diff --git "a/data/raw/APTNER/APTNERdev.txt" "b/data/raw/APTNER/APTNERdev.txt" new file mode 100644--- /dev/null +++ "b/data/raw/APTNER/APTNERdev.txt" 
@@ -0,0 +1,40588 @@ +Uses O +RijndaelManaged S-ENCR +instead O +of O +AES S-ENCR +for O +encryption O +. O +( O +with O +ECB B-ENCR +mode E-ENCR +, O +which O +is O +considered O +weak O +) O +. O + +Quasar S-MAL +contains O +the O +NetSerializer B-TOOL +library E-TOOL +that O +handles O +serialization O +of O +high O +level O +IPacket O +objects O +that O +the O +client B-TOOL +and I-TOOL +server E-TOOL +use O +to O +communicate O +. O + +The O +serialization O +assigns O +unique O +IDs O +for O +serializable O +objects O +types O +. O + +The O +open O +source O +and O +several O +other O +samples O +we O +found O +give O +a O +dynamically-assigned O +1 O +byte O +ID O +at O +compile O +time O +. O + +The O +sample O +we O +analyzed O +changed O +that O +behavior O +and O +hard-coded O +DWORD O +for O +each O +object O +type O +. O + +This O +is O +a O +better O +implementation O +, O +as O +it O +allows O +servers O +and O +clients O +from O +different O +versions O +to O +communicate O +with O +each O +other O +to O +some O +extent O +. O + +The O +sample O +we O +analyzed O +is O +most O +likely O +forked O +from O +open O +source O +quasar B-MAL +1.2.0.0 E-MAL +. O + +We O +find O +multiple O +file/object O +names O +hinting O +at O +the O +version O +, O +but O +must O +compelling O +: O + +Quasar B-MAL +version I-MAL +1.1.0.0 E-MAL +names O +the O +encryption O +module O +name O +space O +“ O +Encryption O +” O +, O +while O +subsequent O +Quasar B-MAL +versions E-MAL +use O +“ O +Cryptography O +” O +– O +which O +we O +observe O +in O +this O +sample O +. O + +Quasar B-MAL +version I-MAL +1.3.0.0 E-MAL +changed O +the O +encryption O +key O +generation O +, O +and O +stopped O +saving O +the O +password O +in O +the O +sample O +. O + +There O +are O +more O +indications O +as O +well O +, O +such O +as O +names O +of O +objects O +, O +files O +etc O +. 
O + +Other O +samples O +we O +analyzed O +had O +different O +combinations O +of O +modification O +to O +cryptography O +and O +serialization O +. O + +Our O +decompilation O +of O +the O +serialization B-TOOL +library E-TOOL +was O +not O +complete O +enough O +to O +allow O +simple O +recompilation O +. O + +Instead O +, O +we O +downloaded O +and O +compiled O +the O +1.2.0.0 O +server O +of O +the O +open-source O +Quasar B-MAL +RAT E-MAL +, O +having O +determined O +that O +this O +seemed O +likely O +the O +most O +similar O +version O +. O + +The O +out-of-the-box B-TOOL +server E-TOOL +could O +not O +communicate O +with O +the O +client O +sample O +owing O +to O +the O +previously O +documented O +modifications O +that O +we O +had O +observed O +. O + +We O +incorporated O +those O +changes O +into O +our O +build O +, O +discovering O +that O +this O +worked O +for O +most O +sample O +versions O +with O +almost O +no O +further O +modification O +. O + +Both O +the O +client O +and O +the O +server S-TOOL +use O +the O +same O +code O +to O +serialize O +and O +encrypt O +the O +communications O +. O + +Instead O +of O +compiling O +a O +different O +server S-TOOL +for O +each O +client O +, O +our B-TOOL +server E-TOOL +uses O +the O +code O +from O +within O +the O +client O +to O +communicate O +with O +it O +. O + +Using O +Reflection O +, O +the O +server S-TOOL +can O +load O +the O +assembly O +of O +the O +client O +to O +find O +the O +relevant O +functions O +and O +passwords O +. O + +This O +was O +more O +complex O +. O + +Both O +the O +client O +and O +server O +uses O +the O +same O +API O +, O +but O +the O +client O +serializer O +cannot O +serialize O +server O +objects O +, O +because O +they O +are O +not O +the O +same O +as O +their O +“ O +mirrored O +” O +objects O +inside O +the O +client O +. 
O + +In O +some O +cases O +these O +objects O +are O +completely O +different O +, O +for O +example O +the O +server O +commands O +to O +get O +the O +file O +system O +. O + +Our O +solution O +is O +to O +: O + +Translate O +on O +the O +fly O +the O +objects O +the O +server O +send O +to O +mirrored O +matching O +client O +objects O +( O +will O +not O +work O +if O +client O +doesn’t O +have O +this O +object O +, O +or O +renamed O +it O +) O +. O + +Copy O +the O +content O +from O +the O +server O +object O +into O +the O +new O +client O +object O +( O +will O +not O +work O +if O +client O +implementation O +is O +different O +) O +. O + +Serialize O +the O +client O +object O +( O +which O +will O +be O +later O +encrypted O +and O +sent O +) O +. O + +Deserialize O +the O +decrypted O +response O +into O +another O +client O +response O +object O +. O + +Translate O +the O +client O +response O +object O +into O +the O +server O +version O +of O +the O +client O +response O +object O +. O + +Copy O +the O +contents O +from O +the O +client O +response O +object O +into O +the O +translated O +server O +object O +. O + +Return O +the O +translated O +object O +. O + +Our O +sample O +communicates O +with O +app.progsupdate.com S-DOM +, O +which O +resolved O +to O +185.141.25.68 S-IP +, O +over O +TCP S-PROT +port O +4664 O +. O + +The O +server O +sends O +a O +command O +. O +for O +example O +, O +“ O +Get B-FILE +System I-FILE +Information E-FILE +” O +. O + +The O +command O +is O +translated O +to O +an O +IPacket O +of O +type O +GetSystemInfo O +. O + +The O +packet O +is O +serialized O +into O +a O +stream O +of O +bytes O +. O + +The O +stream O +of O +bytes O +is O +encrypted O +( O +in O +some O +versions O +there O +is O +also O +optional O +compression O +step O +) O +. O + +The O +stream O +of O +bytes O +is O +sent O +over O +TCP S-PROT +to O +the O +client O +. O + +The O +client O +receives O +and O +decrypts O +the O +packet O +. 
O + +The O +client O +deserializes O +the O +packet O +into O +IPacket O +GetSystemInfo O +. O + +The O +relevant O +handler O +of O +the O +client O +is O +called O +, O +collects O +the O +system O +information O +and O +sends O +it O +back O +inside O +IPacket O +of O +GetSystemInfoResponse O +. O + +Each O +of O +these O +layers O +seems O +to O +be O +different O +to O +some O +extent O +in O +the O +various O +samples O +we O +found O +. O + +The O +IPacket O +, O +Serialization O +and O +Encryption O +framework O +code O +is O +shared O +between O +the O +client O +and O +the O +server O +, O +therefore O +we O +can O +use O +it O +with O +Reflection O +. O + +However O +the O +Server O +handlers O +and O +command O +function O +are O +not O +, O +so O +we O +cannot O +create O +a O +completely O +perfect O +simulation O +. O + +The O +attacker O +can O +issue O +commands O +( O +not O +all O +commands O +appear O +in O +different O +samples O +) O +through O +the O +Quasar B-TOOL +server I-TOOL +GUI E-TOOL +for O +each O +client O +: O + +Get O +system O +information O +. O + +Get O +file O +system O +. O + +Upload O +/ O +download O +/ O +execute O +files O +. O + +Startup O +manager O +. O + +Open O +task O +manager O +. O + +Kill O +/ O +start O +processes O +. O + +Edit O +registry O +. O + +Reverse O +Proxy O +. O + +Shutdown O +/ O +restart O +the O +computer O +. O + +Open O +remote O +desktop O +connection O +. O + +Observe O +the O +desktop O +and O +actions O +of O +active O +user O +. O + +Issue O +remote O +mouse O +clicks O +and O +keyboard O +strokes O +. O + +Password O +stealing O +. O + +Retrieve O +Keylogger O +logs O +. O + +Visit O +website O +. O + +Display O +a O +message O +box O +. 
O + +The O +file B-TOOL +system E-TOOL +commands O +underling O +handlers O +and O +IPacket O +were O +modified O +to O +support O +more O +features O +, O +so O +these O +commands O +don’t O +work O +out O +of O +the O +box O +and O +required O +manual O +implementation O +from O +us O +. O + +With O +further O +analysis O +of O +the O +Quasar B-MAL +RAT E-MAL +C2 S-TOOL +Server O +, O +we O +uncovered O +vulnerabilities O +in O +the O +server O +code O +, O +which O +would O +allow O +remote O +code O +execution O +. O + +This O +might O +allow O +a O +second O +attacker O +to O +install O +code O +of O +their O +choice O +– O +for O +example O +, O +their O +own O +Quasar B-MAL +RAT E-MAL +– O +on O +the O +original O +attacker O +’s O +server O +. O + +We O +refer O +to O +this O +( O +somewhat O +ironic O +) O +technique O +as O +a O +“ O +Double B-ACT +Edged I-ACT +Sword I-ACT +Attack E-ACT +” O +. O + +We O +did O +not O +apply O +this O +to O +any O +live O +C2 S-TOOL +servers O +– O +we O +only O +tested O +this O +with O +our O +own O +servers O +in O +our O +lab O +. O + +In O +the O +lab O +, O +we O +changed O +our O +Quasar B-MAL +RAT E-MAL +source O +code O +to O +use O +the O +known O +encryption O +key O +, O +and O +to O +send O +fake O +victim O +IP S-PROT +address O +, O +City O +, O +Country O +code O +, O +Flag O +, O +and O +Username O +. O + +The O +Quasar S-MAL +serve O +does O +not O +verify O +the O +RAT S-TOOL +data O +, O +and O +displays O +this O +data O +in O +the O +RAT S-TOOL +Server O +GUI O +when O +the O +RAT S-TOOL +is O +executed O +and O +connects O +to O +the O +server O +. O + +We O +found O +this O +could O +be O +used O +to O +supply O +compelling O +“ O +victim O +data O +” O +to O +convince O +the O +attacker O +to O +connect O +to O +this O +“ O +victim O +” O +via O +the O +GUI O +. 
O + +Quasar S-MAL +serve O +includes O +a O +File B-TOOL +Manager I-TOOL +window E-TOOL +, O +allowing O +the O +attacker O +to O +select O +victim O +files O +, O +and O +trigger O +file O +operations O +– O +for O +example O +, O +uploading O +a O +file O +from O +victim O +machine O +to O +server O +. O + +Uploaded O +files O +are O +written O +to O +the O +server O +sub O +directory O +“ O +clients\user_name@machine_name_ipaddress S-FILE +” O +. O + +Quasar S-MAL +serve O +does O +not O +verify O +that O +the O +size O +, O +filename O +, O +extension O +, O +or O +header O +of O +the O +uploaded O +file O +is O +the O +same O +as O +requested O +. O + +Therefore O +, O +if O +we O +convince O +the O +attacker O +to O +request O +the O +file O +“ O +secret_info.doc S-FILE +( O +20KB S-FILE +) O +” O +, O +we O +can O +instead O +return O +to O +the O +server O +any O +file O +of O +our O +choice O +, O +of O +any O +size O +or O +type O +. O + +When O +the O +Quasar S-MAL +serve O +retrieves O +the O +name O +of O +the O +uploaded O +file O +from O +the O +victim O +, O +it O +does O +not O +verify O +that O +it O +is O +a O +valid O +file O +path O +. O + +Therefore O +sending O +the O +file O +path O +“ O +..\..\ B-FILE +secret_info.doc E-FILE +” O + +will O +result O +in O +writing O +our O +file O +instead O +to O +the O +same O +directory O +as O +the O +Quasar S-MAL +serve O +code O +. O + +Quasar S-MAL +serve O +does O +not O +even O +verify O +that O +a O +file O +was O +requested O +from O +the O +victim O +. O + +Immediately O +when O +the B-TOOL +File I-TOOL +Manager I-TOOL +window E-TOOL +is O +opened O +by O +the O +attacker O +, O +the O +Quasar S-MAL +serve O +sends O +two O +commands O +to O +the O +RAT S-TOOL +: O +GetDrives O +and O +listDirectory O +( O +to O +populate O +the O +list O +of O +the O +victim O +’s O +files O +in O +the O +RAT B-TOOL +Server I-TOOL +GUI E-TOOL +) O +. 
O + +We O +can O +respond O +to O +those O +commands O +by O +instead O +sending O +two O +files O +of O +our O +choice O +to O +the O +Quasar S-MAL +serve O +. O + +Again O +, O +we O +control O +the O +content O +of O +the O +file O +, O +the O +size O +and O +the O +path O +and O +filename O +. O + +Quasar S-MAL +is O +a O +.NET B-TOOL +Framework E-TOOL +assembly O +, O +loading O +multiple O +DLLs O +upon O +launch O +, O +for O +example O +“ O +dnsapi.dll S-FILE +” O +. O + +Quasar S-MAL +serve O +is O +vulnerable O +to O +a O +simple O +DLL S-TOOL +hijacking O +attack O +, O +by O +using O +this O +technique O +to O +replace O +server O +DLLs O +. O + +When O +the O +attacker O +restarts O +the O +Quasar S-MAL +application O +, O +our O +uploaded O +“ O +dnsapi.dll S-FILE +” O +will O +instead O +be O +loaded O +. O + +Through O +this O +vector O +, O +we O +could O +drop O +our O +own O +Quasar S-MAL +clien O +on O +the O +attacker O +’s O +server O +and O +execute O +it O +. O + +Our O +Quasar B-MAL +RAT E-MAL +will O +connect O +to O +our O +own O +( O +secured O +, O +of O +course O +) O +Quasar S-MAL +serve O +, O +allowing O +us O +to O +control O +that O +attacker O +’s O +server O +with O +his O +own O +RAT S-TOOL +. O + +We O +can O +also O +replace O +“ O +shfolder.dll S-FILE +” O +( O +and O +add O +a O +DLL S-TOOL +export O +proxy O +to O +avoid O +a O +crash O +) O +, O +which O +is O +loaded O +whenever O +the O +attacker O +clicks O +the O +builder O +tab O +– O +allowing O +us O +to O +infect O +the O +server O +while O +it O +runs O +, O +without O +the O +need O +to O +wait O +for O +application O +restart O +. O + +Although O +Downeks S-MAL +has O +been O +publicly O +examined O +to O +some O +extent O +, O +our O +analysis O +found O +several O +features O +not O +previously O +described O +. O + +Earlier O +Downeks S-MAL +samples O +were O +all O +written O +in O +native O +code O +. 
O + +However O +, O +among O +our O +Downeks S-MAL +samples O +, O +we O +found O +new O +versions O +apparently O +written O +in O +.NET S-TOOL +. O + +We O +observe O +many O +behavioral O +similarities O +and O +unique O +strings O +across O +both O +the O +native-Downeks S-MAL +versions O +, O +and O +the O +new O +.NET S-TOOL +Downeks I-MAL +versions E-MAL +. O + +Almost O +all O +of O +the O +strings O +and O +behaviors O +we O +describe O +in O +this O +analysis O +of O +a O +.NET S-TOOL +version O +are O +also O +present O +in O +the O +native O +version O +. O + +We O +observed O +these O +samples O +deployed O +only O +against O +Hebrew-speaking O +targets O +. O + +Downeks S-MAL +.NET O +internal O +name O +is O +“ O +SharpDownloader S-MAL +” O +, O +“ O +Sharp O +” O +may O +be O +a O +reference O +to O +the O +language O +it O +was O +written O +in O +– O +C# S-TOOL +. O + +As O +seen O +in O +previous O +Downeks S-MAL +versions O +, O +it O +uses O +masquerades B-TOOL +with I-TOOL +icons E-TOOL +, O +filenames S-TOOL +and O +metadata B-TOOL +imitating I-TOOL +popular I-TOOL +legitimate I-TOOL +applications E-TOOL +such O +as O +VMware B-TOOL +workstation E-TOOL +and O +CCleaner S-TOOL +, O +or O +common O +file O +formats O +such O +as O +DOC S-TOOL +and O +PDF S-TOOL +. O + +All O +3 O +samples O +were O +compiled O +with O +the O +same O +timestamp O +. O + +Downeks.NET S-MAL +is O +obfuscated O +using O +“ O +Yano S-TOOL +” O +and O +can O +be O +easily O +de-obfuscated O +using O +the B-TOOL +de4dot I-TOOL +utility E-TOOL +. O + +SHA256 S-ENCR +: O +4dcf5bd2c7a5822831d9f22f46bd2369c4c9df17cc99eb29975b5e8ae7e88606 S-SHA2 +. O + +SHA256 S-ENCR +: O +905f6a62749ca6f0fd33345d6a8b1831d87e9fd1f81a59cd3add82643b367693 S-SHA2 +. O + +SHA256 S-ENCR +: O +c885f09b10feb88d7d176fe1a01ed8b480deb42324d2bb825e96fe1408e2a35f S-SHA2 +. O + +Downeks S-MAL +is O +a O +backdoor O +with O +only O +very O +basic O +capabilities O +. 
O + +It O +communicates O +with O +the O +C2 S-TOOL +server O +using O +HTTP S-PROT +POST O +requests O +. O + +It O +runs O +in O +an O +infinite O +loop O +, O +in O +each O +iteration O +it O +requests O +a O +command O +from O +the O +C2 S-TOOL +, O +and O +then O +it O +sleeps O +for O +a O +time O +period O +it O +receives O +in O +the O +C2 S-TOOL +response O +( O +defaulting O +to O +1 O +second O +if O +no O +sleep-time O +sent O +) O +. O + +The O +data O +that O +is O +sent O +in O +the O +POST O +is O +serialized O +with O +json S-TOOL +, O +which O +is O +then O +is O +encrypted O +, O +and O +finally O +encoded O +in O +base64 O +. O + +The O +json S-TOOL +format O +is O +typically O +{ O +“mth O +” O +: O + +” O +some_method O +” O +, O +“ O +data O +” O +: O + +” O +some_encrypted_data O +” O +} O +. O + +The O +C2 S-TOOL B-TOOL +server E-TOOL +responds O +using O +the O +same O +format O +and O +serialization/encryption/encoding O +. O + +As O +described O +in O +earlier O +analyses O +, O +Downeks S-MAL +’ O +main O +purpose O +is O +as O +a O +downloader O +. O + +Unfortunately O +, O +we O +were O +unable O +to O +get O +any O +C2 S-TOOL B-TOOL +servers E-TOOL +to O +issue O +download O +commands O +to O +any O +samples O +that O +we O +tested O +in O +our O +lab O +. O + +The O +download O +is O +initiated O +upon O +receiving O +json O +with O +a O +“ O +download O +” O +command O +, O +which O +includes O +the O +URL O +of O +the O +file O +to O +be O +downloaded O +. O + +Downeks S-MAL +can O +also O +be O +instructed O +to O +execute O +binaries O +that O +already O +exist O +on O +the O +victim O +machine O +. O + +After O +successful O +execution O +, O +Downeks S-MAL +returns O +the O +results O +to O +the O +C2 S-TOOL B-TOOL +server E-TOOL +. O + +Downeks S-MAL +also O +has O +a O +self-update O +capability O +, O +if O +instructed O +by O +the O +C2 S-TOOL +. 
