015, the group was attacking the web servers of organizations, likely through SQL injection attacks. Last year, the group also started using malicious documents to drop malware, likely sent via spear-phishing emails to individuals working in targeted organizations.

Said documents were Excel spreadsheets carrying a malicious VBS file that would run a PowerShell script to execute a dropper on the compromised machine. In turn, the dropper would install an information stealer, a screen capture utility, and an empty executable.

The screen capture tool only had a role in the initial information gathering stage, the information stealer targeted the contents of the clipboard, took screenshots, recorded keystrokes, and stole files and user credentials. Next, the attackers would download additional tools onto the infected computer and attempted lateral movement on the victim’s network.

Recently, Chafer employed seven new tools in addition to the malware already associated with the group. Most of these tools, Symantec points out, are freely available, off-the-shelf tools that have been put to a malicious use.

These include Remcom, an open-source alternative to PsExec; Non-sucking Service Manager (NSSM), an open-source alternative to the Windows Service Manager; a custom screenshot and clipboard capture tool; SMB hacking tools, including the EternalBlue exploit; GNU HTTPTunnel, an open-source tool to create a bidirectional HTTP tunnel on Linux computers; UltraVNC, an open-source remote administration tool for Windows; and NBTScan, a free tool for scanning IP networks for NetBIOS name information.

Additionally, the group continued to use tools such as its own custom backdoor Remexi, PsExec, Mimikatz, Pwdump, and Plink.

Chafer apparently used the tools in concert to traverse targeted networks. NSSM was recently adopted for persistence and to install a service to run Plink, which opens reverse SSH sessions to presumably gain RDP access to the compromised computer. Next, PsExec, Remcom, and SMB hacking tools are leveraged for lateral movement.

The new infrastructure used in recent attacks included the domain win7-updates[.]com as a command and control (C&C) address, along with multiple IP addresses, though it’s unclear whether these were leased or hijacked. On a staging server apparently used by the attackers, the researchers found copies of many of the group’s tools.

According to Symantec, Chafer’s activities have some links to Oilrig, another Iran-based cyberespionage group. Both appear to be using the same IP address for C&C address, as well as a similar infection vector, an Excel document dropping a malicious VBS file referencing to the same misspelled file path.

While this could suggest that the two groups are one and the same, there isn’t enough evidence to support that hypothesis, Symantec says. More likely, the “two groups are known to each other and enjoy access to a shared pool of resources,” the researchers suggest.

Chafer’s recent activities show not only that the group remains highly active, but also that it has become more audacious in its choice of targets. Similar to other targeted attack groups, it has been relying on freely available software tools for malicious activities, and also moved to supply chain attacks, which are more time consuming and more likely to be discovered.

“These attacks are riskier but come with a potentially higher reward and, if successful, could give the attackers access to a vast pool of potential targets,” Symantec concludes.


Russia-linked Hackers Directly Targeting Diplomats: Report
2.3.2018 securityweek  APT

The Russia-linked cyber espionage group Sofacy has been targeting foreign affairs agencies and ministries worldwide in a recently discovered campaign, Palo Alto Networks warns.

The hacking group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Strontium, has been highly active recently, and new evidence shows activity directly targeting diplomats in North America and Europe, including those at a European embassy in Moscow.

Sofacy was supposedly behind the attacks on the 2016 United States presidential election, but also hit Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, when it even used zero-day exploits, but then started to shift its focus towards the Middle East and Central Asia.

Palo Alto Networks has now uncovered two parallel efforts within a new Sofacy campaign, each using its own set of tools for attacks. One of the efforts was observed in the beginning of February 2018 to use phishing emails as the attack vector, to target an organization in Europe and another in North America.

The message spoofed the sender address of Jane’s by IHSMarkit, a well-known supplier of information and analysis. The email carried an attachment claiming to be a calendar of events relevant to the targeted organizations, but was a Microsoft Excel spreadsheet containing a malicious macro script.