O + +Downeks S-MAL +can O +be O +instructed O +with O +the B-TOOL +“ I-TOOL +img I-TOOL +” I-TOOL +command E-TOOL +to O +capture O +the O +victim O +screen O +and O +transmit O +it O +back O +to O +the O +C2 S-TOOL +. O + +The O +parameters O +“ O +wth O +” O +and O +“ O +qlt O +” O +specify O +“ O +width O +” O +and O +“ O +quality O +” O +. O + +Downeks B-MAL +.NET E-MAL +creates O +a O +file O +in O +the O +“ O +Appdata O +” O +directory O +, O +based O +on O +certain O +properties O +of O +the O +machine O +. O + +During O +our O +analysis O +, O +Downeks S-MAL +created O +a O +file O +in O +“ O +Appdata\Roaming O +” O +containing O +only O +“ O +SD{new O +line} O +0 O +” O +( O +“ O +SD O +” O +possibly O +for O +“ O +SharpDownloader O +” O +) O +. O + +Although O +this O +file O +itself O +is O +not O +particularly O +interesting O +, O +the O +older O +( O +native O +) O +Downeks S-MAL +versions O +also O +creates O +a O +file O +in O +Appdata\Roaming S-TOOL +, O +with O +identical O +data O +. O + +The O +filenames O +across O +the O +two O +variants O +bear O +striking O +similarities O +. O + +The O +.NET S-TOOL +variant O +creates O +“ O +1FABFBFF0000065132F71D94 S-SHA2 +” O +, O +while O +the O +native O +version O +creates O +“ O +000206511FABFBFF S-SHA2 +” O +. O + +We O +observed O +the O +string O +“ O +1FABFBFF0000065132F71D94 S-SHA2 +” O +in O +memory O +during O +debugging O +of O +the O +native O +variant O +. O + +This O +is O +a O +pseudo-unique O +ID O +for O +each O +machine O +, O +based O +on O +install O +date O +taken O +from O +the O +registry O +, O +volume O +serial O +number O +, O +OS O +version O +and O +service O +pack O +, O +Processor O +architecture O +, O +and O +computer O +name O +. O + +Downeks S-MAL +enumerates O +any O +antivirus O +products O +installed O +on O +the O +victim O +machine O +and O +transmits O +the O +list O +to O +the O +C2 S-TOOL +. 
O + +It O +constructs O +this O +list O +using O +the O +WMI S-OS +query O +: O +“SELECT O +displayName O +FROM O +AntivirusProduct O +” O +. O + +Downeks S-MAL +achieves O +host O +persistence O +through O +either O +the O +registry B-TOOL +“ I-TOOL +run I-TOOL +” I-TOOL +key E-TOOL +or O +with O +a O +shortcut B-TOOL +in I-TOOL +the I-TOOL +start-up I-TOOL +folder E-TOOL +. O + +In O +another O +similarity O +between O +both O +variants O +, O +Dowenks S-MAL +assesses O +the O +victim O +’s O +external O +IP O +using O +an O +HTTP B-TOOL +request E-TOOL +to O +http://www.myexternalIP +. O + +com/raw S-URL +. O + +Downeks S-MAL +can O +be O +instructed O +by O +the O +C2 S-TOOL +to O +perform O +a O +few O +other O +commands O +: O + +Check O +if O +the O +computer O +name O +and O +user O +name O +, O +or O +external O +IP S-PROT +address O +, O +is O +in O +a O +provided O +list O +and O +if O +so O +, O +display O +a O +message O +box O +with O +a O +message O +as O +defined O +by O +the O +C2 S-TOOL +. O + +Kill O +any O +running O +process O +and O +attempt O +to O +delete O +the O +associated O +executable O +. O +“ O +Setup O +” O +command O +– O +sends O +various O +info O +about O +the O +machine O +with O +each O +iteration O +of O +the O +C2 S-TOOL +communications O +loop O +. O + +Downeks S-MAL +has O +static O +encryption O +keys O +hardcoded O +in O +the O +code O +. O + +Palo B-IDTY +Alto I-IDTY +Networks E-IDTY +customers O +are O +protected O +from O +Downeks S-MAL +and O +Quasar S-MAL +used O +in O +this O +attack O +: O + +WildFire S-TOOL +properly O +classifies O +these O +Downeks S-MAL +and O +Quasar S-MAL +samples O +as O +malicious O +. O + +Traps S-TOOL +detects O +and O +blocks O +malicious O +behavior O +exhibited O +by O +new O +, O +unknown O +Quasar S-MAL +samples O +. O + +C2 S-TOOL +servers S-TOOL +associated O +with O +this O +activity O +are O +blocked O +through O +Threat O +Prevention O +DNS S-PROT +signatures O +. 
O + +URI B-ACT +TERROR I-ACT +ATTACK E-ACT +& O +KASHMIR S-LOC +PROTEST O +THEMED O +SPEAR B-ACT +PHISHING E-ACT +emails S-TOOL +TARGETING O +INDIAN B-IDTY +EMBASSIES E-IDTY +AND O +INDIAN B-IDTY +MINISTRY I-IDTY +OF I-IDTY +EXTERNAL I-IDTY +AFFAIRS E-IDTY +- O +CYSINFO O +. O + +In O +my O +previous O +blog O +I O +posted O +details O +of O +a O +cyber O +attack O +targeting O +Indian B-IDTY +government I-IDTY +organizations E-IDTY +. O + +This O +blog O +post O +describes O +another O +attack O +campaign O +where O +attackers O +used O +the O +Uri B-ACT +terror I-ACT +attack E-ACT +and O +Kashmir S-LOC +protest O +themed O +spear B-ACT +phishing I-ACT +email S-TOOL +to O +target O +officials O +in O +the O +Indian B-IDTY +Embassies E-IDTY +and O +Indian B-IDTY +Ministry I-IDTY +of I-IDTY +External I-IDTY +Affairs E-IDTY +( O +MEA S-IDTY +) O +. O + +In O +order O +to O +infect O +the O +victims O +, O +the O +attackers O +distributed O +spear-phishing S-ACT +emails S-TOOL +containing O +malicious B-TOOL +word E-TOOL +document O +which O +dropped O +a O +malware O +capable O +of O +spying O +on O +infected O +systems O +. O + +The O +email S-TOOL +purported O +to O +have O +been O +sent O +from O +legitimate O +email S-TOOL +ids O +. O + +The O +attackers O +spoofed O +the O +email S-TOOL +ids O +associated O +with O +Indian B-IDTY +Ministry I-IDTY +of I-IDTY +Home I-IDTY +Affairs E-IDTY +to O +send O +out O +email S-TOOL +to O +the O +victims O +. O + +Attackers O +also O +used O +the O +name B-TOOL +of I-TOOL +the I-TOOL +top-ranking I-TOOL +official E-TOOL +associated O +with O +Minister B-IDTY +of I-IDTY +Home I-IDTY +affairs E-IDTY +in O +the O +signature O +of O +the O +email S-TOOL +, O +this O +is O +to O +make O +it O +look O +like O +the O +email S-TOOL +was O +sent O +by O +a O +high-ranking O +Government O +official O +associated O +with O +Ministry B-IDTY +of I-IDTY +Home I-IDTY +Affairs E-IDTY +( O +MHA S-IDTY +) O +. 
O + +In O +the O +The O +first O +wave O +of O +attack O +, O +The O +attackers O +spoofed O +an O +email S-TOOL +id O +that O +is O +associated O +with O +Indian O +Ministry B-IDTY +of I-IDTY +Home I-IDTY +Affairs E-IDTY +( O +MHA S-IDTY +) O +and O +an O +email S-TOOL +was O +sent O +on O +September B-TIME +20th I-TIME +, I-TIME +2016 E-TIME +( O +just O +2 O +days O +after O +the O +Uri B-ACT +terror I-ACT +attack E-ACT +) O +to O +an O +email S-TOOL +id O +associated O +with O +the O +Indian B-IDTY +Embassy E-IDTY +in O +Japan S-LOC +. O + +The O +email S-TOOL +was O +made O +to O +look O +like O +as O +if O +an O +investigation O +report O +related O +to O +Uri B-ACT +terror I-ACT +attack E-ACT +was O +shared O +by O +the O +MHA S-IDTY +official O +. O + +On O +Sept B-TIME +20th,2016 E-TIME +similar O +Uri O +Terror O +report O +themed O +email S-TOOL +was O +also O +sent O +to O +an O +email S-TOOL +id O +connected O +with O +Indian B-IDTY +embassy E-IDTY +in O +Thailand S-LOC +. O + +This O +email S-TOOL +was O +later O +forwarded O +on O +Oct B-TIME +24th,2016 E-TIME +from O +a O +spoofed O +email S-TOOL +id O +which O +is O +associated O +with O +Thailand S-LOC +Indian B-IDTY +embassy E-IDTY +to O +various O +email S-TOOL +recipients O +connected O +to O +the O +Indian B-IDTY +Ministry I-IDTY +of I-IDTY +External I-IDTY +Affairs E-IDTY +as O +shown O +in O +the O +below O +screen O +shot O +. 
O + +In O +this O +case O +Attackers O +again O +spoofed O +an O +email S-TOOL +id O +associated O +with O +Indian B-IDTY +Ministry I-IDTY +of I-IDTY +Home I-IDTY +Affairs E-IDTY +and O +the O +mail O +was O +sent O +on O +September B-TIME +1,2016 E-TIME +to O +an O +email S-TOOL +id O +associated O +Thailand S-LOC +Indian B-IDTY +embassy E-IDTY +, O +this O +email S-TOOL +was O +later O +forwarded O +on O +Oct B-TIME +24th,2016 E-TIME +from O +a O +spoofed O +email S-TOOL +of O +Thailand S-LOC +Indian B-IDTY +embassy E-IDTY +to O +various O +email S-TOOL +recipients O +connected O +to O +the O +Indian B-IDTY +Ministry I-IDTY +of I-IDTY +External I-IDTY +Affairs E-IDTY +( O +MEA S-IDTY +) O +. O + +This O +time O +the O +email S-TOOL +was O +made O +to O +look O +like O +an O +investigation O +report O +related O +to O +Jammu B-LOC +& I-LOC +Kashmir E-LOC +protest O +was O +shared O +by O +the O +Ministry B-IDTY +of I-IDTY +Home I-IDTY +Affairs E-IDTY +Official O +and O +the O +forwarded O +email S-TOOL +was O +made O +to O +look O +like O +the O +report O +was O +forwarded O +by O +an O +Ambassador O +in O +Thailand S-LOC +Indian B-IDTY +embassy E-IDTY +to O +the O +MEA S-IDTY +officials O +. O + +From O +the O +emails S-TOOL +( O +and O +the O +attachments O +) O +it O +looks O +like O +the O +goal O +of O +the O +attackers O +was O +to O +infect O +and O +take O +control O +of O +the O +systems O +and O +also O +to O +spy O +on O +the O +actions O +of O +the O +Indian O +Government O +post O +the O +Jammu B-LOC +& I-LOC +Kashmir E-LOC +protest O +and O +Uri B-ACT +Terror I-ACT +attack E-ACT +. 
O + +When O +the O +victim O +opens O +the O +attached B-TOOL +word I-TOOL +document E-TOOL +it O +prompts O +the O +user O +to O +enable O +macro O +content O +and O +both O +the O +documents O +( O +Uri B-FILE +Terror I-FILE +Report.doc E-FILE +and O +mha-report.doc S-FILE +) O +displayed O +the O +same O +content O +and O +contained O +a O +Show O +Document O +button O +. O + +In O +case O +of O +both O +the O +documents O +( O +Uri B-FILE +Terror I-FILE +Report.doc E-FILE +and O +mha-report.doc S-FILE +) O +the O +malicious O +macro B-TOOL +code E-TOOL +was O +heavily O +obfuscated O +(used O +obscure O +variable/function O +names O +to O +make O +analysis O +harder O +) O +and O +did O +not O +contain O +any O +auto O +execute O +functions O +. O + +Malicious O +activity O +is O +trigged O +only O +on O +user O +interaction O +, O +attackers O +normally O +use O +this O +technique O +to O +bypass O +sandbox/automated O +analysis O +. O + +Reverse O +engineering O +both O +the O +word O +documents O +( O +Uri B-FILE +Terror I-FILE +Report.doc E-FILE +& O +mha-report.doc S-FILE +) O +exhibited O +similar O +behaviour O +except O +the O +minor O +difference O +mentioned O +below O +. O + +In O +case O +of O +mha-report.doc S-FILE +the O +malicious O +activity O +triggered O +only O +when O +the O +show O +document O +button O +was O +clicked O +, O +when O +this O +event O +occurs O +the O +macro B-TOOL +code E-TOOL +calls O +a O +subroutine O +CommandButton1_Click() S-TOOL +which O +in O +turn O +calls O +a O +malicious O +obfuscated O +function O +( O +Bulbaknopka() S-TOOL +) O +. 
O + +In O +case O +of O +Uri B-FILE +Terror I-FILE +Report.doc E-FILE +the O +malicious O +activity O +triggered O +when O +the O +document O +was O +either O +closed O +or O +when O +the O +show O +document O +button O +was O +clicked O +, O +when O +any O +of O +these O +event O +occurs O +a O +malicious O +obfuscated O +function O +( O +chugnnarabashkoim() S-TOOL +) O +gets O +called O +. O + +The O +malicious B-TOOL +macro I-TOOL +code E-TOOL +first O +decodes O +a O +string O +which O +contains O +a O +reference O +to O +the O +pastebin O +url O +. O + +The O +macro S-TOOL +then O +decodes O +a O +PowerShell S-TOOL +script O +which O +downloads O +base64 B-TOOL +encoded I-TOOL +content E-TOOL +from O +the O +pastebin S-TOOL +url O +. O + +The O +base64 B-TOOL +encoded I-TOOL +content E-TOOL +downloaded O +from O +the O +Pastebin S-TOOL +link O +is O +then O +decoded O +to O +an O +executable O +and O +dropped O +on O +the O +system O +. O + +The O +technique O +of O +hosting O +malicious O +code O +in O +legitimate O +sites O +like O +Pastebin S-TOOL +has O +advantages O +and O +it O +is O +highly O +unlikely O +to O +trigger O +any O +suspicion O +in O +security O +monitoring O +and O +also O +can O +bypass O +reputation O +based O +devices O +. O + +The O +dropped O +file O +was O +determined O +as O +modified O +version O +of O +njRAT B-MAL +trojan E-MAL +. O + +The O +dropped O +file O +( O +officeupdate.exe S-FILE +) O +is O +then O +executed O +by O +the O +macro B-TOOL +code E-TOOL +using O +the O +PowerShell B-TOOL +script E-TOOL +. O +njRAT S-MAL +is O +a O +Remote B-TOOL +Access I-TOOL +Tool E-TOOL +( O +RAT S-MAL +) O +used O +mostly O +by O +the O +actor O +groups O +in O +the O +middle B-LOC +east E-LOC +. 
O + +Once O +infected O +njRAT S-MAL +communicates O +to O +the O +attacker O +and O +allows O +the O +attacker O +to O +log O +keystrokes O +, O +upload/download O +files O +, O +access O +victims O +web O +camera O +, O +audio O +recording O +, O +steal O +credentials O +, O +view O +victims O +desktop O +, O +open O +reverse O +shell O +etc O +. O + +The O +dropped B-TOOL +file E-TOOL +was O +analyzed O +in O +an O +isolated O +environment O +( O +without O +actually O +allowing O +it O +to O +connect O +to O +the O +c2 S-TOOL +server O +) O +. O + +Once O +the O +dropped O +file O +( O +officeupdate.exe S-FILE +) O +is O +executed O +the B-MAL +malware E-MAL +drops O +additional O +files O +( O +googleupdate.exe S-FILE +, O +malib.dll S-FILE +and O +msccvs.dll S-FILE +) O +into O +the O +%AllUsersProfile%\Google S-IDTY +directory O +and O +then O +executes O +the O +dropped O +googleupdate.exe S-FILE +Upon O +execution O +malware S-MAL +makes O +a O +connection O +to O +the O +c2 S-TOOL +server O +on O +port O +5555 O +and O +sends O +the O +system O +& O +operating O +system O +information O +along O +with O +some O +base64 O +encoded O +strings O +to O +the O +attacker O +as O +shown O +below O +. O + +This O +section O +contains O +the O +details O +of O +the O +c2 S-TOOL +domain O +( O +khanji.ddns.net S-DOM +) O +. O + +Attackers O +used O +the O +DynamicDNS S-TOOL +to O +host O +the O +c2 S-TOOL +server O +, O +this O +allows O +the O +attacker O +to O +quickly O +change O +the O +IP S-PROT +address O +in O +real O +time O +if O +the O +malware O +c2 S-TOOL +server O +infrastructure O +is O +unavailable O +. O + +The O +c2 S-TOOL +domain O +was O +associated O +with O +multiple O +IP S-PROT +addresses O +in O +past O +. 
O + +During O +the O +timeline O +of O +this O +cyber O +attack O +most O +of O +these O +IP S-PROT +addresses O +were O +located O +in O +Pakistan S-LOC +and O +few O +IP S-PROT +addresses O +used O +the O +hosting B-TOOL +provider I-TOOL +infrastructure E-TOOL +. O + +The O +c2 S-TOOL +domain O +( O +khanji.ddns.net S-DOM +) O +was O +also O +found O +to O +be O +associated O +with O +multiple O +malware O +samples O +in O +the O +past O +, O +Some O +of O +these O +malware O +samples O +made O +connection O +to O +pastebin S-TOOL +urls O +upon O +execution O +, O +which O +is O +similar O +to O +the O +behavior O +mentioned O +previously O +. O + +Based O +on O +the O +base64 B-TOOL +encoded I-TOOL +content E-TOOL +posted O +in O +the O +Pastebin S-TOOL +, O +userid O +associated O +with O +the O +Pastebin S-TOOL +post O +was O +determined O +. O + +The O +same O +user O +posted O +multiple O +similar O +posts O +most O +of O +them O +containing O +similar O +base64 B-TOOL +encoded I-TOOL +content E-TOOL +( O +probably O +used O +by O +the O +malwares O +in O +other O +campaigns O +to O +decode O +and O +drop O +malware O +executable O +) O +, O +these O +posts O +were O +made O +between O +July B-TIME +21st I-TIME +, I-TIME +2016 E-TIME +to O +September B-TIME +30 I-TIME +, I-TIME +2016 E-TIME +. O + +Below O +screen O +shot O +shows O +the O +posts O +made O +by O +the O +user O +, O +the O +hits O +column O +in O +the O +below O +screen O +shot O +gives O +an O +idea O +of O +number O +of O +times O +the O +links O +were O +visited O +( O +probably O +by O +the O +malicious B-TOOL +macro I-TOOL +code E-TOOL +) O +, O +this O +can O +give O +rough O +idea O +of O +the O +number O +of O +users O +who O +are O +probably O +infected O +as O +a O +result O +of O +opening O +the O +malicious O +document O +. 
O + +Doing O +a O +Google S-IDTY +search O +for O +the O +Pastebin S-TOOL +userid O +landed O +me O +on O +a O +YouTube S-IDTY +video O +posted O +by O +an O +individual O +demonstrating O +his O +modified O +version O +of O +njRAT B-TOOL +control I-TOOL +panel/builder I-TOOL +kit E-TOOL +. O + +The O +Pastebin S-TOOL +userid O +matched O +with O +the O +email S-TOOL +ID O +mentioned O +by O +this O +individual O +in O +the O +YouTube S-IDTY +video O +description O +section O +. O + +This O +same O +keyword O +was O +also O +found O +in O +the O +njRAT S-MAL +c2 S-TOOL +communication O +used O +in O +this O +attack O +. O + +After O +inspecting O +the O +njRAT B-TOOL +builder I-TOOL +kit E-TOOL +it O +was O +determined O +that O +this O +individual O +customized O +the O +existing O +njRAT B-TOOL +builder I-TOOL +kit E-TOOL +to O +bypass O +security O +products O +. O + +The O +product O +information O +in O +the O +builder O +kit O +matched O +with O +this O +individual O +’s O +YouTube S-IDTY +username O +and O +the O +YouTube S-IDTY +channel O +. O + +The O +njRAT S-MAL +used O +in O +this O +cyber O +attack O +was O +built O +from O +this O +builder O +kit O +. O + +Based O +on O +this O +information O +it O +can O +be O +concluded O +that O +espionage O +actors O +used O +this O +individual O +’s O +modified O +version O +of O +njRAT S-MAL +in O +this O +cyber O +attack O +. O + +Even O +though O +this O +individual O +’s O +email S-TOOL +id O +matched O +with O +the O +Pastebin S-TOOL +id O +where O +base64 O +encoded O +malicious O +code O +was O +found O +, O +it O +is O +hard O +to O +say O +if O +this O +individual O +was O +or O +was O +not O +involved O +in O +this O +cyber O +attack O +. 
O + +It O +could O +be O +possible O +that O +the O +espionage O +actors O +used O +his O +public O +identity O +as O +a O +diversion O +to O +mislead O +and O +to O +hide O +the O +real O +identity O +of O +the O +attackers O +or O +it O +is O +also O +possible O +that O +this O +individual O +was O +hired O +to O +carry O +out O +the O +attack O +. O + +The O +indicators O +are O +provided O +below O +, O +these O +indicators O +can O +be O +used O +by O +the O +organizations O +( O +Government O +, O +Public O +and O +Private O +organizations O +) O +to O +detect O +and O +investigate O +this O +attack O +campaign O +. O +14b9d54f07f3facf1240c5ba89aa2410 S-FILE +( O +googleupdate.exe S-FILE +) O +. O +2b0bd7e43c1f98f9db804011a54c11d6 S-FILE +( O +malib.dll S-FILE +) O +. O +feec4b571756e8c015c884cb5441166b S-FILE +( O +msccvs.dll S-FILE +) O +. O +84d9d0524e14d9ab5f88bbce6d2d2582 S-FILE +( O +officeupdate.exe S-FILE +) O +. O +khanji.ddns.net S-DOM +139.190.6.180 S-IP +39.40.141.25 S-IP +175.110.165.110 S-IP +39.40.44.245 S-IP +39.40.67.219 S-IP +. O +http://pastebin.com/raw/5j4hc8gT S-URL +http://pastebin.com/raw/6bwniBtB S-URL +. O +028caf3b1f5174ae092ecf435c1fccc2 S-FILE +7732d5349a0cfa1c3e4bcfa0c06949e4 S-FILE +9909f8558209449348a817f297429a48 S-FILE +63698ddbdff5be7d5a7ba7f31d0d592c S-FILE +7c4e60685203b229a41ae65eba1a0e10 S-FILE +e2112439121f8ba9164668f54ca1c6af S-FILE +. O + +Attackers O +in O +this O +case O +made O +every O +attempt O +to O +launch O +a O +clever O +attack O +campaign O +by O +spoofing O +legitimate O +email S-TOOL +ids O +and O +using O +an O +email S-TOOL +theme O +relevant O +to O +the O +targets O +. 
O + +The O +following O +factors O +in O +this O +cyber O +attack O +suggests O +the O +possible O +involvement O +of O +Pakistan S-LOC +state O +sponsored O +cyber O +espionage O +group O +to O +mainly O +spy O +on O +India S-LOC +’s O +actions O +related O +to O +these O +Geo-political O +events O +( O +Uri B-ACT +terror I-ACT +attack E-ACT +and O +Jammu B-LOC +& I-LOC +Kashmir E-LOC +protests O +) O +. O + +Victims/targets O +chosen O +( O +Indian B-IDTY +Embassy E-IDTY +and O +Indian B-IDTY +MEA E-IDTY +officals O +) O +. O + +Use O +of O +email S-TOOL +theme O +related O +to O +the O +Geo-political O +events O +that O +is O +of O +interest O +to O +the O +targets O +. O + +Timing O +of O +the O +spear B-ACT +phishing E-ACT +emails S-TOOL +sent O +to O +the O +victims O +. O + +Location O +of O +the O +c2 S-TOOL +infrastructure O +. O + +Use O +of O +malware O +that O +is O +capable O +of O +spying O +on O +infected O +systems O +. O + +The O +following O +factors O +show O +the O +level O +of O +sophistication O +and O +reveals O +the O +attackers O +intention O +to O +remain O +stealthy O +and O +to O +gain O +long-term O +access O +by O +evading O +anti-virus O +, O +sandbox O +and O +security O +monitoring O +at O +both O +the O +desktop O +and O +network O +levels O +. O + +Use O +of O +obfuscated O +malicious B-TOOL +macro I-TOOL +code E-TOOL +. O + +Use O +of O +macro B-TOOL +code E-TOOL +that O +triggers O +only O +on O +user O +intervention O +( O +to O +bypass O +sandbox O +analysis O +) O +. O + +Use O +of O +legitimate O +site O +( O +Pastebin S-TOOL +) O +to O +host O +malicious O +code O +( O +to O +bypass O +security O +monitoring O +) O +. O + +Use O +of O +customized O +njRAT S-MAL +( O +capable O +of O +evading O +anti-virus O +) O +. O + +The O +Curious O +Case O +of O +Notepad S-TOOL +and O +Chthonic S-MAL +: O +Exposing O +a O +Malicious O +Infrastructure O +. 
O + +Recently O +, O +I O +’ve O +been O +investigating O +malware O +utilizing O +PowerShell S-TOOL +and O +have O +spent O +a O +considerable O +amount O +of O +time O +refining O +ways O +to O +identify O +new O +variants O +of O +attacks O +as O +they O +appear O +. O + +This O +posting O +is O +a O +follow-up O +of O +my O +previous O +work O +on O +this O +subject O +in O + +“ O +Pulling O +Back O +the O +Curtains O +on O +EncodedCommand O +PowerShell S-TOOL +Attacks O +” O +. O + +In O +a O +sample O +I O +recently O +analyzed O +, O +something O +stood O +out O +as O +extremely O +suspicious O +which O +led O +me O +down O +a O +rabbit O +hole O +, O +uncovering O +malicious O +infrastructure O +supporting O +Chthonic S-MAL +, O +Nymaim S-MAL +, O +and O +other O +malware O +and O +malicious O +websites O +. O + +Throughout O +this O +blog O +post O +I O +present O +my O +analysis O +and O +thought O +process O +during O +this O +research O +, O +but O +if O +you O +would O +just O +like O +a O +list O +of O +the O +findings O +, O +they O +are O +over O +on O +our O +Unit42 S-SECTEAM +GitHub S-TOOL +. O + +Most O +commonly O +, O +PowerShell S-TOOL +is O +launched O +from O +a O +Microsoft B-TOOL +Office I-TOOL +document E-TOOL +that O +uses O +a O +VBA B-TOOL +macro E-TOOL +to O +launch O +PowerShell S-TOOL +to O +perform O +something O +malicious O +– O +typically O +downloading O +the O +“ O +real O +” O +malware O +to O +run O +. O + +I O +focused O +my O +hunting O +on O +the O +PowerShell S-TOOL +activity O +with O +Palo O +Alto O +Networks O +AutoFocus O +to O +determine O +whether O +it O +’s O +worth O +digging O +into O +further O +based O +on O +“ O +uniqueness O +” O +and O +functionality O +. O + +In O +this O +case O +, O +the O +first O +sample O +I O +looked O +at O +stood O +out O +for O +another O +reason O +entirely O +. 
O + +If O +you O +take O +a O +look O +at O +the O +below O +PowerShell S-TOOL +, O +you O +’ll O +quickly O +understand O +why O +. O + +Most O +commonly O +, O +PowerShell S-TOOL +is O +launched O +from O +a O +Microsoft B-TOOL +Office I-TOOL +document E-TOOL +that O +uses O +a O +VBA B-TOOL +macro E-TOOL +to O +launch O +PowerShell S-TOOL +to O +perform O +something O +malicious O +– O +typically O +downloading O +the O +“ O +real O +” O +malware O +to O +run O +. O + +I O +focused O +my O +hunting O +on O +the O +PowerShell S-TOOL +activity O +with O +Palo O +Alto O +Networks O +AutoFocus O +to O +determine O +whether O +it O +’s O +worth O +digging O +into O +further O +based O +on O +“ O +uniqueness O +” O +and O +functionality O +. O + +My O +initial O +thought O +was O +the O +worst-case O +scenario O +– O +they O +’ve O +been O +compromised O +and O +are O +distributing B-ACT +malware E-ACT +! O +I O +immediately O +downloaded O +the O +file O +from O +the O +website O +, O +but O +everything O +looked O +normal O +. O + +Of O +course O +, O +I O +had O +to O +investigate O +further O +. O + +Looking O +under O +the O +hood O +we O +see O +the O +VBA S-TOOL +code O +that O +builds O +the O +PowerShell B-FILE S-TOOL I-FILE +command E-FILE +and O +launches O +it O +but O +something O +seemed O +off O +. O + +There O +are O +a O +ton O +of O +functions O +that O +are O +clearly O +decoding O +information O +from O +arrays O +after O +which O +it O +executes O +an O +already O +decoded O +PowerShell S-TOOL +command O +. O + +I O +decided O +to O +debug O +the O +macro O +and O +see O +exactly O +what O +it O +’s O +doing O +before O +I O +made O +any O +decisions O +. 
O + +The O +most O +likely O +conclusion O +that O +can O +be O +drawn O +here O +is O +that O +an O +analyst O +or O +researcher O +obtained O +this O +file O +, O +modified O +it O +to O +see O +the O +content O +( O +misspelling O +the O +variable O +name O +along O +the O +way O +) O +post-decoding O +, O +and O +uploaded O +it O +to O +see O +what O +it O +did O +in O +a O +sandbox O +. O + +To O +be O +sure O +though O +, O +I O +needed O +to O +find O +other O +samples O +and O +see O +how O +they O +stacked O +up O +against O +this O +one O +. O + +Going O +back O +to O +the O +PowerShell S-TOOL +command O +, O +the O +initial O +reason O +I O +stopped O +to O +look O +at O +it O +was O +due O +to O +the O +way O +they O +concatenated O +variables O +to O +form O +the O +download O +command O +and O +output O +. O + +This O +also O +provides O +a O +perfect O +pivot B-TOOL +point E-TOOL +to O +hunt O +for O +samples O +. O + +The O +dates O +were O +all O +fairly O +recent O +, O +having O +been O +received O +in O +the O +past O +few O +days O +since O +the O +beginning B-TIME +of I-TIME +August E-TIME +. O + +The O +documents O +shared O +the O +same O +themes O +for O +lures O +but O +the O +VBA B-TOOL +macro E-TOOL +and O +resulting O +PowerShell S-TOOL +were O +more O +along O +the O +lines O +of O +what O +I O +expected O +. O + +For O +sample O +“ O +538ff577a80748d87b5e738e95c8edd2bd54ea406fe3a75bf452714b17528a87 S-SHA2 +” O +the O +following O +is O +an O +excerpt O +from O +the O +VBA B-TOOL +macro E-TOOL +building O +the O +PowerShell S-TOOL +command O +. O + +Along O +with O +the O +subsequent O +Process O +Activity O +using O +the O +newly O +built O +PowerShell S-TOOL +command O +, O +which O +aligns O +with O +what O +was O +commented O +out O +of O +the O +first O +sample O +analyzed O +. 
O + +Given O +this O +, O +I O +iterated O +over O +all O +171 O +samples O +and O +extracted O +the O +following O +URL O +’s O +where O +PowerShell S-TOOL +is O +downloading O +a O +payload O +: O + +http://ditetec.com S-DOM/ts.exe S-FILE +http://ditetec.com S-DOM/u2.exe S-FILE +http://domass.com.ua S-DOM/index.gif S-FILE +http://firop.com S-DOM/ego.exe S-FILE +http://unoset.com S-DOM/jpx.exe S-FILE +http://unoset.com S-DOM/sxr.exe S-FILE +https://doci.download S-DOM/inc.exe S-FILE +https://farhenzel.co S-DOM/gls.exe S-FILE +https://farsonka.co S-DOM/trb.exe S-FILE +https://formsonat.co S-DOM/mrb.exe S-FILE +https://fortuma.co S-DOM/scu.exe S-FILE +https://iilliiill.bid S-DOM/6ven.exe S-FILE +https://iilliiill.bid S-DOM/ven.exe S-FILE +https://iilliiill.bid S-DOM/ven.tvv S-FILE +https://lom.party S-DOM/mov.exe S-FILE +https://naiillad.date S-DOM/ex3.exe S-FILE +https://naiillad.date S-DOM/u3.exe S-FILE +https://naiillad.date S-DOM/vmer.exe S-FILE +https://naiillad.date S-DOM/vsync.exe S-FILE +https://notepad-plus-plus.org/repository S-DOM/7.x/7.4.2/npp.7.4.2.Installer.exe S-FILE +https://prof.cricket S-DOM/wp.exe S-FILE +https://tvavi.win S-DOM/pago.exe S-FILE +. O + +After O +iterating O +over O +the O +171 O +samples O +, O +we O +’re O +left O +with O +this O +list O +of O +hashes O +for O +the O +downloaded O +files O +. O + +Note O +that O +there O +are O +fewer O +payloads O +than O +there O +are O +samples O +, O +indicating O +many O +of O +the O +documents O +download O +the O +same O +payload O +. O + +Below O +is O +a O +table O +with O +the O +compile O +date O +and O +some O +PDB O +strings O +found O +within O +a O +few O +of O +the O +binaries O +. O + +Most O +of O +the O +compile O +times O +are O +within O +the B-TIME +past I-TIME +two I-TIME +months E-TIME +, O +with O +6 O +in O +August S-TIME +and O +a O +couple O +from O +as O +recently B-TIME +as I-TIME +two I-TIME +days I-TIME +ago E-TIME +at O +the O +time O +of O +this O +writing O +. 
O +29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad S-SHA2 +2016-12-10 B-TIME +01 E-TIME +. O +d5e56b9b5f52293b209a60c2ccd0ade6c883f9d3ec09571a336a3a4d4c79134b S-SHA2 +2016-12-10 B-TIME +03 E-TIME +C:\RAMDrive\Charles\heaven\reams\Teac.pdb O +. O +dd5f237153856d19cf20e80ff8238ca42047113c44fae27b5c3ad00be2755eea S-SHA2 +2016-12-10 B-TIME +16 E-TIME +C:\Cleaner\amuse\rang\AutoPopulate\la.pdb O +. O +a5001e9b29078f532b1a094c8c16226d20c03922e37a4fca2e9172350bc160a0 S-SHA2 +2016-12-20 B-TIME +18 E-TIME +. O +8284ec768a06b606044defe2c2da708ca6b3b51f8e58cb66f61bfca56157bc88 S-SHA2 +2017-07-05 B-TIME +10 E-TIME +. O +f0ce51eb0e6c33fdb8e1ccb36b9f42139c1dfc58d243195aedc869c7551a5f89 S-SHA2 +2017-07-09 B-TIME +20 E-TIME +C:\TableAdapter\encyclopedia\Parik.pdb O +. O +145d47f4c79206c6c9f74b0ab76c33ad0fd40ac6724b4fac6f06afec47b307c6 S-SHA2 +2017-07-10 B-TIME +08 E-TIME +C:\ayakhnin\reprductive\distortedc.pdb O +. O +dc8f34829d5fede991b478cf9117fb18c32d639573a827227b2fc50f0b475085 S-SHA2 +2017-07-11 B-TIME +01 E-TIME +C:\positioning\scrapping\Szets\thi.pdb O +. O +7fe1069c118611113b4e34685e7ee58cb469bda4aa66a22db10842c95f332c77 S-SHA2 +2017-07-11 B-TIME +02 E-TIME +C:\NeXT\volatile\legacyExchangeDNs.pdb O +. O +5edf117e7f8cd176b1efd0b5fd40c6cd530699e7a280c5c7113d06e9c21d6976 S-SHA2 +2017-07-12 B-TIME +23 E-TIME +. O +2a80fdda87127bdc56fd35c3e04eb64a01a159b7b574177e2e346439c97b770a S-SHA2 +2017-07-13 B-TIME +00. E-TIME +a9021e253ae52122cbcc2284b88270ceda8ad9647515d6cca96db264a76583f5 S-SHA2 +2017-07-18 B-TIME +00 E-TIME +. O +dd639d76ff6f33bbfaf3bd398056cf4e95e27822bd9476340c7703f5b38e0183 S-SHA2 +2017-07-18 B-TIME +00 E-TIME +. O +e5a00b49d4ab3e5a3a8f60278b9295f3d252e3e04dadec2624bb4dcb2eb0fada S-SHA2 +2017-07-24 B-TIME +17 E-TIME +. O +6263730ef54fbed0c2d3a7c6106b6e8b12a6b2855a03e7caa8fb184ed1eabeb2 S-SHA2 +2017-07-24 B-TIME +22 E-TIME +C:\Snapshot\Diskette\hiding\ROCKMA.pdb O +. 
O +43bfaf9a2a4d46695bb313a32d88586c510d040844f29852c755845a5a09d9df S-SHA2 +2017-07-25 B-TIME +06 E-TIME +. O +b41660db6dcb0d3c7b17f98eae3141924c8c0ee980501ce541b42dc766f85628 S-SHA2 +2017-07-25 B-TIME +06 E-TIME +C:\mdb\Changed\Container\praise.pdb O +. O +9acdad02ca8ded6043ab52b4a7fb2baac3a08c9f978ce9da2eb51c816a9e7a2e S-SHA2 +2017-07-25 B-TIME +07 E-TIME +. O +2ddaa30ba3c3e625e21eb7ce7b93671ad53326ef8b6e2bc20bc0d2de72a3929d S-SHA2 +2017-07-25 B-TIME +20 E-TIME +C:\helpers\better\Expr\Eight\DS.pdb O +. O +b836576877b2fcb3cacec370e5e6a029431f59d5070da89d94200619641ca0c4 S-SHA2 +2017-07-26 B-TIME +12 E-TIME +C:\V\regard\violates\update\AMBW\a.pdb O +. O +0972fc9602b00595e1022d9cfe7e9c9530d4e9adb5786fea830324b3f7ff4448 S-SHA2 +2017-07-26 B-TIME +20 E-TIME +. O +2c258ac862d5e31d8921b64cfa7e5a9cd95cca5643c9d51db4c2fcbe75fa957a S-SHA2 +2017-07-27 B-TIME +01 E-TIME +C:\executablery\constructed\IIc.pdb O +. O +dd9c558ba58ac81a2142ecb308ac8d0f044c7059a039d2e367024d953cd14a00 S-SHA2 +2017-07-27 B-TIME +02 E-TIME +. O +cb3173a820ac392005de650bbd1dd24543a91e72d4d56300a7795e887a8323b2 S-SHA2 +2017-07-31 B-TIME +14 E-TIME +C:\letterbxing\EVP\Chices\legit.pdb O +. O +a636f49814ea6603534f780b83a5d0388f5a5d0eb848901e1e1bf2d19dd84f05 S-SHA2 +2017-07-31 B-TIME +18 E-TIME +C:\Biomuse\moment\705\cnvincing.pdb O +. O +677dd11912a0f13311d025f88caabeeeb1bda27c7c1b5c78cffca36de46e8560 S-SHA2 +2017-07-31 B-TIME +21 E-TIME +. O +fdedf0f90d42d3779b07951d1e8826c7015b3f3e724ab89e350c9608e1f23852 S-SHA2 +2017-08-01 B-TIME +21 E-TIME +. O +142bf7f47bfbd592583fbcfa22a25462df13da46451b17bb984d50ade68a5b17 S-SHA2 +2017-08-02 B-TIME +09 E-TIME +. O +6f4b2c95b1a0f320da1b1eaa918c338c0bab5cddabe169f12ee734243ed8bba8 S-SHA2 +2017-08-02 B-TIME +12 E-TIME +C:\cataloging\Dr\VarianceShadows11.pdb O +. O +fd5fd7058cf157ea249d4dcba71331f0041b7cf8fd635f37ad13aed1b06bebf2 S-SHA2 +2017-08-04 B-TIME +02 E-TIME +C:\dumplings\That\BIT\Warez\loc.pdb O +. 