The attackers used a white font color to hide the content of the document to the victim and lure them into enabling macros. Once that happens, the script changes the text color to black.

The macro also retrieves content from several cells to obtain a base64 encoded payload, writes it to a text file in the ProgramData folder, and leverages the command certutil -decode to decode the contents to an .exe file, which it runs after two seconds.

The executable is a loader Trojan that decrypts an embedded payload (DLL) and saves it to a file. Next, it creates a batch file to run the DLL payload, and writes the path to the batch file to a registry key, for persistence.

The installed malware is a variant of SofacyCarberp, which has been extensively used by the threat group in attacks. The malware performs initial reconnaissance by gathering system information, then sends the data to the command and control (C&C) server and fetches additional tools.

Both the loader and the SofacyCarberp variant used in the attack are similar to samples previously analyzed, yet they include several differences, such as a new hashing algorithm to resolve API functions and find browser processes for injection, and modified C&C communication mechanisms.

The security researchers also believe the group may have used the Luckystrike open-source tool to generate the malicious document and/or the macro, as the macro in the document closely resembles those found within the Microsoft PowerShell-based tool. The only difference between the two, besides random function name and random cell values, would be the path to the “.txt” and “.exe” files.

The security researchers also noticed that the Sofacy group registered new domains as part of the campaign, but that it used a default landing page they employed in other attacks as well. The domain used in this attack, cdnverify[.]net was registered on January 30, 2018.

“No other parts of the C&C infrastructure amongst these domains contained any overlapping artifacts. Instead, the actual content within the body of the websites was an exact match in each instance,” Palo Alto notes.

“The Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. This leads us to believe that their attack attempts are likely still succeeding, even with the wealth of threat intelligence available in the public domain,” Palo Alto concludes.


DPA Report: Russia-linked APT28 group hacked Germany’s government network
1.3.2018 securityaffairs APT  BigBrothers

Germany Government confirmed that hackers had breached its computer network and implanted a malware that was undetected for one year.
German news agency DPA reported that Russian hackers belonging to the APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium) have breached Germany’s foreign and interior ministries’ online networks.

The agency, quoting unnamed security sources, revealed that the APT28 hackers planted malware in the ministries’ networks. The malicious code was undetected as long as a year.

“A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.” reported the ABCnews.

The German Government discovered the intrusion in December but the experts believe that the hackers were inside the networks as long as a year. The DPA also added that hackers were able to penetrate an isolated government IT network.

“within the federal administration the attack was isolated and brought under control.” said the Interior Ministry that also confirmed an ongoing investigation.

“This case is being worked on with the highest priority and considerable resources,” the ministry added.

The hackers exfiltrated 17 gigabytes of data that could be used in further attacks against the German Government.

APT28 targets Germany

This isn’t the first time that Russia-linked APT28 was blamed for a cyber attack against Germany, in 2015 the APT group hacked into the systems of the German Parliament.

What will happen in the future?

Top German intelligence officials are requesting to the government to hack back attackers in case of a cyber attack from a foreign government


A Slice of 2017 Sofacy Activity
25.2.2018 Kaspersky
Phishing  APT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.

This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.

In 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.

Sofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. And later 2016, their focus turned towards the Olympics’ and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like “anonpoland”, and data from victimized organizations were similarly leaked and “weaponized”.

This write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.
 

Dealer’s Choice
The beginning of 2017 began with a slow cleanup following the Dealer’s Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their carberp based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer’s Choice spearphish. Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests.

In multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:
 

The global reach that coincided with this focus on NATO and the Ukraine couldn’t be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017.
AM, AZ, FR, DE, IQ, IT, KG, MA, CH, UA, US, VN

DealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:
TR, PL, BA, AZ, KR, LV, GE, LV, AU, SE, BE

0day Deployment(s)
Sofacy kicked off the year deploying two 0day in a spearphish document, both a Microsoft Office encapsulated postscript type confusion exploit (abusing CVE-2017-0262) and an escalation of privilege use-after-free exploit (abusing CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming “Trump’s_Attack_on_Syria_English.docx”. Again, this deployment was likely a part of their focus on NATO targets.