O +5785c2d68d6f669b96c3f31065f0d9804d2ab1f333a90d225bd993e66656b7d9 S-SHA2 +2017-08-07 B-TIME +12 E-TIME +C:\Lgisys\hypothesized\donatedc.pdb O +. O +675719a9366386034c285e99bf33a1a8bafc7644874b758f307d9a288e95bdbd S-SHA2 +2017-08-07 B-TIME +17 E-TIME +C:\work\cr\nata\cpp\seven\seven\release\seven.pdb O +. O + +At O +least O +one O +of O +the O +binaries O +compiled O +in O +August S-TIME +had O +a O +PDB O +string O +I O +was O +able O +to O +locate O +online O +in O +a O +collection O +of O +other O +PDB O +files O +, O +so O +they O +may O +be O +introducing O +their O +malicious O +code O +into O +these O +files O +before O +compiling O +someone O +else O +’s O +project O +. O + +Once O +the O +file O +has O +been O +downloaded O +and O +executed O +, O +the O +new O +process O +will O +launch O +a O +legitimate O +executable O +, O +such O +as O +“ O +msiexec.exe S-FILE +” O +, O +and O +inject O +code O +into O +it O +. O + +This O +code O +will O +then O +download O +further O +payloads O +through O +a O +POST S-PROT +request O +to O +various O +websites O +. O + +This O +pattern O +is O +shared O +across O +the O +original O +samples O +. O + +These O +HTTP S-PROT +requests O +match O +known O +patterns O +for O +a O +banking B-MAL +Trojan E-MAL +named O +Chthonic S-MAL +, O +which O +is O +a O +variant O +of O +Zeus O +. O + +A O +good O +write-up O +from O +2014 S-TIME +on O +the O +malware O +can O +be O +found O +in O +this O +writeup O +from O +Yury O +Namestnikov O +, O +Vladimir O +Kuskov O +, O +Oleg O +Kupreev O +at O +Kaspersky B-LOC +Lab E-LOC +here O +and O +indicates O +that O +the O +returned O +data O +is O +an O +RC4 S-ENCR +encrypted O +loader O +that O +sets-up O +the O +main O +Chthonic S-MAL +module O +which O +can O +download O +additional O +modules O +or O +malware O +. 
O + +Iterating O +once O +again O +over O +the O +171 O +samples O +and O +scraping O +out O +the O +HTTP S-PROT +POST S-PROT +requests O +, O +I O +ended O +up O +with O +the O +below O +set O +of O +domains O +: O + +amellet.bit S-DOM +danrnysvp.com S-DOM +ejtmjealr.com S-DOM +firop.com S-DOM +gefinsioje.com S-DOM +gesofgamd.com S-DOM +ponedobla.bit S-DOM +unoset.com S-DOM +. O + +Using O +this O +as O +the O +next O +pivot O +, O +we O +have O +6,034 O +unique O +samples O +that O +get O +returned O +in O +AutoFocus O +having O +made O +POST S-PROT +requests O +to O +these O +sites O +. O + +Additionally O +, O +we O +can O +see O +there O +were O +at O +least O +3 O +very O +large O +campaigns O +where O +Palo O +Alto O +Networks O +saw O +activity O +to O +these O +sites O +in O +July S-TIME +. O + +From O +these O +distribution O +sites O +, O +we O +can O +see O +that O +5,520 O +samples O +are O +making O +HTTP S-PROT +requests O +to O +them O +and O +these O +samples O +have O +been O +identified O +as O +another O +downloader O +Trojan S-MAL +named O +Nymaim S-MAL +. O + +The O +majority O +of O +the O +overall O +samples O +came O +from O +the O +following O +four O +sites O +: O + +ejtmjealr.com S-DOM +gefinsioje.com S-DOM +gesofgamd.com S-DOM +ponedobla.bit S-DOM +. O + +The O +‘ O +ejtmjealr.com S-DOM +’ O +domain O +is O +particularly O +interesting O +due O +to O +a O +similar O +domain O +, O +‘ O +ejdqzkd.com S-DOM +’ O +being O +discussed O +by O +Jarosław O +Jedynak O +of O +CERT.PL S-IDTY +in O +this O +analysis O +of O +Nymaim S-MAL +from O +earlier B-TIME +in I-TIME +the I-TIME +year E-TIME +. O + +They O +go O +on O +to O +discuss O +how O +Nymaim S-MAL +uses O +a O +static O +configuration O +to O +contact O +that O +domain O +, O +which O +will O +return O +IP O +’s O +that O +go O +into O +a O +DGA O +and O +output O +the O +actual O +IP O +addresses O +needed O +for O +C2 S-TOOL +communication O +. 
O + +Ben O +Baker O +, O +Edmund O +Brumaghin O +and O +Jonah O +Samost O +of O +Talos S-IDTY +have O +a O +fantastic O +write-up O +of O +this O +process O +here O +. O + +To O +continue O +my O +analysis O +, O +I O +shifted O +focus O +to O +Maltego S-TOOL +so O +as O +to O +visually O +graph O +the O +infrastructure O +. O + +For O +this O +task O +, O +I O +used O +PassiveTotal B-TOOL +’s I-TOOL +Passive I-TOOL +DNS E-TOOL +and O +AutoFocus B-TOOL +Maltego I-TOOL +transforms E-TOOL +. O + +Pivoting O +off O +the O +five O +highlighted O +IP O +’s O +above O +with O +a O +shared O +infrastructure O +, O +I O +pulled O +the O +reverse O +DNS S-PROT +to O +see O +what O +other O +sites O +may O +be O +present O +. O + +The O +“ O +idXXXXX.top O +” O +pattern O +immediately O +stands O +out O +and O +may O +suggest O +a O +pattern O +in O +the O +static O +configuration O +for O +the O +initial O +domains O +used O +by O +the O +DGA O +for O +Nymaim S-MAL +since O +the O +previous O +two O +started O +with O +“ O +ejX.com S-DOM +. O + +Given O +the O +level O +of O +overlap O +already O +, O +I O +proceeded O +to O +grab O +all O +of O +the O +passive O +DNS S-PROT +available O +for O +each O +of O +the O +707 O +IP O +addresses O +. O + +A O +full O +list O +of O +the O +domains O +can O +be O +seen O +here O +. O + +From O +the O +first O +cluster O +on O +the O +left O +, O +if O +we O +sort O +by O +incoming O +links O +per O +node O +a O +pattern O +stands O +out O +in O +the O +domain O +names O +looking O +similar O +to O +the O +previously O +mentioned O +Nymaim S-MAL +ones O +. O + +A O +quick O +search O +with O +the O +AutoFocus O +transform O +to O +pull O +tag O +information O +shows O +these O +are O +specifically O +related O +to O +Nymaim S-MAL +, O +most O +likely O +for O +the O +DGA O +seed O +; O +however O +, O +looking O +at O +domains O +with O +less O +links O +, O +other B-MAL +malware I-MAL +families E-MAL +begin O +to O +emerge O +. 
O + +The O +cluster O +on O +the O +right O +is O +actually O +collapsing O +one O +collection O +of O +entities O +due O +to O +the O +sheer O +size O +of O +it O +. O + +All O +of O +these O +connected O +domains O +follow O +a O +pattern O +similar O +to O +phishing B-ACT +attacks E-ACT +masquerading O +as O +legitimate O +services O +– O +in O +this O +case O +“ O +online.verify.paypal O +” O +( O +588 O +) O +and O +“ O +hmrc.secure.refund O +” O +( O +1021 O +) O +. O + +In O +addition O +to O +domains O +of O +that O +type O +, O +there O +is O +evidence O +of O +other O +malware O +distribution O +being O +carried O +out O +on O +this O +infrastructure O +. O + +Collapsing O +the O +collection O +back O +down O +, O +note O +the O +two O +domains O +“ O +brontorittoozzo.com S-DOM +” O +and O +“ O +randomessstioprottoy.net S-DOM +” O +that O +fall O +outside O +of O +the O +collection O +due O +to O +more O +infrastructure O +connections O +. O + +By O +pivoting O +off O +of O +one O +sample O +we O +were O +able O +to O +zoom O +out O +and O +identify O +a O +sizable O +infrastructure O +of O +what O +appears O +to O +be O +707 O +IP O +’s O +and O +2,611 O +domains O +being O +utilized O +for O +malicious O +activity O +. O + +As O +such O +, O +these O +findings O +represent O +a O +collection O +of O +compromised O +websites O +, O +compromised O +registrar O +accounts O +used O +to O +spin O +up O +subdomains O +, O +domains O +used O +by O +malware O +DGA S-MAL +’s O +, O +phishing E-ACT +kits O +, O +carding O +forums O +, O +malware O +C2 S-TOOL +sites O +, O +and O +a O +slew O +of O +other O +domains O +that O +revolve O +around O +criminal O +activity O +. 
O + +Hopefully O +this O +analysis O +has O +been O +helpful O +in O +understanding O +how O +truly O +connected O +some O +of O +these O +infrastructures O +can O +be O +and O +how O +with O +a O +little O +digging O +, O +you O +can O +uncover O +a O +substantial O +amount O +of O +operationally O +useful O +indicators O +to O +protect O +you O +and O +yours O +. O + +The O +Full O +Shamoon S-MAL +: O +How O +the O +Devastating O +Malware O +Was O +Inserted O +Into O +Networks O + +. O + +Researchers O +from O +the O +IBM B-SECTEAM +X-Force I-SECTEAM +Incident I-SECTEAM +Response I-SECTEAM +and I-SECTEAM +Intelligence I-SECTEAM +Services I-SECTEAM +( I-SECTEAM +IRIS I-SECTEAM +) I-SECTEAM +team E-SECTEAM +identified O +a O +missing O +link O +in O +the O +operations O +of O +a O +threat O +actor O +involved O +in O +recent O +Shamoon O +malware O +attacks O +against O +Gulf B-LOC +state E-LOC +organizations O +. O + +These O +attacks O +, O +which O +occurred O +in O +November B-TIME +2016 E-TIME +and O +January B-TIME +2017 E-TIME +, O +reportedly O +affected O +thousands O +of O +computers O +across O +multiple O +government O +and O +civil O +organizations O +in O +Saudi B-LOC +Arabia E-LOC +and O +elsewhere O +in O +Gulf B-LOC +states E-LOC +. O + +Shamoon S-MAL +is O +designed O +to O +destroy O +computer O +hard O +drives O +by O +wiping O +the O +master O +boot O +record O +( O +MBR O +) O +and O +data O +irretrievably O +, O +unlike O +ransomware O +, O +which O +holds O +the O +data O +hostage O +for O +a O +fee O +. O + +Through O +their O +recent O +investigations O +, O +our O +forensics O +analysts O +pinpointed O +the O +initial O +compromise O +vector O +and O +post-compromise O +operations O +that O +led O +to O +the O +deployment O +of O +the O +destructive O +Shamoon S-MAL +malware O +on O +targeted O +infrastructures O +. 
O + +It O +’s O +worth O +mentioning O +that O +, O +according O +to O +X-Force B-SECTEAM +IRIS E-SECTEAM +, O +the O +initial O +compromise O +took O +place O +weeks O +before O +the O +actual O +Shamoon S-MAL +deployment O +and O +activation O +were O +launched O +. O + +Since O +Shamoon O +incidents O +feature O +the O +infiltration O +and O +escalation O +stages O +of O +targeted O +attacks O +, O +X-Force B-TOOL +IRIS I-TOOL +responders E-TOOL +sought O +out O +the O +attackers O +’ O +entry O +point O +. O + +Their O +findings O +pointed O +to O +what O +appears O +to O +be O +the O +initial O +point O +of O +compromise O +the O +attackers O +used O +: O +a O +document O +containing O +a O +malicious O +macro O +that O +, O +when O +approved O +to O +execute O +, O +enabled O +C2 S-PROT +communications O +to O +the O +attacker O +’s O +server O +and O +remote O +shell O +via O +PowerShell S-TOOL +. O + +The O +document O +was O +not O +the O +only O +one O +discovered O +in O +the O +recent O +attack O +waves O +. O + +X-Force B-SECTEAM +IRIS E-SECTEAM +researchers O +had O +been O +tracking O +earlier O +activity O +associated O +with O +similar O +malicious O +, O +PowerShell-laden O +documents O +themed O +as O +resumes O +and O +human O +resources O +documents O +, O +some O +of O +which O +related O +to O +organizations O +in O +Saudi B-LOC +Arabia E-LOC +. O + +This O +research O +identified O +several O +bouts O +of O +offensive O +activity O +that O +occurred O +in O +the O +past O +few O +months O +, O +which O +revealed O +similar O +operational O +methods O +in O +which O +the O +attackers O +served O +malicious O +documents O +and O +other O +malware O +executables O +from O +web O +servers O +to O +their O +targets O +to O +establish O +an O +initial O +foothold O +in O +the O +network O +. 
O + +Although O +Shamoon S-MAL +was O +previously O +documented O +in O +research O +blogs O +, O +the O +specific O +network O +compromise O +methods O +leading O +to O +the O +attacks O +have O +remained O +unclear O +in O +the O +reported O +cases O +. O + +X-Force B-SECTEAM +IRIS E-SECTEAM +researchers O +studied O +Shamoon S-MAL +’s O +attack O +life O +cycle O +and O +observed O +its O +tactics O +at O +Saudi-based O +organizations O +and O +private O +sector O +companies O +. O + +This O +research O +led O +them O +to O +believe O +that O +the O +actor O +using O +Shamoon S-MAL +in O +recent O +attacks O +relied O +heavily O +on O +weaponized O +documents O +built O +to O +leverage O +PowerShell S-TOOL +to O +establish O +their O +initial O +network O +foothold O +and O +subsequent O +operations O +: O + +Attackers O +send O +a O +spear B-ACT +phishing E-ACT +email S-TOOL +to O +employees O +at O +the O +target O +organization O +. O + +The O +email S-TOOL +contains O +a O +Microsoft B-TOOL +Office E-TOOL +document O +as O +an O +attachment O +. O + +Opening O +the O +attachment O +from O +the O +email S-TOOL +invokes O +PowerShell S-TOOL +and O +enables O +command O +line O +access O +to O +the O +compromised O +machine O +. O + +Attackers O +can O +now O +communicate O +with O +the O +compromised O +machine O +and O +remotely O +execute O +commands O +on O +it O +. O + +The O +attackers O +use O +their O +access O +to O +deploy O +additional O +tools O +and O +malware O +to O +other O +endpoints O +or O +escalate O +privileges O +in O +the O +network O +. O + +Attackers O +study O +the O +network O +by O +connecting O +to O +additional O +systems O +and O +locating O +critical O +servers O +. O + +The O +attackers O +deploy O +the O +Shamoon S-MAL +malware O +. O + +A O +coordinated O +Shamoon S-MAL +outbreak O +begins O +and O +computer O +hard O +drives O +across O +the O +organization O +are O +permanently O +wiped O +. 
O + +X-Force B-SECTEAM +IRIS E-SECTEAM +identified O +the O +below O +malicious O +document O +. O + +X-Force O +IRIS O +File O +name O +: O +cv_itworx.doc S-FILE +. O + +X-Force O +IRIS O +MD5 S-ENCR +: O +45b0e5a457222455384713905f886bd4 S-MD5 +. O + +X-Force O +IRIS O +SHA256 S-ENCR +: O +528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62 S-SHA1 +. O + +X-Force O +IRIS O +Hosting O +URL O +: O +http://mol.com-ho.me/cv_itworx.doc S-URL +. O + +Our O +researchers O +examined O +the O +domain O +that O +hosted O +the O +first O +malicious O +file O +, O +mol.com-ho.me S-DOM +. O + +Per O +the O +domain O +’s O +WHOIS S-PROT +record O +, O +an O +anonymized O +registrant O +registered O +com-ho.me S-DOM +in O +October B-TIME +2016 E-TIME +and O +used O +it O +to O +serve O +malicious O +documents O +with O +similar O +macro O +activation O +features O +. O + +The O +following O +list O +of O +documents O +included O +: O + +cv.doc S-FILE +: O +f4d18316e367a80e1005f38445421b1f S-MD5 +. O +cv_itworx.doc S-FILE +: O +45b0e5a457222455384713905f886bd4 S-MD5 +. O +cv_mci.doc S-FILE +: O +f4d18316e367a80e1005f38445421b1f S-MD5 +. O +discount_voucher_codes.xlsm S-FILE +: O +19cea065aa033f5bcfa94a583ae59c08 S-MD5 +. O + +Health_insurance_plan.doc S-FILE +: O +ecfc0275c7a73a9c7775130ebca45b74 S-MD5 +. O + +Health_insurance_registration.doc S-FILE +: O +1b5e33e5a244d2d67d7a09c4ccf16e56 S-MD5 +. O +job_titles.doc S-FILE +: O +fa72c068361c05da65bf2117db76aaa8 S-MD5 +. O +job_titles_itworx.doc S-FILE +: O +43fad2d62bc23ffdc6d301571135222c S-MD5 +. O +job_titles_mci.doc S-FILE +: O +ce25f1597836c28cf415394fb350ae93 S-MD5 +. O + +Password_Policy.xlsm S-FILE +: O +03ea9457bf71d51d8109e737158be888 S-MD5 +. O + +These O +files O +were O +most O +likely O +delivered O +via O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +lure O +employees O +into O +unwittingly O +launching O +the O +malicious O +payload O +. 
O + +A O +closer O +review O +of O +the O +file O +names O +revealed O +“ O +IT B-SECTEAM +Worx E-SECTEAM +” O +and O +“ O +MCI S-IDTY +” O +. O + +A O +search O +of O +the O +name O +IT B-SECTEAM +Worx E-SECTEAM +brings O +up O +a O +global B-SECTEAM +software I-SECTEAM +professional I-SECTEAM +services I-SECTEAM +organization E-SECTEAM +headquartered O +in O +Egypt S-LOC +. O + +MCI S-IDTY +is O +Saudi B-IDTY +Arabia I-IDTY +’s I-IDTY +Ministry I-IDTY +of I-IDTY +Commerce I-IDTY +and I-IDTY +Investment E-IDTY +. O + +It O +is O +possible O +these O +names O +were O +used O +in O +spear B-ACT +phishing E-ACT +emails S-TOOL +because O +they O +would O +seem O +benign O +to O +Saudi-based O +employees O +and O +lure O +them O +to O +open O +the O +attachment O +. O + +X-Force B-SECTEAM +IRIS E-SECTEAM +researchers O +further O +identified O +that O +the O +threat O +actor O +behind O +the O +malicious O +documents O +served O +many O +of O +them O +using O +a O +URL-shortening O +scheme O +in O +the O +following O +pattern O +: O +briefl.ink/{a-z0-9}[5] S-URL +. O + +File O +Detail O +: O +Info O +File O +name O +: O +job_titles_itworx.doc S-FILE +. O + +MD5 S-ENCR +: O +43fad2d62bc23ffdc6d301571135222c S-MD5 +. O + +SHA256 S-ENCR +: O +e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6 S-SHA1 +. O + +Hosting O +URL O +: O +http://briefl.ink/qhtma S-URL +. O + +Passive O +DNS S-PROT +results O +on O +a O +communications O +domain O +associated O +with O +the O +Shamoon S-MAL +attack O +revealed O +related O +network O +infrastructure O +, O +identifying O +additional O +domains O +used O +by O +the O +threat O +actors O +. O + +Domain O +Name O +: O +Spoofed O +Site O +ntg-sa.com S-URL +The O +domain O +ntg-sa.com S-URL +appears O +to O +spoof O +the O +legit O +domain O +ntg.sa.com S-URL +associated O +with O +the O +Namer B-IDTY +Trading I-IDTY +Group E-IDTY +. 