Light SPLM deployment in Central Asia and Consistent Infrastructure
Meanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.

Targeting included TR, KZ, AM, KG, JO, UK, UZ
 

Heavy Zebrocy deployments
Since mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as “Zebrocy” and had written a few reports on its usage and development by June 2017 – Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled Autoit script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Targeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:</p style=”margin-bottom:0!important”>

Business accounting practices and standards
Science and engineering centers
Industrial and hydrochemical engineering and standards/certification
Ministry of foreign affairs
Embassies and consulates
National security and intelligence agencies
Press services
Translation services
NGO – family and social service
Ministry of energy and industry
We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions:</p style=”margin-bottom:0!important”>

.doc
.docx
.xls
.xlsx
.ppt
.pptx
.exe
.zip
.rar
At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method.
 

Zebrocy spearphishing targets:
AF, AM, AU, AZ, BD, BE, CN, DE, ES, FI, GE, IL, IN, JO, KW, KG, KZ, LB, LT, MN, MY, NL, OM, PK, PO, SA, ZA, SK, SE, CH, TJ, TM, TR, UA, UAE, UK, US, UZ

SPLM deployment in Central Asia
SPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted http (and sometimes smtp) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.

The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy selectively used SPLM/CHOPSTICK modules as second stage implants to high interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems and maintaining functionality that was originally present within the main module.

The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations’ presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.

Minor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.

Targets: TR, KZ, BA, TM, AF, DE, LT, NL

SPLM/CHOPSTICK/XAgent Modularity and Infrastructure
This subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.

Infrastructure Notes
Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.

As always, attackers make mistakes and give away hints about what providers and registrars they prefer. It’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.

Accordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on “8569985.securefastserver[.]com” with an email address “root@8569985.securefastserver[.]com”, as seen here for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.
 

In addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.

Conclusion
Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018.

With a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.