O + +Per O +their O +webpage O +, O +NTG O +“ O +was O +established O +primarily O +to O +cater O +the O +growing O +demands O +of O +Petrochemicals O +waste O +management O +within O +the O +Kingdom O +of O +Saudi O +Arabia O +” O +. O +maps-modon.club S-URL +: O +The O +maps-modon.club S-URL +domain O +appears O +to O +spoof O +maps.modon.gov.sa S-URL +, O +which O +is O +associated O +with O +the O +Saudi B-IDTY +Industrial I-IDTY +Property I-IDTY +Authority E-IDTY +, O +an O +organization O +“ O +responsible O +for O +the O +development O +of O +industrial O +cities O +with O +integrated O +infrastructure O +and O +services O +” O +. O + +X-Force B-SECTEAM +IRIS E-SECTEAM +discovered O +that O +the O +threat O +actor O +was O +hosting O +at O +least O +one O +malicious O +executable O +on O +a O +server O +hosted O +on O +ntg-sa.com S-URL +. O + +This O +file O +duped O +targets O +into O +believing O +it O +was O +a O +Flash B-TOOL +player E-TOOL +installer O +that O +would O +drop O +a O +Windows S-OS +batch O +to O +invoke O +PowerShell S-TOOL +into O +the O +same O +C2 S-PROT +communications O +. O + +Analysis O +of O +one O +of O +the O +threat O +actor O +’s O +documents O +found O +that O +if O +the O +macro O +executes O +, O +it O +launches O +two O +separate O +PowerShell S-TOOL +Scripts O +. O + +The B-MAL +first I-MAL +one E-MAL +executes O +a O +PowerShell S-TOOL +script O +served O +from O +http://139.59.46.154:3485/eiloShaegae1 S-URL +. O + +The O +host O +is O +possibly O +related O +to O +attacks O +that O +served O +the O +Pupy B-TOOL +RAT E-TOOL +, O +a O +publicly O +available O +cross-platform O +remote O +access O +tool O +. O + +The B-MAL +second I-MAL +script E-MAL +calls O +VirtualAlloc O +to O +create O +a O +buffer O +, O +uses O +memset O +to O +load O +Metasploit-related O +shellcode O +into O +that O +buffer O +and O +executes O +it O +through O +CreateThread O +. 
O + +Metasploit S-TOOL +is O +an O +open O +source O +framework O +popular O +as O +a O +tool O +for O +developing O +and O +executing O +exploit O +code O +against O +a O +remote O +target O +machine O +. O + +The O +shellcode O +performs O +a O +DWORD B-ENCR +XOR E-ENCR +of O +4 O +bytes O +at O +an O +offset O +from O +the O +beginning O +of O +the O +shellcode O +that O +changes O +the O +code O +to O +create O +a O +loop O +so O +the O +XOR O +continues O +0x57 O +times O +. O + +If O +this O +execution O +is O +successful O +, O +it O +creates O +a O +buffer O +using O +VirtualAlloc O +and O +calls O +InternetReadFile O +in O +a O +loop O +until O +all O +the O +file O +contents O +are O +retrieved O +from O +http://45.76.128.165:4443/0w0O6 S-URL +. O + +This O +is O +then O +returned O +as O +a O +string O +to O +PowerShell S-TOOL +, O +which O +calls O +invoke-expression O +( O +iex O +) O +on O +it O +, O +indicating O +that O +the O +expected O +payload O +is O +PowerShell S-TOOL +. O + +Of O +note O +, O +the O +macro O +contained O +a O +DownloadFile() O +function O +that O +would O +use O +URLDownloadToFileA O +, O +but O +this O +was O +never O +actually O +used O +. O + +Based O +on O +observations O +associated O +with O +the O +malicious O +document O +, O +we O +observed O +subsequent O +shell O +sessions O +probably O +associated O +with O +Metasploit B-MAL S-TOOL I-MAL +’s I-MAL +Meterpreter E-MAL +that O +enabled O +deployment O +of O +additional O +tools O +and O +malware O +preceding O +deployment O +of O +three O +Shamoon-related O +files O +: O +ntertmgr32.exe S-FILE +, O +ntertmgr64.exe S-FILE +and O +vdsk911.sys S-FILE +. 
O + +Although O +the O +complete O +list O +of O +Shamoon S-MAL +’s O +victims O +is O +not O +public O +, O +Bloomberg O +reported O +that O +in O +one O +case O +, O +thousands O +of O +computers O +were O +destroyed O +at O +the O +headquarters O +of O +Saudi B-IDTY +’s I-IDTY +General I-IDTY +Authority I-IDTY +of I-IDTY +Civil I-IDTY +Aviation E-IDTY +, O +erasing O +critical O +data O +and O +bringing O +operations O +to O +a O +halt O +for O +several O +days O +. O + +The O +recent O +activity O +X-Force B-SECTEAM +IRIS E-SECTEAM +is O +seeing O +from O +the O +Shamoon O +attackers O +has O +so O +far O +been O +detected O +in O +two O +waves O +, O +but O +those O +are O +likely O +to O +subside O +following O +the O +public O +attention O +the O +cases O +have O +garnered O +since O +late O +2016 S-TIME +. O + +Saudi B-LOC +Arabia E-LOC +released O +a O +warning O +to O +local O +organizations O +about O +the O +Shamoon S-MAL +malware O +, O +alerting O +about O +potential O +attacks O +and O +advising O +organizations O +to O +prepare O +. O + +Additional O +Insights O +on O +Shamoon2 S-MAL +. O + +IBM S-IDTY +analysts O +recently O +unveiled O +a O +first O +look O +at O +how O +threat O +actors O +may O +have O +placed O +Shamoon2 S-MAL +malware O +on O +systems O +in O +Saudi B-LOC +Arabia E-LOC +. O + +Researchers O +showcased O +a O +potential O +malware O +lifecycle O +which O +started O +with O +spear B-ACT +phishing E-ACT +and O +eventually O +led O +to O +the O +deployment O +of O +the O +disk-wiping O +malware O +known O +as O +Shamoon S-MAL +. O + +Their O +research O +showcased O +a O +set O +of O +downloaders O +and O +domains O +that O +could O +potentially O +lead O +to O +a O +more O +extensive O +malware O +distribution O +campaign O +. O + +While O +researching O +elements O +in O +the O +IBM S-IDTY +report O +, O +ASERT O +discovered O +additional O +malicious O +domains O +, O +IP S-TOOL +addresses O +, O +and O +artifacts O +. 
O + +The O +basic O +functionality O +of O +the O +new O +documents O +and O +their O +PowerShell S-TOOL +components O +matched O +what O +was O +previously O +disclosed O +. O + +For O +more O +information O +on O +the O +overall O +capabilities O +of O +the O +malware O +, O +please O +review O +IBM S-IDTY +'s O +ongoing O +research O +. O + +It O +is O +our O +hope O +that O +by O +providing O +additional O +indicators O +, O +end-point O +investigators O +and O +network O +defenders O +will O +be O +able O +to O +discover O +and O +mitigate O +more O +Shamoon2 S-MAL +related O +compromises O +. O + +The O +following O +new O +samples O +were O +likely O +delivered O +via O +similar O +spear B-ACT +phishing E-ACT +campaigns O +as O +described O +in O +IBM S-IDTY +'s O +research O +. O + +All O +three O +shared O +the O +same O +IPs S-TOOL +and O +URLs S-TOOL +, O +also O +provided O +below O +. O + +These O +samples O +were O +located O +by O +pivoting O +on O +document O +attributes O +. O + +In O +this O +case O +, O +a O +sample O +from O +the O +IBM S-IDTY +report O +indicated O +the O +document O +author O +‘ O +gerry.knight O +’ O +which O +led O +us O +to O +the O +following O +three O +additional O +samples O +. O +spear B-ACT +phishing E-ACT +: O +2a0df97277ddb361cecf8726df6d78ac S-MD5 +5e5ea1a67c2538dbc01df28e4ea87472 S-MD5 +d30b8468d16b631cafe458fd94cc3196 S-MD5 +. O +spear B-ACT +phishing E-ACT +: O +104.218.120.128 S-IP +. O + +spear B-ACT +phishing E-ACT +: O +69.87.223.26 S-IP +. O + +spear B-ACT +phishing E-ACT +: O +5.254.100.200 S-IP +. O + +spear B-ACT +phishing E-ACT +: O +analytics-google.org B-URL +: I-URL +69/checkFile.aspx E-URL +. O + +spear B-ACT +phishing E-ACT +: O +analytics-google.org S-URL +. O + +spear B-ACT +phishing E-ACT +: O +69.87.223.26:8080/p S-URL +. O + +From O +the O +previous O +samples O +, O +we O +performed O +a O +passive O +DNS S-PROT +lookup O +on O +the O +IPs S-TOOL +. 
O + +We O +found O +get.adobe.go-microstf.com S-DOM +hosted O +at O +104.218.120.128 S-IP +around O +the O +time O +this O +campaign O +was O +ongoing O +, O +November B-TIME +2016 E-TIME +. O + +Researching O +the O +domain O +go-microstf.com S-DOM +, O +hosted O +at O +45.63.10.99 S-IP +, O +revealed O +yet O +another O +iteration O +of O +malicious O +executables O +. O + +In O +this O +case O +, O +a O +URL S-TOOL +used O +to O +download O +the O +PowerShell S-TOOL +component O +shared O +a O +naming O +convention O +found O +in O +the O +IBM S-IDTY +report O +, O +http://69.87.223.26:8080/eiloShaegae1 S-DOM +and O +connected O +to O +the O +IP O +address O +used O +by O +the O +previous O +three O +samples O +. O + +The O +following O +are O +IOCs S-TOOL +related O +to O +this O +domain O +: O + +83be35956e5d409306a81e88a1dc89fd S-MD5 +. O +45.63.10.99 S-IP +. O +69.87.223.26 S-IP +. O + +URLs B-IP +go-microstf.com E-IP +. O +69.87.223.26:8080/eiloShaegae1 S-IP +. O +go-microstf.com/checkfile.aspx S-IP +. O + +The O +domain O +go-microstf.com S-DOM +was O +originally O +set O +up O +to O +spoof O +Google B-TOOL +Analytics E-TOOL +login O +page O +. O + +Finally O +, O +research O +yielded O +a O +relatively O +unique O +sample O +. O + +This O +particular O +iteration O +was O +submitted O +to O +VirusTotal S-TOOL +on O +September B-TIME +16 I-TIME +, I-TIME +2016 E-TIME +. O + +The O +majority O +of O +samples O +analyzed O +to O +date O +were O +submitted O +no O +earlier O +than O +mid-October S-TIME +, O +with O +most O +being O +submitted O +in O +January B-TIME +2017 E-TIME +or O +later O +. O + +We O +were O +able O +to O +discover O +this O +particular O +version O +by O +diving O +further O +into O +connections O +to O +analytics-google.org S-IP +. O + +Unlike O +newer O +samples O +, O +this O +one O +created O +a O +unique O +file O +O +sloo.exe S-FILE +. 
O + +The O +file O +was O +created O +at O +C:\Documents O +and O +Settings\Admin\Local O +Settings\Temp\sloo.exe S-FILE +. O + +In O +addition O +to O +this O +file O +, O +the O +sample O +also O +contacted O +104.238.184.252 S-IP +for O +the O +PowerShell S-TOOL +executable O +. O + +Researchers O +at O +Palo B-LOC +Alto E-LOC +have O +attributed O +sloo.exe S-FILE +and O +related O +activities O +to O +threat O +actors O +of O +a O +likely O +Iranian S-LOC +state-sponsored O +origin O +which O +they O +’ve O +named O +Magic B-APT +Hound E-APT +. O + +The O +group O +Magic B-APT +Hound E-APT +is O +linked O +via O +infrastructure O +and O +tools O +to O +the O +Rocket B-APT +Kitten E-APT +threat O +actor O +group O +although O +Palo B-LOC +Alto E-LOC +cannot O +confirm O +the O +extent O +of O +any O +relationship O +between O +the O +two O +groups O +. O + +Dell S-IDTY +Secureworks O +analysts O +recently O +concluded O +that O +domains O +discussed O +in O +the O +IBM S-IDTY +report O +were O +linked O +to O +the O +Iranian S-LOC +PuppyRAT S-APT +. O + +In O +addition O +, O +Dell S-IDTY +analysts O +have O +assessed O +with O +high-confidence O +these O +activities O +are O +attributable O +to O +Iranian O +state-sponsored O +activities O +. O + +IOCs S-TOOL +for O +this O +version O +were O +: O + +Shamoon2 S-MAL +: O +07d6406036d6e06dc8019e3ade6ee7de S-MD5 +. O + +Shamoon2 S-MAL +: O +104.238.184.252 S-IP +. O + +Shamoon2 S-MAL +: O +5.254.100.200 S-IP +Shamoon2 S-MAL +: O +URLs S-TOOL +. O + +Shamoon2 S-MAL +: O +analytics-google.org B-IP +: I-IP +69/checkFile.aspx E-IP +. O + +These O +additional O +IOCs S-TOOL +will O +hopefully O +provide O +more O +context O +into O +the O +ongoing O +threat O +. O + +The O +link O +to O +possible O +Iranian S-LOC +threat O +actors O +supports O +ongoing O +analysis O +that O +Shamoon2 S-MAL +was O +perpetrated O +by O +Iranian S-LOC +state-sponsored O +threat O +actors O +. 
O + +The O +last O +sample O +discussed O +may O +be O +malware-0 O +or O +at O +least O +part O +of O +the O +overall O +development O +and O +subsequent O +deployment O +of O +tools O +used O +to O +install O +Shamoon S-MAL +on O +Saudi S-TOOL +systems O +. O + +Shamoon2 S-MAL +: O +2a0df97277ddb361cecf8726df6d78ac S-MD5 +. O + +Shamoon2 S-MAL +: O +5e5ea1a67c2538dbc01df28e4ea87472 S-MD5 +. O + +Shamoon2 S-MAL +: O +d30b8468d16b631cafe458fd94cc3196 S-MD5 +. O + +Shamoon2 S-MAL +: O +83be35956e5d409306a81e88a1dc89fd S-MD5 +. O + +Shamoon2 S-MAL +: O +07d6406036d6e06dc8019e3ade6ee7de S-MD5 +. O + +Shamoon2 S-MAL +: O +104.218.120.128 S-IP +. O + +Shamoon2 S-MAL +: O +69.87.223.26 S-IP +. O + +Shamoon2 S-MAL +: O +5.254.100.200 S-IP +. O + +Shamoon2 S-MAL +: O +45.63.10.99 S-IP +. O + +Shamoon2 S-MAL +: O +104.238.184.252 S-IP +. O + +Shamoon2 S-MAL +: O +analytics-google.org B-DOM +: I-DOM +69/checkFile.aspx E-DOM +. O + +Shamoon2 S-MAL +: O +analytics-google.org S-DOM +. O + +Shamoon2 S-MAL +: O +69.87.223.26:8080/p S-DOM +. O + +Shamoon2 S-MAL +: O +go-microstf.com S-DOM +. O + +Shamoon2 S-MAL +: O +69.87.223.26:8080/eiloShaegae1 S-DOM +. O + +Shamoon2 S-MAL +: O +get.adobe.go-microstf.com S-DOM +. O + +FireEye S-SECTEAM +recently O +observed O +a B-ACT +sophisticated I-ACT +campaign E-ACT +targeting O +individuals O +within O +the O +Mongolian B-IDTY +government E-IDTY +. O + +Targeted O +individuals O +that O +enabled O +macros B-MAL +in I-MAL +a I-MAL +malicious I-MAL +Microsoft I-MAL +Word I-MAL +document E-MAL +may O +have O +been O +infected O +with O +Poison B-MAL +Ivy E-MAL +, O +a O +popular O +remote B-TOOL +access I-TOOL +tool E-TOOL +( O +RAT S-TOOL +) O +that O +has O +been O +used O +for O +nearly O +a O +decade O +for O +key O +logging O +, O +screen O +and O +video O +capture O +, O +file O +transfers O +, O +password O +theft O +, O +system O +administration O +, O +traffic O +relaying O +, O +and O +more O +. 
O + +The B-APT +threat I-APT +actors E-APT +behind O +this O +attack O +demonstrated O +some O +interesting O +techniques O +, O +including O +: O + +Customized B-TOOL +evasion I-TOOL +based I-TOOL +on I-TOOL +victim I-TOOL +profile E-TOOL +– O +The O +campaign O +used O +a O +publicly O +available O +technique O +to O +evade O +AppLocker O +application O +whitelisting O +applied O +to O +the O +targeted O +systems O +. O + +Fileless B-TOOL +execution I-TOOL +and I-TOOL +persistence E-TOOL +– O +In O +targeted O +campaigns O +, O +threat B-APT +actors E-APT +often O +attempt O +to O +avoid O +writing O +an O +executable O +to O +the O +disk O +to O +avoid O +detection O +and O +forensic O +examination O +. O + +The O +campaign O +we O +observed O +used O +four B-TOOL +stages I-TOOL +of I-TOOL +PowerShell I-TOOL +scripts E-TOOL +without O +writing O +the O +the O +payloads O +to O +individual O +files O +. O + +Decoy B-TOOL +documents E-TOOL +– O +This O +campaign O +used O +PowerShell S-TOOL +to O +download O +benign O +documents O +from O +the O +Internet O +and O +launch O +them O +in O +a O +separate O +Microsoft S-IDTY +Word O +instance O +to O +minimize O +user O +suspicion O +of O +malicious O +activity O +. O + +The B-APT +threat I-APT +actors E-APT +used O +social B-TOOL +engineering E-TOOL +to O +convince O +users O +to O +run O +an O +embedded O +macro S-MAL +in O +a O +Microsoft B-TOOL +Word I-TOOL +document E-TOOL +that O +launched O +a O +malicious B-MAL +PowerShell I-MAL +payload E-MAL +. O + +The B-APT +threat I-APT +actors E-APT +used O +two O +publicly O +available O +techniques O +, O +an O +AppLocker B-TOOL +whitelisting I-TOOL +bypass E-TOOL +and O +a O +script S-TOOL +to O +inject O +shellcode O +into O +the O +userinit.exe S-FILE +process O +. O + +The O +malicious B-MAL +payload E-MAL +was O +spread O +across O +multiple B-TOOL +PowerShell I-TOOL +scripts E-TOOL +, O +making O +its O +execution O +difficult O +to O +trace O +. 
O + +Rather O +than O +being O +written O +to O +disk O +as O +individual O +script O +files O +, O +the O +PowerShell B-TOOL +payloads E-TOOL +were O +stored O +in O +the O +registry S-TOOL +. O + +Targets O +of O +the O +campaign O +received O +Microsoft B-TOOL +Word I-TOOL +documents E-TOOL +via O +email S-TOOL +that O +claimed O +to O +contain O +instructions O +for O +logging O +into O +webmail S-TOOL +or O +information O +regarding O +a O +state O +law O +proposal O +. O + +Microsoft S-IDTY +application B-TOOL +whitelisting I-TOOL +solution E-TOOL +AppLocker S-TOOL +prevents O +unknown O +executables O +from O +running O +on O +a O +system O +. O + +In O +April B-TIME +2016 E-TIME +, O +a O +security O +researcher O +demonstrated O +a O +way O +to O +bypass O +this O +using O +regsvr32.exe S-FILE +, O +a O +legitimate B-TOOL +Microsoft I-TOOL +executable E-TOOL +permitted O +to O +execute O +in O +many O +AppLocker O +policies O +. O + +The O +regsvr32.exe S-FILE +executable O +can O +be O +used O +to O +download O +a O +Windows S-OS +Script B-TOOL +Component E-TOOL +file O +( O +SCT S-TOOL +file O +) O +by O +passing O +the O +URL O +of O +the O +SCT O +file O +as O +an O +argument O +. O + +This O +technique O +bypasses O +AppLocker S-TOOL +restrictions O +and O +permits O +the O +execution O +of O +code O +within O +the O +SCT O +file O +. O + +In O +the O +decrypted O +shellcode O +, O +we O +also O +observed O +content O +and O +configuration O +related O +to O +Poison O +Ivy O +. O + +Correlating O +these O +bytes O +to O +the O +standard O +configuration O +of O +Poison B-VULNAME +Ivy E-VULNAME +, O +we O +can O +observe O +the O +following O +: O + +Active O +setup O +: O +StubPath O +. O + +Encryption/Decryption O +key O +: O +version2013 O +. O + +Mutex O +name O +: O +20160509 O +. 