Technical Appendix
Related md5
8f9f697aa6697acee70336f66f295837
1a4b9a6b321da199aa6d10180e889313
842454b48f5f800029946b1555fba7fc
d4a5d44184333442f5015699c2b8af28
1421419d1be31f1f9ea60e8ed87277db
b1d1a2c64474d2f6e7a5db71ccbafa31
953c7321c4959655fdd53302550ce02d
57601d717fcf358220340675f8d63c8a
02b79c468c38c4312429a499fa4f6c81
85cd38f9e2c9397a18013a8921841a04
f8e92d8b5488ea76c40601c8f1a08790
66b4fb539806ce27be184b6735584339
e8e1fcf757fe06be13bead43eaa1338c
953c7321c4959655fdd53302550ce02d
aa2aac4606405d61c7e53140d35d7671
85cd38f9e2c9397a18013a8921841a04
57601d717fcf358220340675f8d63c8a
16e1ca26bc66e30bfa52f8a08846613d
f8e92d8b5488ea76c40601c8f1a08790
b137c809e3bf11f2f5d867a6f4215f95
237e6dcbc6af50ef5f5211818522c463
88009adca35560810ec220544e4fb6aa
2163a33330ae5786d3e984db09b2d9d2
02b79c468c38c4312429a499fa4f6c81
842454b48f5f800029946b1555fba7fc
d4a5d44184333442f5015699c2b8af28
b88633376fbb144971dcb503f72fd192
8f9f697aa6697acee70336f66f295837
b6f77273cbde76896a36e32b0c0540e1
1a4b9a6b321da199aa6d10180e889313
1421419d1be31f1f9ea60e8ed87277db
1a4b9a6b321da199aa6d10180e889313
9b10685b774a783eabfecdb6119a8aa3
aa34fb2e5849bff4144a1c98a8158970
aced5525ba0d4f44ffd01c4db2730a34
b1d1a2c64474d2f6e7a5db71ccbafa31
b924ff83d9120d934bb49a7a2e3c4292
cdb58c2999eeda58a9d0c70f910d1195
d4a5d44184333442f5015699c2b8af28
d6f2bf2066e053e58fe8bcd39cb2e9ad
34dc9a69f33ba93e631cd5048d9f2624
1c6f8eba504f2f429abf362626545c79
139c9ac0776804714ebe8b8d35a04641
e228cd74103dc069663bb87d4f22d7d5
bed5bc0a8aae2662ea5d2484f80c1760
8c3f5f1fff999bc783062dd50357be79
5882a8dd4446abd137c05d2451b85fea
296c956fe429cedd1b64b78e66797122
82f06d7157dd28a75f1fbb47728aea25
9a975e0ddd32c0deef1318c485358b20
529424eae07677834a770aaa431e6c54
4cafde8fa7d9e67194d4edd4f2adb92b
f6b2ef4daf1b78802548d3e6d4de7ba7
ede5d82bb6775a9b1659dccb699fadcb
116d2fc1665ce7524826a624be0ded1c
20ff290b8393f006eaf4358f09f13e99
4b02dfdfd44df3c88b0ca8c2327843a4
c789ec7537e300411d523aef74407a5e
0b32e65caf653d77cab2a866ee2d9dbc
27faa10d1bec1a25f66e88645c695016
647edddf61954822ddb7ab3341f9a6c5
2f04b8eb993ca4a3d98607824a10acfb
9fe3a0fb3304d749aeed2c3e2e5787eb
62deab0e5d61d6bf9e0ba83d9e1d7e2b
86b607fe63c76b3d808f84969cb1a781
f62182cf0ab94b3c97b0261547dfc6cf
504182aaa5575bb38bf584839beb6d51
d79a21970cad03e22440ea66bd85931f

Related domains
nethostnet[.]com
hostsvcnet[.]com
etcrem[.]net
movieultimate[.]com
newfilmts[.]com
fastdataexchange[.]org
liveweatherview[.]com
analyticsbar[.]org
analyticstest[.]net
lifeofmentalservice[.]com
meteost[.]com
righttopregnantpower[.]com
kiteim[.]org
adobe-flash-updates[.]org
generalsecurityscan[.]com
globalresearching[.]org
lvueton[.]com
audiwheel[.]com
online-reggi[.]com
fsportal[.]net
netcorpscanprotect[.]com
mvband[.]net
mvtband[.]net
viters[.]org
treepastwillingmoment[.]com
sendmevideo[.]org
satellitedeluxpanorama[.]com
ppcodecs[.]com
encoder-info[.]tk
wmdmediacodecs[.]com
postlkwarn[.]com
shcserv[.]com
versiontask[.]com
webcdelivery[.]com
miropc[.]org
securityprotectingcorp[.]com
uniquecorpind[.]com
appexsrv[.]net
adobeupgradeflash[.]com


Iran-linked group OilRig used a new Trojan called OopsIE in recent attacks
24.2.2018 securityaffairs BigBrothers  APT

According to malware researchers at Palo alto Networks, the Iran-linked OilRig APT group is now using a new Trojan called OopsIE.
The Iran-linked OilRig APT group is now using a new Trojan called OopsIE, experts at Palo Alto Networks observed the new malware being used in recent attacks against an insurance agency and a financial institution in the Middle East.

One of the attacks relied on a variant of the ThreeDollars delivery document, the same malicious document was sent by the threat actor to the UAE government to deliver the ISMInjector Trojan.

In the second attack detected by PaloAlto, the OilRig hackers attempted to deliver the malicious code via a link in a spear phishing message.

“On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial institution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE.” reads the analysis from Palo Alto Networks.