O + +Although O +Poison B-VULNAME +Ivy E-VULNAME +has O +been O +a O +proven O +threat O +for O +some O +time O +, O +the O +delivery O +mechanism O +for O +this O +backdoor O +uses O +recent O +publicly O +available O +techniques O +that O +differ O +from O +previously O +observed O +campaigns O +. O + +Through O +the O +use O +of O +PowerShell S-TOOL +and O +publicly B-TOOL +available I-TOOL +security I-TOOL +control I-TOOL +bypasses I-TOOL +and I-TOOL +scripts E-TOOL +, O +most O +steps O +in O +the O +attack O +are O +performed O +exclusively O +in O +memory O +and O +leave O +few O +forensic O +artifacts O +on O +a O +compromised O +host O +. O + +FireEye S-SECTEAM +HX B-TOOL +Exploit I-TOOL +Guard E-TOOL +is O +a O +behavior-based B-TOOL +solution E-TOOL +that O +is O +not O +affected O +by O +the O +tricks O +used O +here O +. O + +It O +detects O +and O +blocks O +this O +threat O +at O +the O +initial O +level O +of O +the O +attack O +cycle O +when O +the O +malicious O +macro O +attempts O +to O +invoke O +the O +first O +stage O +PowerShell S-TOOL +payload O +. O + +Alert O +: O +HIDDEN B-APT +COBRA E-APT +- O +North B-LOC +Korea E-LOC +'s O +DDoS B-TOOL +Botnet I-TOOL S-ACT +Infrastructure E-TOOL +. O + +This O +joint O +Technical O +Alert O +( O +TA O +) O +is O +the O +result O +of O +analytic O +efforts O +between O +the O +Department B-IDTY +of I-IDTY +Homeland I-IDTY +Security E-IDTY +( O +DHS S-IDTY +) O +and O +the O +Federal B-IDTY +Bureau I-IDTY +of I-IDTY +Investigation E-IDTY +( O +FBI S-IDTY +) O +. O + +This O +alert O +provides O +technical O +details O +on O +the O +tools O +and O +infrastructure O +used O +by O +cyber O +actors O +of O +the O +North B-LOC +Korean E-LOC +government O +to O +target O +the O +media O +, O +aerospace O +, O +financial O +, O +and O +critical O +infrastructure O +sectors O +in O +the B-LOC +United I-LOC +States E-LOC +and O +globally O +. O + +Working O +with O +U.S. 
S-LOC +Government S-IDTY +partners O +, O +DHS S-IDTY +and O +FBI S-IDTY +identified O +Internet B-PROT +Protocol E-PROT +( O +IP S-PROT +) O +addresses O +associated O +with O +a O +malware O +variant O +, O +known O +as O +DeltaCharlie S-MAL +, O +used O +to O +manage O +North B-LOC +Korea E-LOC +'s O +distributed B-ACT +denial-of-service E-ACT +( O +DDoS S-ACT +) O +botnet B-TOOL +infrastructure E-TOOL +. O + +This O +alert O +contains O +indicators B-TOOL +of I-TOOL +compromise E-TOOL +( O +IOCs S-TOOL +) O +, O +malware O +descriptions O +, O +network O +signatures O +, O +and O +host-based O +rules O +to O +help O +network O +defenders O +detect O +activity O +conducted O +by O +the O +North B-LOC +Korean B-IDTY E-LOC I-IDTY +government E-IDTY +. O + +The O +U.S. S-LOC +Government S-IDTY +refers O +to O +the O +malicious O +cyber O +activity O +by O +the O +North B-LOC +Korean E-LOC +government S-IDTY +as O +HIDDEN B-APT +COBRA E-APT +. O + +For O +more O +information O +related O +to O +HIDDEN B-APT +COBRA E-APT +activity O +, O +go O +to O +https://www.us-cert.gov/hiddencobra S-URL +. O + +If O +users O +or O +administrators O +detect O +the O +custom O +tools O +indicative O +of O +HIDDEN B-APT +COBRA E-APT +, O +these O +tools O +should O +be O +immediately O +flagged O +, O +reported O +to O +the O +DHS S-IDTY +National B-IDTY +Cybersecurity I-IDTY +Communications I-IDTY +and I-IDTY +Integration I-IDTY +Center E-IDTY +( O +NCCIC S-IDTY +) O +or O +the O +FBI S-IDTY +Cyber O +Watch O +( O +CyWatch O +) O +, O +and O +given O +highest O +priority O +for O +enhanced O +mitigation O +. O + +This O +alert O +identifies O +IP S-PROT B-TOOL +addresses E-TOOL +linked O +to O +systems O +infected O +with O +DeltaCharlie S-MAL +malware O +and O +provides O +descriptions O +of O +the O +malware O +and O +associated O +malware O +signatures O +. 
O + +DHS S-IDTY +and O +FBI S-IDTY +are O +distributing O +these O +IP S-PROT B-TOOL +addresses E-TOOL +to O +enable O +network O +defense O +activities O +and O +reduce O +exposure O +to O +the O +DDoS S-ACT +command-and-control O +network O +. O + +FBI S-IDTY +has O +high O +confidence O +that O +HIDDEN B-APT +COBRA E-APT +actors O +are O +using O +the O +IP S-PROT B-TOOL +addresses E-TOOL +for O +further O +network O +exploitation O +. O + +This O +alert O +includes O +technical O +indicators O +related O +to O +specific O +North B-LOC +Korean E-LOC +government S-IDTY +cyber O +operations O +and O +provides O +suggested O +response O +actions O +to O +those O +indicators O +, O +recommended O +mitigation O +techniques O +, O +and O +information O +on O +reporting O +incidents O +to O +the O +U.S. S-LOC +Government S-IDTY +. O + +On O +August B-TIME +23 I-TIME +, I-TIME +2017 E-TIME +, O +DHS S-IDTY +published O +a O +Malware O +Analysis O +Report O +( O +MAR-10132963 O +) O +that O +examines O +malware O +functionality O +to O +provide O +detailed O +code O +analysis O +and O +insight O +into O +specific O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +observed O +in O +the O +malware O +. O + +Since O +2009 S-TIME +, O +HIDDEN B-APT +COBRA E-APT +actors O +have O +leveraged O +their O +capabilities O +to O +target O +and O +compromise O +a O +range O +of O +victims O +; O +some O +intrusions O +have O +resulted O +in O +the O +Exfiltration S-ACT +of O +data O +while O +others O +have O +been O +disruptive O +in O +nature O +. O + +Commercial O +reporting O +has O +referred O +to O +this O +activity O +as O +Lazarus S-APT +Group O +and O +Guardians B-APT +of I-APT +Peace E-APT +. O + +DHS S-IDTY +and O +FBI S-IDTY +assess O +that O +HIDDEN B-APT +COBRA E-APT +actors O +will O +continue O +to O +use O +cyber O +operations O +to O +advance O +their O +government O +'s O +military O +and O +strategic O +objectives O +. 
O + +Cyber O +analysts O +are O +encouraged O +to O +review O +the O +information O +provided O +in O +this O +alert O +to O +detect O +signs O +of O +malicious O +network O +activity O +. O + +Tools O +and O +capabilities O +used O +by O +HIDDEN B-APT +COBRA E-APT +actors O +include O +DDoS B-TOOL +botnet S-ACTs E-TOOL +, O +keyloggers S-TOOL +, O +remote B-TOOL +access I-TOOL +tools E-TOOL +( O +RATs S-TOOL +) O +, O +and O +wiper S-MAL +malware O +. O + +Variants O +of O +malware O +and O +tools O +used O +by O +HIDDEN B-APT +COBRA E-APT +actors O +include O +Destover S-MAL +, O +Wild B-MAL +Positron E-MAL/Duuzer S-MAL +, O +and O +Hangman S-MAL +. O + +DHS S-IDTY +has O +previously O +released O +Alert O +TA14-353A O +, O +which O +contains O +additional O +details O +on O +the O +use O +of O +a O +server B-PROT +message I-PROT +block E-PROT +( O +SMB S-PROT +) O +worm S-MAL +tool O +employed O +by O +these O +actors O +. O + +Further O +research O +is O +needed O +to O +understand O +the O +full O +breadth O +of O +this O +group O +'s O +cyber O +capabilities O +. O + +In O +particular O +, O +DHS S-IDTY +recommends O +that O +more O +research O +should O +be O +conducted O +on O +the O +North B-LOC +Korean E-LOC +cyber O +activity O +that O +has O +been O +reported O +by O +cybersecurity O +and O +threat O +research O +firms O +. O + +HIDDEN B-APT +COBRA E-APT +actors O +commonly O +target O +systems O +running O +older O +, O +unsupported O +versions O +of O +Microsoft S-IDTY +operating O +systems O +. O + +The O +multiple O +vulnerabilities O +in O +these O +older O +systems O +provide O +cyber O +actors O +many O +targets O +for O +exploitation O +. O + +These O +actors O +have O +also O +used O +Adobe S-IDTY +Flash B-TOOL +player E-TOOL +vulnerabilities O +to O +gain O +initial O +entry O +into O +users' O +environments O +. O + +HIDDEN B-APT +COBRA E-APT +is O +known O +to O +use O +vulnerabilities O +affecting O +various O +applications O +. 
O + +These O +vulnerabilities O +include O +: O + +CVE-2015-6585 S-VULID +: O +Hangul B-TOOL +Word I-TOOL +Processor E-TOOL +Vulnerability O +. O + +CVE-2015-8651 S-VULID +: O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +18.0.0.324 O +and O +19.x O +Vulnerability O +. O + +CVE-2016-0034 S-VULID +: O +Microsoft B-TOOL +Silverlight E-TOOL +5.1.41212.0 O +Vulnerability O +. O + +CVE-2016-1019 S-VULID +: O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +21.0.0.197 O +Vulnerability O +. O + +CVE-2016-4117 S-VULID +: O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +21.0.0.226 O +Vulnerability O +. O + +DHS S-IDTY +recommends O +that O +organizations O +upgrade O +these O +applications O +to O +the O +latest O +version O +and O +patch O +level O +. O + +If O +Adobe S-IDTY +Flash S-TOOL +or O +Microsoft S-IDTY +Silverlight S-TOOL +is O +no O +longer O +required O +, O +DHS S-IDTY +recommends O +that O +those O +applications O +be O +removed O +from O +systems O +. O + +The O +IOCs S-TOOL +provided O +with O +this O +alert O +include O +IP S-PROT B-TOOL +addresses E-TOOL +determined O +to O +be O +part O +of O +the O +HIDDEN B-APT +COBRA E-APT +botnet S-TOOL +infrastructure O +, O +identified O +as O +DeltaCharlie S-MAL +. O + +The O +DeltaCharlie S-MAL +DDoS S-ACT +bot S-TOOL +was O +originally O +reported O +by O +Novetta S-SECTEAM +in O +their O +2016 S-TIME +Operation O +Blockbuster O +Malware O +Report O +. O + +This O +malware O +has O +used O +the O +IP S-PROT B-TOOL +addresses E-TOOL +identified O +in O +the O +accompanying O +.csv S-FILE +and O +.stix S-FILE +files O +as O +both O +source O +and O +destination O +IPs S-TOOL +. O + +In O +some O +instances O +, O +the O +malware O +may O +have O +been O +present O +on O +victims' O +networks O +for O +a O +significant O +period O +. 
O + +DeltaCharlie S-MAL +is O +a O +DDoS S-ACT +tool O +used O +by O +HIDDEN B-APT +COBRA E-APT +actors O +, O +and O +is O +referenced O +and O +detailed O +in O +Novetta S-SECTEAM +'s O +Operation O +Blockbuster O +Destructive O +Malware O +report O +. O + +The O +information O +related O +to O +DeltaCharlie S-MAL +from O +the O +Operation O +Blockbuster O +Destructive O +Malware O +report O +should O +be O +viewed O +in O +conjunction O +with O +the O +IP S-PROT B-TOOL +addresses E-TOOL +listed O +in O +the O +.csv S-FILE +and O +.stix S-FILE +files O +provided O +within O +this O +alert O +. O + +DeltaCharlie S-MAL +is O +a O +DDoS S-ACT +tool O +capable O +of O +launching O +Domain B-TOOL +Name I-TOOL +System E-TOOL +( O +DNS S-TOOL +) O +attacks O +, O +Network B-PROT +Time I-PROT +Protocol E-PROT +( O +NTP S-PROT +) O +attacks O +, O +and O +Carrier B-TOOL +Grade I-TOOL +NAT E-TOOL +( O +CGN S-TOOL +) O +attacks O +. O + +The O +malware O +operates O +on O +victims' O +systems O +as O +a O +svchost-based O +service O +and O +is O +capable O +of O +downloading O +executables O +, O +changing O +its O +own O +configuration O +, O +updating O +its O +own O +binaries O +, O +terminating O +its O +own O +processes O +, O +and O +activating O +and O +terminating O +denial-of-service O +attacks O +. O + +HIDDEN B-APT +COBRA E-APT +IOCs S-TOOL +related O +to O +DeltaCharlie S-MAL +are O +provided O +within O +the O +accompanying O +.csv S-FILE +and O +.stix S-FILE +files O +of O +this O +alert O +. O + +DHS S-IDTY +and O +FBI S-IDTY +recommend O +that O +network O +administrators O +review O +the O +IP S-PROT B-TOOL +addresses E-TOOL +, O +file B-TOOL +hashes E-TOOL +, O +network B-TOOL +signatures E-TOOL +, O +and O +YARA S-TOOL +rules O +provided O +, O +and O +add O +the O +IPs S-TOOL +to O +their O +watchlist O +to O +determine O +whether O +malicious O +activity O +has O +been O +observed O +within O +their O +organization O +. 
O + +When O +reviewing O +network O +perimeter O +logs O +for O +the O +IP S-PROT B-TOOL +addresses E-TOOL +, O +organizations O +may O +find O +numerous O +instances O +of O +these O +IP S-PROT B-TOOL +addresses E-TOOL +attempting O +to O +connect O +to O +their O +systems O +. O + +Upon O +reviewing O +the O +traffic O +from O +these O +IP S-PROT B-TOOL +addresses E-TOOL +, O +system S-TOOL +owners O +may O +find O +that O +some O +traffic O +corresponds O +to O +malicious O +activity O +and O +some O +to O +legitimate O +activity O +. O + +System S-TOOL +owners O +are O +also O +advised O +to O +run O +the O +YARA S-TOOL +tool O +on O +any O +system S-TOOL +they O +suspect O +to O +have O +been O +targeted O +by O +HIDDEN B-APT +COBRA E-APT +actors O +. O + +This O +section O +contains O +network B-TOOL +signatures E-TOOL +and O +host-based B-TOOL +rules E-TOOL +that O +can O +be O +used O +to O +detect O +malicious O +activity O +associated O +with O +HIDDEN B-APT +COBRA E-APT +actors O +. O + +Although O +created O +using O +a O +comprehensive O +vetting O +process O +, O +the O +possibility O +of O +false O +positives O +always O +remains O +. O + +These O +signatures O +and O +rules O +should O +be O +used O +to O +supplement O +analysis O +and O +should O +not O +be O +used O +as O +a O +sole O +source O +of O +attributing O +this O +activity O +to O +HIDDEN B-APT +COBRA E-APT +actors O +. O + +A O +successful O +network O +intrusion O +can O +have O +severe O +impacts O +, O +particularly O +if O +the O +compromise O +becomes O +public O +and O +sensitive O +information O +is O +exposed O +. O + +Possible O +impacts O +include O +: O +temporary O +or O +permanent O +loss O +of O +sensitive O +or O +proprietary O +information O +, O +disruption O +to O +regular O +operations O +, O +financial O +losses O +incurred O +to O +restore O +systems O +and O +files O +, O +and O +potential O +harm O +to O +an O +organization O +'s O +reputation O +. 
O + +Network O +administrators O +are O +encouraged O +to O +apply O +the O +following O +recommendations O +, O +which O +can O +prevent O +as O +many O +as O +85 O +percent O +of O +targeted O +cyber O +intrusions O +. O + +The O +mitigation O +strategies O +provided O +may O +seem O +like O +common O +sense O +. O + +However O +, O +many O +organizations O +fail O +to O +use O +these O +basic O +security O +measures O +, O +leaving O +their O +systems O +open O +to O +compromise O +: O + +Patch O +applications O +and O +operating O +systems O +. O + +Most O +attackers O +target O +vulnerable O +applications O +and O +operating B-TOOL +systems E-TOOL +. O + +Ensuring O +that O +applications O +and O +operating O +systems O +are O +patched O +with O +the O +latest O +updates O +greatly O +reduces O +the O +number O +of O +exploitable O +entry O +points O +available O +to O +an O +attacker O +. O + +Use O +best O +practices O +when O +updating O +software S-TOOL +and O +patches S-TOOL +by O +only O +downloading O +updates O +from O +authenticated O +vendor O +sites O +. O + +Use O +application O +whitelisting O +. O + +Whitelisting O +is O +one O +of O +the O +best O +security O +strategies O +because O +it O +allows O +only O +specified O +programs O +to O +run O +while O +blocking O +all O +others O +, O +including O +malicious B-MAL +software E-MAL +. O + +Restrict O +administrative O +privileges O +. O + +Threat O +actors O +are O +increasingly O +focused O +on O +gaining O +control O +of O +legitimate O +credentials O +, O +especially O +credentials O +associated O +with O +highly O +privileged O +accounts O +. O + +Reduce O +privileges O +to O +only O +those O +needed O +for O +a O +user O +'s O +duties O +. O + +Separate O +administrators O +into O +privilege O +tiers O +with O +limited O +access O +to O +other O +tiers O +. O + +Segment O +networks O +and O +segregate O +them O +into O +security O +zones O +. 
O + +Segment O +networks O +into O +logical O +enclaves O +and O +restrict O +host-to-host O +communications O +paths O +. O + +This O +helps O +protect O +sensitive O +information O +and O +critical O +services O +, O +and O +limits O +damage O +from O +network O +perimeter O +breaches O +. O + +Validate O +input O +. O + +Input O +validation O +is O +a O +method O +of O +sanitizing O +untrusted O +input O +provided O +by O +users O +of O +a O +web O +application O +. O + +Implementing O +input O +validation O +can O +protect O +against O +the O +security O +flaws O +of O +web O +applications O +by O +significantly O +reducing O +the O +probability O +of O +successful O +exploitation O +. O + +Types O +of O +attacks O +possibly O +averted O +include O +Structured O +Query O +Language O +( O +SQL O +) O +injection O +, O +cross-site O +scripting O +, O +and O +command O +injection O +. O + +Use O +stringent O +file O +reputation O +settings O +. O + +Tune O +the O +file O +reputation O +systems O +of O +your O +anti-virus O +software O +to O +the O +most O +aggressive O +setting O +possible O +. O + +Some O +anti-virus O +products O +can O +limit O +execution O +to O +only O +the O +highest O +reputation O +files O +, O +stopping O +a O +wide O +range O +of O +untrustworthy O +code O +from O +gaining O +control O +. O + +Understand O +firewalls S-TOOL +. O + +Firewalls S-TOOL +provide O +security O +to O +make O +your O +network O +less O +susceptible O +to O +attack O +. O + +They O +can O +be O +configured O +to O +block O +data O +and O +applications O +from O +certain O +locations O +( O +IP S-PROT B-TOOL +whitelisting E-TOOL +) O +, O +while O +allowing O +relevant O +and O +necessary O +data O +through O +. 
O + +To O +protect O +against O +code O +injections O +and O +other O +attacks O +, O +system O +operators O +should O +routinely O +evaluate O +known O +and O +published O +vulnerabilities O +, O +periodically O +perform O +software O +updates O +and O +technology O +refreshes O +, O +and O +audit O +external-facing B-TOOL +systems E-TOOL +for O +known O +web O +application O +vulnerabilities O +. O + +They O +should O +also O +take O +the O +following O +steps O +to O +harden O +both O +web O +applications O +and O +the O +servers O +hosting O +them O +to O +reduce O +the O +risk O +of O +network O +intrusion O +via O +this O +vector O +. O + +Use O +and O +configure O +available O +firewalls S-TOOL +to O +block O +attacks O +. O + +Take O +steps O +to O +secure O +Windows B-TOOL +systems E-TOOL +, O +such O +as O +installing O +and O +configuring O +Microsoft S-IDTY +'s O +Enhanced B-TOOL +Mitigation I-TOOL +Experience I-TOOL +Toolkit E-TOOL +( O +EMET S-TOOL +) O +and O +Microsoft S-IDTY +AppLocker S-TOOL +. O + +Monitor O +and O +remove O +any O +unauthorized O +code O +present O +in O +any O +www O +directories O +. O + +Disable O +, O +discontinue O +, O +or O +disallow O +the O +use O +of O +Internet B-PROT +Control I-PROT +Message I-PROT +Protocol E-PROT +( O +ICMP S-PROT +) O +and O +Simple B-PROT +Network I-PROT +Management I-PROT +Protocol E-PROT +( O +SNMP S-PROT +) O +as O +much O +as O +possible O +. O + +Remove O +unnecessary O +HTTP S-PROT +verbs O +from O +web B-TOOL +servers E-TOOL +. O + +Typical O +web B-TOOL +servers E-TOOL +and O +applications O +only O +require O +GET O +, O +POST O +, O +and O +HEAD O +. O + +Where O +possible O +, O +minimize O +server O +fingerprinting O +by O +configuring O +web B-TOOL +servers E-TOOL +to O +avoid O +responding O +with O +banners O +identifying O +the O +server O +software O +and O +version O +number O +. O + +Secure O +both O +the O +operating O +system O +and O +the O +application O +. 
O + +Update O +and O +patch O +production O +servers O +regularly O +. O + +Disable O +potentially O +harmful O +SQL-stored O +procedure O +calls O +. O + +Sanitize O +and O +validate O +input O +to O +ensure O +that O +it O +is O +properly O +typed O +and O +does O +not O +contain O +escaped O +code O +. O + +Consider O +using O +type-safe O +stored O +procedures O +and O +prepared O +statements O +. O + +Audit O +transaction O +logs O +regularly O +for O +suspicious O +activity O +. O + +Perform O +penetration O +testing O +on O +web B-TOOL +services E-TOOL +. O + +Ensure O +error O +messages O +are O +generic O +and O +do O +not O +expose O +too O +much O +information O +. O + +System O +operators O +should O +take O +the O +following O +steps O +to O +limit O +permissions O +, O +privileges O +, O +and O +access O +controls O +. O + +Reduce O +privileges O +to O +only O +those O +needed O +for O +a O +user O +'s O +duties O +. O + +Restrict O +users' O +ability O +( O +permissions O +) O +to O +install O +and O +run O +unwanted O +software O +applications O +, O +and O +apply O +the O +principle O +of O +Least B-TOOL +Privilege E-TOOL +to O +all O +systems O +and O +services O +. O + +Restricting O +these O +privileges O +may O +prevent O +malware O +from O +running O +or O +limit O +its O +capability O +to O +spread O +through O +the O +network O +. O + +Carefully O +consider O +the O +risks O +before O +granting O +administrative O +rights O +to O +users O +on O +their O +own O +machines O +. O + +Scrub O +and O +verify O +all O +administrator O +accounts O +regularly O +. O + +Configure O +Group O +Policy O +to O +restrict O +all O +users O +to O +only O +one O +login O +session O +, O +where O +possible O +. O + +Enforce O +secure O +network O +authentication O +, O +where O +possible O +. 
O + +Instruct O +administrators O +to O +use O +non-privileged O +accounts O +for O +standard O +functions O +such O +as O +web O +browsing O +or O +checking O +webmail O +. O + +Segment O +networks O +into O +logical O +enclaves O +and O +restrict O +host-to-host O +communication O +paths O +. O + +Containment O +provided O +by O +enclaving O +also O +makes O +incident O +cleanup O +significantly O +less O +costly O +. O + +Configure O +firewalls O +to O +disallow O +Remote B-PROT +Desktop I-PROT +Protocol E-PROT +( O +RDP S-PROT +) O +traffic O +coming O +from O +outside O +of O +the O +network O +boundary O +, O +except O +for O +in O +specific O +configurations O +such O +as O +when O +tunneled O +through O +a O +secondary O +virtual B-TOOL +private I-TOOL +network E-TOOL +( O +VPN S-TOOL +) O +with O +lower O +privileges O +. O + +Audit O +existing O +firewall S-TOOL +rules O +and O +close O +all O +ports O +that O +are O +not O +explicitly O +needed O +for O +business O +. O + +Specifically O +, O +carefully O +consider O +which O +ports O +should O +be O +connecting O +outbound O +versus O +inbound O +. O + +Enforce O +a O +strict O +lockout O +policy O +for O +network O +users O +and O +closely O +monitor O +logs O +for O +failed O +login O +activity O +. O + +Failed O +login O +activity O +can O +be O +indicative O +of O +failed O +intrusion O +activity O +. O + +If O +remote O +access O +between O +zones O +is O +an O +unavoidable O +business O +need O +, O +log O +and O +monitor O +these O +connections O +closely O +. O + +In O +environments O +with O +a O +high O +risk O +of O +interception O +or O +intrusion O +, O +organizations O +should O +consider O +supplementing O +password O +authentication O +with O +other O +forms O +of O +authentication O +such O +as O +challenge/response O +or O +multifactor O +authentication O +using O +biometric O +or O +physical O +tokens O +. 
O + +System O +operators O +should O +follow O +these O +secure O +logging O +practices O +. O + +Ensure O +event O +logging O +, O +including O +applications O +, O +events O +, O +login O +activities O +, O +and O +security O +attributes O +, O +is O +turned O +on O +or O +monitored O +for O +identification O +of O +security O +issues O +. O + +Configure O +network O +logs O +to O +provide O +adequate O +information O +to O +assist O +in O +quickly O +developing O +an O +accurate O +determination O +of O +a O +security O +incident O +. O + +Upgrade O +PowerShell S-TOOL +to O +new O +versions O +with O +enhanced O +logging O +features O +and O +monitor O +the O +logs O +to O +detect O +usage O +of O +PowerShell S-TOOL +commands O +, O +which O +are O +often O +malware-related O +. O + +Secure O +logs O +in O +a O +centralized O +location O +and O +protect O +them O +from O +modification O +. O + +Phantom O +of O +the O +Opaera O +: O + +New O +KASPERAGENT S-MAL +Malware O +Campaign O +. O + +ThreatConnect S-IDTY +has O +identified O +a O +KASPERAGENT S-MAL +malware O +campaign O +leveraging O +decoy O +Palestinian B-IDTY +Authority E-IDTY +documents O +. O + +The O +samples O +date O +from O +April B-TIME +– I-TIME +May I-TIME +2017 E-TIME +, O +coinciding O +with O +the O +run O +up O +to O +the O +May B-TIME +2017 E-TIME +Palestinian B-IDTY +Authority E-IDTY +elections O +. O + +Although O +we O +do O +not O +know O +who O +is O +behind O +the O +campaign O +, O +the O +decoy O +documents O +’ O +content O +focuses O +on O +timely O +political O +issues O +in O +Gaza S-LOC +and O +the O +IP O +address O +hosting O +the O +campaign O +’s O +command O +and O +control O +node O +hosts O +several O +other O +domains O +with O +Gaza S-LOC +registrants O +. 
O + +In O +this O +blog O +post O +we O +will O +detail O +our O +analysis O +of O +the O +malware O +and O +associated O +indicators O +, O +look O +closely O +at O +the O +decoy O +files O +, O +and O +leverage O +available O +information O +to O +make O +an O +educated O +guess O +on O +the O +possible O +intended O +target O +. O + +Associated O +indicators O +and O +screenshots O +of O +the O +decoy O +documents O +are O +all O +available O +here O +in O +the O +ThreatConnect S-SECTEAM +platform O +. O + +Some O +of O +the O +indicators O +in O +the O +following O +post O +were O +published O +on O +AlienVault S-IDTY +OTX O +on O +6/13 S-TIME +. O + +KASPERAGENT S-MAL +is O +Microsoft S-IDTY +Windows S-OS +malware O +used O +in O +efforts O +targeting O +users O +in O +the O +United B-LOC +States E-LOC +, O +Israel S-LOC +, O +Palestinian B-LOC +Territories E-LOC +, O +and O +Egypt S-LOC +since O +July B-TIME +2015 E-TIME +. O + +The O +malware O +was O +discovered O +by O +Palo B-IDTY +Alto I-IDTY +Networks E-IDTY +Unit B-SECTEAM +42 E-SECTEAM +and O +ClearSky B-IDTY +Cyber I-IDTY +Security E-IDTY +, O +and O +publicized O +in O +April B-TIME +2017 E-TIME +in O +the O +Targeted B-ACT +Attacks E-ACT +in O +the O +Middle B-LOC +East E-LOC +Using O +KASPERAGENT S-MAL +and O +MICROPSIA S-MAL +blog O +. O + +It O +is O +called O +KASPERAGENT S-MAL +based O +on O +PDB O +strings O +identified O +in O +the O +malware O +such O +as O +“ O +c B-FILE +: I-FILE +UsersUSADocumentsVisual I-FILE +Studio I-FILE +2008ProjectsNew I-FILE +folder I-FILE +( I-FILE +2 I-FILE +) I-FILE +kasperReleasekasper.pdb E-FILE +” O +. O + +The O +threat O +actors O +used O +shortened O +URLs O +in O +spear B-ACT +phishing E-ACT +messages O +and O +fake O +news O +websites O +to O +direct O +targets O +to O +download O +KASPERAGENT S-MAL +. 
O + +Upon O +execution O +, O +KASPERAGENT S-MAL +drops O +the O +payload O +and O +a O +decoy O +document O +that O +displays O +Arabic O +names O +and O +ID O +numbers O +. O + +The O +malware O +establishes O +persistence O +and O +sends O +HTTP S-PROT +requests O +to O +the O +command O +and O +control O +domain O +mailsinfo.net S-DOM +. O + +Of O +note O +, O +the O +callbacks O +were O +to O +PHP O +scripts O +that O +included O +/ O +dad5 O +/ O +in O +the O +URLs O +. O + +Most O +samples O +of O +the O +malware O +reportedly O +function O +as O +a O +basic O +reconnaissance O +tool O +and O +downloader O +. O + +However O +, O +some O +of O +the O +recently O +identified O +files O +display O +“ O +extended-capability O +” O + +including O +the O +functionality O +to O +steal O +passwords O +, O +take O +screenshots O +, O +log O +keystrokes O +, O +and O +steal O +files O +. O + +These O +“ O +extended-capability O +” O + +samples O +called O +out O +to O +an O +additional O +command O +and O +control O +domain O +, O +stikerscloud.com S-DOM +. O + +Additionally O +, O +early O +variants O +of O +KASPERAGENT S-MAL +used O +“ O +Chrome S-TOOL +” O + +as O +the O +user O +agent O +, O +while O +more O +recent O +samples O +use O +“ O +OPAERA O +” O + +– O +a O +possible O +misspelling O +of O +the O +“ O +Opera S-TOOL +” O + +– O +browser O +. O + +The O +indicators O +associated O +with O +the O +blog O +article O +are O +available O +in O +the O +ThreatConnect S-IDTY +Technical O +Blogs O +and O +Reports O +source O +here O +. O + +The O +samples O +we O +identified O +leverage O +the O +same O +user O +agent O +string O +“ O +OPAERA O +” O + +, O +included O +the O +kasper O +PDB O +string O +reported O +by O +Unit B-SECTEAM +42 E-SECTEAM +, O +and O +used O +similar O +POST O +and O +GET O +requests O +. 
O + +The O +command O +and O +control O +domains O +were O +different O +, O +and O +these O +samples O +used O +unique O +decoy O +documents O +to O +target O +their O +victims O +. O + +We O +didn’t O +start O +out O +looking O +for O +KASPERAGENT S-MAL +, O +but O +a O +file O +hit O +on O +one O +of O +our O +YARA O +rules O +for O +an O +executable O +designed O +to O +display O +a O +fake O +XLS O +icon O +– O +one O +way O +adversaries O +attempt O +to O +trick O +targets O +into O +thinking O +a O +malicious O +file O +is O +innocuous O +. O + +The O +first O +malicious O +sample O +we O +identified O +( O +6843AE9EAC03F69DF301D024BFDEFC88 S-MD5 +) O +had O +the O +file O +name O +“ O +testproj.exe S-FILE +” O + +and O +was O +identified O +within O +an O +archive O +file O +( O +4FE7561F63A71CA73C26CB95B28EAEE8 S-MD5 +) O +with O +the O +name O +“ O +التفاصيل B-FILE +الكاملة I-FILE +لأغتيال I-FILE +فقهاء.r24 E-FILE +” O +. O + +This O +translates O +to O +“ O +The O +Complete O +Details O +of O +Fuqaha O +’s O +Assassination O +” O + +, O +a O +reference O +to O +Hamas S-IDTY +military O +leader O +Mazen O +Fuqaha O +who O +was O +assassinated O +on O +March B-TIME +24 I-TIME +, I-TIME +2017 E-TIME +. O + +We O +detonated O +the O +file O +in O +VxStream S-TOOL +’s O +automated O +malware O +analysis O +capability O +and O +found O +testproj.exe S-FILE +dropped O +a O +benign O +Microsoft S-IDTY +Word S-TOOL +document O +that O +pulls O +a O +jpg O +file O +from O +treestower.com S-DOM +. O + +Malwr.com S-DOM +observed O +this O +site O +in O +association O +with O +another O +sample O +that O +called O +out O +to O +mailsinfo.net S-DOM +– O +a O +host O +identified O +in O +the O +Targeted B-ACT +Attacks E-ACT +in O +the O +Middle B-LOC +East E-LOC +Using O +KASPERAGENT S-MAL +and O +MICROPSIA S-MAL +blog O +. O + +That O +was O +our O +first O +hint O +that O +we O +were O +looking O +at O +KASPERAGENT S-MAL +. 
O + +The O +jpg O +pulled O +from O +treestower.com S-DOM +displays O +a O +graphic O +picture O +of O +a O +dead O +man O +, O +which O +also O +appeared O +on O +a O +Palestinian O +news O +website O +discussing O +the O +death O +of O +Hamas S-IDTY +military O +leader O +Mazen O +Fuqaha O +. O + +A O +separate O +malicious O +executable O +– O +2DE25306A58D8A5B6CBE8D5E2FC5F3C5 S-MD5 +( O +vlc.exe S-FILE +) O +– O +runs O +when O +the O +photograph O +is O +displayed O +, O +using O +the O +YouTube B-TOOL +icon E-TOOL +and O +calling O +out O +to O +several O +URLs O +on O +windowsnewupdates.com S-DOM +. O + +This O +host O +was O +registered O +in O +late B-TIME +March E-TIME +and O +appears O +to O +be O +unique O +to O +this O +campaign O +. O + +With O +our O +interest O +piqued O +, O +we O +pivoted O +on O +the O +import O +hashes O +( O +also O +known O +as O +an O +imphash O +) O +, O +which O +captures O +the O +import O +table O +of O +a O +given O +file O +. O + +Shared O +import O +hashes O +across O +multiple O +files O +would O +likely O +identify O +files O +that O +are O +part O +of O +the O +same O +malware O +family O +. O + +We O +found O +nine O +additional O +samples O +sharing O +the O +imphash O +values O +for O +the O +two O +executables O +, O +C66F88D2D76D79210D568D7AD7896B45 S-MD5 +and O +DCF3AA484253068D8833C7C5B019B07 S-MD5 +. O + +Analysis O +of O +those O +files O +uncovered O +two O +more O +imphashes O +, O +0B4E44256788783634A2B1DADF4F9784 S-MD5 +and O +E44F0BD2ADFB9CBCABCAD314D27ACCFC S-MD5 +, O +for O +a O +total O +of O +20 O +malicious O +files O +. O + +These O +additional O +samples O +behaved O +similarly O +to O +the O +initial O +files O +; O + +testproj.exe S-FILE +dropped O +benign O +decoy O +files O +and O +started O +malicious O +executables O +. O + +The O +malicious O +executables O +all O +called O +out O +to O +the O +same O +URLs O +on O +windowsnewupdates.com S-DOM +. 
O + +These O +malware O +samples O +leverage O +the O +user O +agent O +string O +“ O +OPAERA O +” O +, O +the O +same O +one O +identified O +in O +the O +Targeted B-ACT +Attacks E-ACT +in O +the O +Middle B-LOC +East E-LOC +Using O +KASPERAGENT S-MAL +and O +MICROPSIA S-MAL +blog O +. O + +Although O +the O +command O +and O +control O +domain O +was O +different O +from O +those O +in O +the O +report O +, O +the O +POST O +and O +GET O +requests O +were O +similar O +and O +included O +/ O +dad5 O +/ O +in O +the O +URL O +string O +. O + +In O +addition O +, O +the O +malware O +samples O +included O +the O +kasper O +PDB O +string O +reported O +by O +Unit B-SECTEAM +42 E-SECTEAM +, O +prompting O +us O +to O +conclude O +that O +we O +were O +likely O +looking O +at O +new O +variants O +of O +KASPERAGENT S-MAL +. O + +Several O +of O +the O +decoy O +files O +appeared O +to O +be O +official O +documents O +associated O +with O +the O +Palestinian B-IDTY +Authority E-IDTY +– O +the O +body O +that O +governs O +the O +Palestinian B-LOC +Territories E-LOC +in O +the O +Middle B-LOC +East E-LOC +. O + +We O +do O +not O +know O +whether O +the O +files O +are O +legitimate O +Palestinian B-IDTY +Authority E-IDTY +documents O +, O +but O +they O +are O +designed O +to O +look O +official O +. O + +Additionally O +, O +most O +of O +the O +decoy O +files O +are O +publicly O +available O +on O +news O +websites O +or O +social O +media O +. O + +The O +first O +document O +– O +dated O +April B-TIME +10 I-TIME +, I-TIME +2017 E-TIME +– O +is O +marked O +“ O +Very O +Secret O +” O + +and O +addressed O +to O +Yahya O +Al-Sinwar O +, O +who O +Hamas S-IDTY +elected O +as O +its O +leader O +in O +Gaza S-LOC +in O +February B-TIME +2017 E-TIME +. O + +Like O +the O +photo O +displayed O +in O +the O +first O +decoy O +file O +we O +found O +, O +this O +document O +references O +the O +death O +of O +Mazen O +Fuqaha O +. 
O + +The O +Arabic-language O +text O +and O +English O +translation O +of O +the O +document O +are O +available O +in O +ThreatConnect S-IDTY +here O +. O + +A O +screenshot O +of O +the O +file O +is O +depicted O +below O +. O + +The O +second O +legible O +file O +, O +dated O +April B-TIME +23 E-TIME +, O +has O +the O +same O +letterhead O +and O +also O +is O +addressed O +to O +Yahya O +al-Sinwar O +. O + +This O +file O +discusses O +the O +supposed O +announcement O +banning O +the O +rival O +Fatah S-IDTY +political O +party O +, O +which O +controls O +the O +West B-LOC +Bank E-LOC +, O +from O +Gaza S-LOC +. O + +It O +mentions O +closing O +the O +Fatah S-IDTY +headquarters O +and O +houses O +that O +were O +identified O +as O +meeting O +places O +as O +well O +as O +the O +arrest O +of O +some O +members O +of O +the O +party O +. O + +We O +don’t O +know O +for O +sure O +who O +is O +responsible O +for O +this O +campaign O +, O +but O +digging O +into O +the O +passive O +DNS S-PROT +results O +led O +us O +to O +some O +breadcrumbs O +. O + +Starting O +with O +195.154.110.237 S-IP +, O +the O +IP O +address O +which O +is O +hosting O +the O +command O +and O +control O +domain O +windowsnewupdates.com S-DOM +, O +we O +found O +that O +the O +host O +is O +on O +a O +dedicated O +server O +. O + +Using O +our O +Farsight S-IDTY +DNSDB S-TOOL +integration O +, O +we O +identified O +other O +domains O +currently O +and O +previously O +hosted O +on O +the O +same O +IP O +. O + +Two O +of O +the O +four O +domains O +that O +have O +been O +hosted O +at O +this O +IP O +since O +2016 S-TIME +— O +upfile2box.com S-DOM +and O +7aga.net S-DOM +— O +were O +registered O +by O +a O +freelance O +web O +developer O +in O +Gaza B-LOC +, I-LOC +Palestine E-LOC +. 