The first attack occurred on January 8, 2018, the hackers sent two emails to two different email addresses at the target organization within a six minutes time span. Attackers spoofed the email address associated with the Lebanese domain of a major global financial institution.

OilRig launched another attack on January 16, in this case, the attackers downloaded the OopsIE Trojan from the command and control (C&C) server directly. The same organization was hit by OilRig for the second time, the first attacks occurred in 2017.

The researchers explained that the malware is packed with SmartAssembly and obfuscated with ConfuserEx.

The hackers gain persistence by creating a VBScript file and a scheduled task to run itself every three minutes. The OopsIE Trojan communicates with the C&C over HTTP by using the InternetExplorer application object.

“By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. The OopsIE Trojan is configured to use a C2 server hosted at:

www.msoffice365cdn[.]com” states the analysis.

“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon”

OilRig

The Trojan can run a command, upload a file, or download a specified file.

Oilrig will continue to adapt its tactics, the experts believe that it will remain a highly active threat actor in the Middle East region.

“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.


Russia-linked Sofacy APT group shift focus from NATO members to towards the Middle East and Central Asia
22.2.20218 securityaffairs APT

Experts from Kaspersky highlighted a shift focus in the Sofacy APT group’s interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.
The Russia-linked APT28 group (aka Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium.) made the headlines again, this time security experts from Kaspersky highlighted a shift focus in their interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

“Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017.” states Kaspersky.

The experts analyzed the infections of the Sofacy backdoor tracked as SPLM, CHOPSTICK and X-Agent, the APT group had been increasingly targeting former Soviet countries in Central Asia. The hackers mostly targeted telecoms companies and defense-related organization, primary target were entities in Turkey, Kazakhstan, Armenia, Kyrgyzstan, Jordan and Uzbekistan.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

Sofacy APT

“This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants.” states Kaspersky.

“This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.”

The Zebrocy tool was used by attackers to collect data from victims, researchers observed its involvement in attacks on accounting firms, science and engineering centers, industrial organizations, ministries, embassies and consulates, national security and intelligence agencies, press and translation services, and NGOs.

The researchers highlighted that the attack infrastructure used in the last attacks pointed to the Sofacy APT, the group has been fairly consistent throughout even if their TTPs were well documented by security firms across the years. Researchers at Kaspersky expect to see some significant changes this year.

“Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.” continues Kaspersky.

Further details are included in the analysis published by Kaspersky, including Indicators of Compromise (IOCs).


North Korean APT Group tracked as APT37 broadens its horizons
21.2.2018 securityweek APT

Researchers at FireEye speculate that the APT group tracked as APT37 (aka Reaper, Group123, ScarCruft) operated on behalf of the North Korean government.
Here we are to speak about a nation-state actor dubbed APT37 (aka Reaper, Group123, ScarCruft) that is believed to be operating on behalf of the North Korean government.

APT37 has been active since at least 2012, it made the headlines in early February when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

FireEye linked the APT37 group to the North Korean government based on the following clues:

the use of a North Korean IP;
malware compilation timestamps consistent with a developer operating in the North Korea time
zone (UTC +8:30) and follows what is believed to be a typical North Korean workday;
objectives that align with Pyongyang’s interests(i.e. organizations and individuals involved in Korean
Peninsula reunification efforts);
Researchers from FireEye revealed that the nation-state actor also targeted entities in Japan, Vietnam, and even the Middle East in 2017. The hackers targeted organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

“APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities” reads the report published by FireEye.

APT37 targets

Experts revealed that in 2017, the APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country.

The hackers leveraged several vulnerabilities in Flash Player and in the Hangul Word Processor to deliver several types of malware.

The arsenal of the group includes the RUHAPPY wiper, the CORALDECK exfiltration tool, the GELCAPSULE and HAPPYWORK downloaders, the MILKDROP and SLOWDRIFT launchers, the ZUMKONG infostealer, the audio-capturing tool SOUNDWAVE, and backdoors tracked by FireEye as DOGCALL, KARAE, POORAIM, WINERACK and SHUTTERSPEED.

“North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms. Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity.” concludes FireEye.

“We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”


North Korean Hacking Group APT37 Expands Targets
20.2.2018 securityweek APT

A lesser known hacker group believed to be working on behalf of the North Korean government has been expanding the scope and sophistication of its campaigns, according to a report published on Tuesday by FireEye.

The threat actor is tracked by FireEye as APT37 and Reaper, and by other security firms as Group123 (Cisco) and ScarCruft (Kaspersky). APT37 has been active since at least 2012, but it has not been analyzed as much as the North Korea-linked Lazarus group, which is said to be responsible for high-profile attacks targeting Sony and financial organizations worldwide.

Cisco published a report in January detailing some of the campaigns launched by the threat actor in 2017, but APT37 only started making headlines in early February when researchers revealed that it had been using a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

APT37, whose goals appear to align with North Korea’s military, political and economic interests, has mainly focused on targeting public and private entities in South Korea, including government, defense, military and media organizations.

However, according to FireEye, the group expanded its attacks to Japan, Vietnam and even the Middle East last year. The list of targets includes organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

North Korean hacker group APT37 expands targets

One of the targets in the Middle East was a telecommunications services provider that had entered an agreement with the North Korean government. The deal fell through, which is when APT37 started hacking the Middle Eastern company, likely in an effort to collect information, FireEye said.

APT37 has exploited several Flash Player and Hangul Word Processor vulnerabilities to deliver various types of malware, including the RUHAPPY wiper, the CORALDECK exfiltration tool, the GELCAPSULE and HAPPYWORK downloaders, the MILKDROP and SLOWDRIFT launchers, the ZUMKONG infostealer, the audio-capturing tool SOUNDWAVE, and backdoors tracked by FireEye as DOGCALL, KARAE, POORAIM, WINERACK and SHUTTERSPEED.

This malware has been delivered using social engineering tactics, watering holes, and even torrent sites for wide-scale distribution.

FireEye is highly confident that APT37 is linked to the North Korean government based on several pieces of evidence, including the use of a North Korean IP, malware compilation timestamps consistent with a typical workday in North Korea, and objectives that align with Pyongyang’s interests.

“North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms,” FireEye said in its report. “Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity. We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”

Neither Kaspersky nor Cisco have explicitly attributed the APT37 attacks to North Korea.


Gold Dragon Implant Linked to Pyeongchang Olympics Attacks
5.2.2018 securityweek APT
McAfee has discovered an implant that they believe was used as a second-state payload in the recent fileless attacks targeting organizations involved with the upcoming Olympics Games in Pyeongchang, South Korea.

In early January, McAfee's security researchers warned that hackers had already began targeting the Pyeongchang Olympic Games with malware-infected emails. The first such attacks reportedly took place on December 22, with the sender’s address spoofed to appear as if the messages came from the South Korea's National Counter-Terrorism Center.

The hackers were using a PowerShell implant to establish a channel to the attacker’s server and gather basic system-level data, but McAfee couldn’t immediately determine what the attackers did after gaining initial access to a victim’s system.

McAfee has since published a report detailing additional implants used in the attacks, which were used to gain persistence on targeted systems and for continued data exfiltration, including Gold Dragon, Brave Prince, Ghost419, and RunningRat.

Gold Dragon, a Korean-language implant observed on December 24, 2017, is believed to be the second-stage payload in the Olympics attack, with a much more robust persistence mechanism than the initial PowerShell implant.

Designed as a data-gathering implant, Gold Dragon has the domain golddragon.com hardcoded and acts as a reconnaissance tool and downloader for subsequent payloads. It also generates a key to encrypt data gathered from the system, which is then sent to the server ink.inkboom.co.kr.

Gold Dragon is not a full-fledged spyware, as it only has limited reconnaissance and data-gathering functionality. The malware, which had its first variant in the wild in South Korea in July 2017, features elements, code, and behavior similar to Ghost419 and Brave Prince, implants that McAfee has been tracking since May 2017.

The malware lists the directories in the user’s Desktop folder, in the user’s recently accessed files, and in the system’s %programfiles% folder, and gathers this information along with system details, the ixe000.bin file from the current user’s UserProfiles, and registry key and value information for the current user’s Run key, encrypts the data, and sends it to the remote server.

The malware can check the system for processes related to antivirus products and cleaner applications, which it can then terminate to evade detection. Furthermore, it supports the download and execution of additional components retrieved from the command and control (C&C) server.

Also a Korean-language implant featuring similarities to Gold Dragon, Brave Prince too was designed for system profiling, capable of gathering information on directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware was first seen in December 13, 2017. It is also capable of terminating a process associated with a tool that can block malicious code.

First observed in the wild in December 18, 2017, Ghost419 is a Korean-language implant that can be traced to July 29, 2017, to a sample that only shares 46% of the code used in the December samples. This malware appears based on Gold Dragon and Brave Prince, featuring shared elements and code, especially related to system reconnaissance.

The attackers also used a remote access Trojan (RAT) in the Pyeongchang Olympics attacks, the security researchers say. Dubbed RunningRat, this tool operates with two DLLs, the first of which kills any antimalware solution on the system and unpacks and executes the main RAT DLL, in addition to gaining persistence.

The second DLL, which employs anti-debugging techniques, is decompressed in memory, which results in a fileless attack, as it never touches the user’s file system. The malware gathers information about the operating system, along with driver and processor information, and starts capturing user keystrokes and sending them to the C&C server.

“From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed,” McAfee reveals.

All of these implants can establish a permanent presence on the victim’s system, but they require a first-stage malware that provides the attacker with an initial foothold on the victim’s system. Some of the implants would only achieve persistence if Hangul Word (the South Korean-specific alternative to Microsoft Office) is running on the system.

“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” McAffee concludes.


Chinese Iron Tiger APT is back, a close look at the Operation PZChao
3.2.2018 securityaffairs APT

Chinese Iron Tiger APT is back, the new campaign, dubbed by Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.
Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of password-stealing, bitcoin-mining, and of course to gain full control of the victim’s machine.

The campaign, dubbed by Bitdefender, Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.

“This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.” states the report published by BitDefender.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”

It is interesting to notice that the malware features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery).

The experts who analyzed the command and control infrastructure and malicious codes used by the hackers (i.e. Gh0st RAT) speculate the return of the Iron Tiger APT group.

The Iron Tiger APT (aka Panda Emissary or TG-3390) is active at least since 2010 and targeted organization in APAC, but since 2013 it is attacking high-technology targets in the US.

The experts found many similarities between the Gh0stRat samples used in the Operation PZChao and the ones used in past campaigns associated with the Iron Tiger APT.

Attackers behind the Operation PZChao targeted victims with spear-phishing messages using a malicious VBS file attachment that once executed will download the malicious payloads to Windows systems from a distribution server. The researchers determined the IP address of the server, it is “125.7.152.55” in South Korea and hosts the “down.pzchao.com”.

Experts highlighted that new components are downloaded and executed on the target system in every stage of the attack.

Operation PZChao

The experts discovered that the first payload dropped onto compromised systems is a bitcoin miner.

The miner is disguised as a ‘java.exe’ file and used every three weeks at 3 am to avoid being noticed while mining cryptocurrency likely to fund the campaign.

But don’t forget that the main goal of the Operation PZChao is cyber espionage, the malicious code leverages two versions of the Mimikatz tool to gather credentials from the infected host.

The most important component in the arsenal of the attacker remains the powerful Gh0sT RAT malware that allows controlling every aspect of the infected system.

“this remote access Torjan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,” concluded Bitdefender. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”