O + +This O +IP O +has O +been O +used O +to O +host O +a O +small O +number O +of O +domains O +, O +some O +of O +which O +were O +registered O +by O +the O +same O +actor O +, O +suggesting O +the O +IP O +is O +dedicated O +for O +a O +single O +individual O +or O +group O +’s O +use O +. O + +While O +not O +conclusive O +, O +it O +is O +intriguing O +that O +the O +same O +IP O +was O +observed O +hosting O +a O +domain O +ostensibly O +registered O +in O +Gaza S-LOC +AND O +the O +command O +and O +control O +domain O +associated O +with O +a O +series O +of O +targeted O +attacks O +leveraging O +Palestinian B-IDTY +Authority E-IDTY +-themed O +decoy O +documents O +referencing O +Gaza S-LOC +. O + +Just O +like O +we O +can’t O +make O +a O +definitive O +determination O +as O +to O +who O +conducted O +this O +campaign O +, O +we O +do O +not O +know O +for O +sure O +who O +it O +was O +intended O +to O +target O +. O + +What O +we O +do O +know O +is O +that O +several O +of O +the O +malicious O +files O +were O +submitted O +to O +a O +public O +malware O +analysis O +site O +from O +the O +Palestinian B-LOC +Territories E-LOC +. O + +This O +tells O +us O +that O +it O +is O +possible O +either O +the O +threat O +actors O +or O +at O +least O +one O +of O +the O +targets O +is O +located O +in O +that O +area O +. O + +Additionally O +, O +as O +previously O +mentioned O +, O +the O +decoy O +document O +subject O +matter O +would O +likely O +be O +of O +interest O +to O +a O +few O +different O +potential O +targets O +in O +the O +Palestinian B-LOC +Territories E-LOC +. 
O + +Potential O +targets O +such O +as O +Hamas S-IDTY +who O +controls O +the O +Gaza S-LOC +strip O +and O +counts O +Mazen O +Fuqaha O +and O +Yahya O +al-Sinwar O +as O +members O +, O +Israel S-LOC +which O +is O +accused O +of O +involvement O +in O +the O +assassination O +of O +Mazen O +Fuqaha O +, O +and O +the O +Fatah B-IDTY +party E-IDTY +of O +which O +the O +Prime O +Minister O +and O +President O +of O +the O +Palestinian B-IDTY +Authority E-IDTY +are O +members O +. O + +The O +campaign O +corresponds O +with O +a O +period O +of O +heightened O +tension O +in O +Gaza S-LOC +. O + +Hamas S-IDTY +, O +who O +has O +historically O +maintained O +control O +over O +the O +strip O +, O +elected O +Yahya O +al-Sinwar O +– O +a O +hardliner O +from O +its O +military O +wing O +– O +as O +its O +leader O +in O +February S-TIME +. O + +A O +Humanitarian O +Bulletin O +published O +by O +the O +United B-IDTY +Nations I-IDTY +’ I-IDTY +Office E-IDTY +for O +the O +Coordination B-IDTY +of I-IDTY +Humanitarian I-IDTY +Affairs E-IDTY +indicates O +in O +March B-TIME +2017 E-TIME +( O +just O +before O +the O +first O +malware O +samples O +associated O +with O +this O +campaign O +were O +identified O +in O +early O +April S-TIME +) O +Hamas S-IDTY +created O +“ O +a O +parallel O +institution O +to O +run O +local O +ministries O +in O +Gaza S-LOC +, O +” O + +further O +straining O +the O +relationship O +between O +Hamas S-IDTY +and O +the O +Palestinian B-IDTY +Authority E-IDTY +who O +governs O +the O +West B-LOC +Bank E-LOC +. O + +After O +this O +announcement O +, O +the O +Palestinian B-IDTY +Authority E-IDTY +cut O +salaries O +for O +its O +employees O +in O +Gaza S-LOC +by O +30 O +percent O +and O +informed O +Israel S-LOC +that O +it O +would O +no O +longer O +pay O +for O +electricity O +provided O +to O +Gaza S-LOC +causing O +blackouts O +throughout O +the O +area O +and O +escalating O +tensions O +between O +the O +rival O +groups O +. 
O + +Then O +, O +in O +early O +May S-TIME +( O +two O +days O +after O +the O +last O +malware O +sample O +was O +submitted O +) O +the O +Palestinian B-IDTY +Authority E-IDTY +held O +local O +elections O +in O +the O +West B-LOC +Bank E-LOC +which O +were O +reportedly O +seen O +as O +a O +test O +for O +the O +Fatah B-IDTY +party E-IDTY +. O + +Elections O +were O +not O +held O +in O +Gaza S-LOC +. O + +All O +of O +that O +is O +to O +say O +, O +the O +decoy O +documents O +leveraged O +in O +this O +campaign O +would O +likely O +be O +relevant O +and O +of O +interest O +to O +a O +variety O +of O +targets O +in O +Israel S-LOC +and O +Palestine S-LOC +, O +consistent O +with O +previously O +identified O +KASPERAGENT S-MAL +targeting O +patterns O +. O + +Additionally O +, O +the O +use O +of O +what O +appear O +to O +be O +carefully O +crafted O +documents O +at O +the O +very O +least O +designed O +to O +look O +like O +official O +government O +correspondence O +suggests O +the O +malware O +may O +have O +been O +intended O +for O +a O +government O +employee O +or O +contractor O +who O +would O +be O +interested O +in O +the O +documents O +’ O +subject O +matter O +. O + +APT28 S-APT +: O +New O +Espionage O +Operations O +Target O +Military B-IDTY +and I-IDTY +Government I-IDTY +Organizations E-IDTY +. O + +Recent O +campaigns O +see O +APT28 S-APT +group O +return O +to O +covert O +intelligence O +gathering O +operations O +in O +Europe B-LOC +and I-LOC +South I-LOC +America E-LOC +. O + +After O +making O +headlines O +during O +2016 S-TIME +due O +to O +its O +involvement O +in O +cyber O +attacks O +against O +an O +organization O +involved O +in O +the O +U.S. S-LOC +presidential B-IDTY +election E-IDTY +, O +APT28 S-APT +( O +aka O +Swallowtail S-APT +, O +Fancy B-APT +Bear E-APT +) O +has O +continued O +to O +mount O +operations O +during O +2017 S-TIME +and O +2018 S-TIME +. 
O + +The O +espionage O +group O +, O +which O +according O +to O +the O +U.S. S-LOC +Department B-IDTY +of I-IDTY +Homeland I-IDTY +Security E-IDTY +( O +DHS S-IDTY +) O +and O +the O +Federal B-IDTY +Bureau I-IDTY +of I-IDTY +Investigation E-IDTY +( O +FBI S-IDTY +) O +is O +linked O +to O +the O +Russian O +government O +, O +returned O +to O +low-key O +intelligence-gathering O +operations O +during O +2017 S-TIME +and O +into O +2018 S-TIME +, O +targeting O +a O +range O +of O +military O +and O +government O +targets O +in O +Europe S-LOC +and O +South B-LOC +America E-LOC +. O + +APT28 S-APT +has O +been O +active O +since O +at O +least O +January B-TIME +2007 E-TIME +but O +received O +public O +attention O +in O +a O +major O +way O +during O +2016 S-TIME +when O +it O +was O +implicated O +in O +a O +series O +of O +cyber O +attacks O +in O +the O +run O +up O +to O +the O +U.S. S-LOC +presidential B-IDTY +election E-IDTY +. O + +Beginning O +in O +the O +Spring B-TIME +of I-TIME +2016 E-TIME +, O +APT28 S-APT +sent O +spear-phishing S-ACT +emails S-TOOL +to O +political O +targets O +including O +members O +of O +the O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +( O +DNC S-IDTY +) O +. O + +These O +emails S-TOOL +were O +designed O +to O +trick O +recipients O +into O +supposedly O +changing O +their O +email S-TOOL +passwords O +on O +a O +fake O +webmail O +domain O +. O + +The O +attack O +group O +then O +used O +these O +stolen O +credentials O +to O +gain O +access O +to O +the O +DNC S-IDTY +network O +, O +install O +malware O +, O +move O +across O +the O +network O +, O +and O +steal O +data O +, O +including O +a O +trove O +of O +emails S-TOOL +. O + +The O +compromised O +information O +was O +later O +leaked O +online O +. 
O + +These O +election O +attacks O +signaled O +a O +change O +of O +tactics O +on O +the O +part O +of O +APT28 S-APT +, O +moving O +away O +from O +their O +prior O +low-key O +intelligence O +gathering O +towards O +more O +overt O +activity O +, O +seemingly O +intended O +to O +destabilize O +and O +disrupt O +victim O +organizations O +and O +countries O +. O + +The O +group O +was O +also O +responsible O +for O +the O +2016 S-TIME +attack O +on O +the O +World B-IDTY +Anti I-IDTY +Doping I-IDTY +Agency E-IDTY +( O +WADA S-IDTY +) O +and O +the O +leaking O +of O +confidential O +drug O +testing O +information O +. O + +In O +keeping O +with O +its O +shift O +to O +more O +overt O +tactics O +, O +the O +group O +appeared O +to O +publicly O +take O +credit O +for O +the O +attack O +, O +leaking O +the O +information O +on O +a O +website O +using O +the O +name O +“ O +Fancy B-APT +Bears E-APT +” O +, O +an O +industry O +codename O +that O +was O +already O +widely O +used O +for O +the O +group O +. O + +After O +receiving O +an O +unprecedented O +amount O +of O +attention O +in O +2016 S-TIME +, O +APT28 S-APT +has O +continued O +to O +mount O +operations O +during O +2017 S-TIME +and O +2018 S-TIME +. O + +However O +, O +the O +group O +’s O +activities O +since O +the O +beginning O +of O +2017 S-TIME +have O +again O +become O +more O +covert O +and O +appear O +to O +be O +mainly O +motivated O +by O +intelligence O +gathering O +. O + +The O +organizations O +targeted O +by O +APT28 S-APT +during O +2017 S-TIME +and O +2018 S-TIME +include O +: O + +A O +well-known O +international O +organization O +Military O +targets O +in O +Europe S-LOC +Governments O +in O +Europe S-LOC +A O +government O +of O +a O +South O +American O +country O +An O +embassy O +belonging O +to O +an O +Eastern O +European O +country O +. O + +APT28 S-APT +uses O +a O +number O +of O +tools O +to O +compromise O +its O +targets O +. 
O + +The O +group O +’s O +primary O +malware O +is O +Sofacy S-MAL +, O +which O +has O +two O +main O +components O +. O + +Trojan.Sofacy S-FILE +( O +also O +known O +as O +Seduploader S-MAL +) O +performs O +basic O +reconnaissance O +on O +an O +infected O +computer O +and O +can O +download O +further O +malware O +. O + +Backdoor.SofacyX S-FILE +( O +also O +known O +as O +X-Agent S-MAL +) O +is O +a O +second O +stage O +piece O +of O +malware O +, O +capable O +of O +stealing O +information O +from O +the O +infected O +computer O +. O + +A O +Mac S-OS +version O +of O +the O +Trojan S-MAL +also O +exists O +( O +OSX.Sofacy S-FILE +) O +. O + +APT28 S-APT +has O +continued O +to O +develop O +its O +tools O +over O +the O +past O +two O +years O +. O + +For O +example O +, O +Trojan.Shunnael S-FILE +( O +aka O +X-Tunnel S-MAL +) O +, O +malware O +used O +to O +maintain O +access O +to O +infected O +networks O +using O +an O +encrypted O +tunnel O +, O +underwent O +a O +rewrite O +to O +.NET S-TOOL +. O + +In O +addition O +to O +this O +, O +as O +reported O +by O +our O +peers O +at O +ESET S-SECTEAM +last O +week O +, O +the O +group O +has O +also O +begun O +using O +a O +UEFI S-TOOL +( O +Unified B-TOOL +Extensible I-TOOL +Firmware I-TOOL +Interface E-TOOL +) O +rootkit O +known O +as O +Lojax S-MAL +. O + +Because O +the O +rootkit O +resides O +within O +a O +computer O +’s O +flash O +memory O +, O +it O +allows O +the O +attackers O +to O +maintain O +a O +persistent O +presence O +on O +a O +compromised O +machine O +even O +if O +the O +hard O +drive O +is O +replaced O +or O +the O +operating O +system O +is O +reinstalled O +. O + +Symantec S-SECTEAM +products O +block O +attempts O +to O +install O +Lojax S-MAL +with O +the O +detection O +name O +Trojan.Lojax S-FILE +. 
O + +Another O +attack O +group O +, O +Earworm S-APT +( O +aka O +Zebrocy S-APT +) O +, O +has O +been O +active O +since O +at O +least O +May B-TIME +2016 E-TIME +and O +is O +involved O +in O +what O +appears O +to O +be O +intelligence O +gathering O +operations O +against O +military O +targets O +in O +Europe S-LOC +, O +Central B-LOC +Asia E-LOC +, O +and O +Eastern B-LOC +Asia E-LOC +. O + +The O +group O +uses O +spear-phishing S-ACT +emails S-TOOL +to O +compromise O +its O +targets O +and O +infect O +them O +with O +malware O +. O + +Earworm S-APT +uses O +two O +malware O +tools O +. O + +Trojan.Zekapab S-FILE +is O +a O +downloader O +component O +that O +is O +capable O +of O +carrying O +out O +basic O +reconnaissance O +functions O +and O +downloading O +additional O +malware O +to O +the O +infected O +computer O +. O + +Backdoor.Zekapab S-FILE +is O +installed O +on O +selected O +infected O +computers O +and O +is O +capable O +of O +taking O +screenshots O +, O +executing O +files O +and O +commands O +, O +uploading O +and O +downloading O +files O +, O +performing O +registry O +and O +file O +system O +operations O +, O +and O +carrying O +out O +system O +information O +tasks O +. O + +Earworm S-APT +has O +also O +on O +occasion O +installed O +additional O +tools O +onto O +infected O +computers O +for O +the O +purposes O +of O +keylogging O +and O +password O +capture O +. O + +During O +2016 S-TIME +, O +Symantec S-SECTEAM +observed O +some O +overlap O +between O +the O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C&C S-TOOL +) O +infrastructure O +used O +by O +Earworm S-APT +and O +the O +C&C S-TOOL +infrastructure O +used O +by O +Grizzly B-ACT +Steppe E-ACT +( O +the O +U.S. S-LOC +government O +code O +name O +for O +APT28 S-APT +and O +related O +actors O +) O +, O +implying O +a O +potential O +connection O +between O +Earworm S-APT +and O +APT28 S-APT +. 
O + +However O +, O +Earworm S-APT +also O +appears O +to O +conduct O +separate O +operations O +from O +APT28 S-APT +and O +thus O +Symantec S-SECTEAM +tracks O +them O +as O +a O +distinct O +group O +. O + +It O +is O +now O +clear O +that O +after O +being O +implicated O +in O +the O +U.S. S-LOC +presidential B-IDTY +election E-IDTY +attacks O +in O +late O +2016 S-TIME +, O +APT28 S-APT +was O +undeterred O +by O +the O +resulting O +publicity O +and O +continues O +to O +mount O +further O +attacks O +using O +its O +existing O +tools O +. O + +After O +its O +foray O +into O +overt O +and O +disruptive O +attacks O +in O +2016 S-TIME +, O +the O +group O +has O +subsequently O +returned O +to O +its O +roots O +, O +mounting O +intelligence O +gathering O +operations O +against O +a O +range O +of O +targets O +. O + +This O +ongoing O +activity O +and O +the O +fact O +that O +APT28 S-APT +continues O +to O +refine O +its O +toolset O +means O +that O +the O +group O +will O +likely O +continue O +to O +pose O +a O +significant O +threat O +to O +nation O +state O +targets O +. O + +Symantec S-SECTEAM +has O +had O +the O +following O +protections O +in O +place O +to O +protect O +customers O +against O +APT28 S-APT +attacks O +: O + +Trojan.Sofacy S-MAL +Backdoor.SofacyX S-MAL +Infostealer.Sofacy S-MAL +OSX.Sofacy S-MAL +Trojan.Shunnael S-MAL +Trojan.Lojax S-MAL +. O + +The O +following O +protections O +are O +in O +place O +to O +protect O +customers O +against O +Earworm S-APT +attacks O +: O + +Trojan.Zekapab S-MAL +Backdoor.Zekapab S-MAL +. O + + +A O +BREXIT-themed O +lure O +document O +that O +delivers O +ZEKAPAB S-MAL +malware O +. O + +SNAKEMACKEREL S-APT +is O +an O +espionage-motivated O +cyber O +threat O +group O +, O +also O +known O +as O +Sofacy S-APT +, O +Pawn B-APT +Storm E-APT +, O +Sednit S-APT +, O +Fancy B-APT +Bear E-APT +, O +APT28 S-APT +, O +Group B-APT +74 E-APT +, O +Tsar B-APT +Team E-APT +, O +and O +Strontium S-APT +. 
O + +Both O +the O +British S-LOC +and O +Dutch S-LOC +governments O +have O +publicly O +attributed O +SNAKEMACKEREL S-APT +activities O +to O +the O +Russian B-IDTY +military I-IDTY +intelligence I-IDTY +service E-IDTY +( O +RIS S-IDTY +) O +and O +have O +linked O +specific O +cyberattacks O +to O +the O +group O +, O +including O +the O +targeting O +of O +the O +Organisation B-IDTY +for I-IDTY +the I-IDTY +Prohibition I-IDTY +of I-IDTY +Chemical I-IDTY +Weapons E-IDTY +( O +OPCW S-IDTY +) O +, O +the O +United B-IDTY +Kingdom I-IDTY +Defence I-IDTY +and I-IDTY +Science I-IDTY +Technology I-IDTY +Laboratory E-IDTY +( O +DSTL S-IDTY +) O +and O +the O +United B-IDTY +Kingdom I-IDTY +Foreign I-IDTY +and I-IDTY +Commonwealth I-IDTY +Office E-IDTY +( O +FCO S-IDTY +) O +. O + +According O +to O +the O +FBI S-IDTY +, O +the O +SNAKEMACKEREL S-APT +threat O +group O +"is O +part O +of O +an O +ongoing O +campaign O +of O +cyber-enabled O +operations O +directed O +at O +the O +United B-LOC +States E-LOC +government O +and O +its O +citizens O +. O + +These O +cyber O +operations O +have O +included O +spear B-ACT +phishing E-ACT +campaigns O +targeting O +government O +organizations O +, O +critical O +infrastructure O +entities O +, O +think O +tanks O +, O +universities O +, O +political O +organizations O +, O +and O +corporations O +, O +leading O +to O +the O +theft O +of O +information O +. 
O + +The O +creation O +of O +this O +malicious O +document O +, O +coming O +on O +the O +same O +day O +that O +the O +UK S-LOC +government O +announced O +an O +initial O +agreed O +draft O +of O +the O +BREXIT O +agreement O +, O +suggests O +that O +SNAKEMACKEREL S-APT +is O +a O +group O +that O +pays O +close O +attention O +to O +political O +affairs O +and O +is O +able O +to O +leverage O +the O +latest O +news O +headlines O +to O +develop O +lure O +documents O +to O +deliver O +firststage O +malware O +, O +such O +as O +Zekapab S-MAL +, O +to O +its O +intended O +targets O +. O + +The O +theme O +also O +reflects O +the O +targeting O +of O +the O +group O +which O +primarily O +focuses O +on O +NATO S-IDTY +members O +, O +countries O +in O +Central B-LOC +Asia E-LOC +and O +those O +neighboring O +Russia S-LOC +. O + +Despite O +the O +public O +reporting O +and O +government O +accusations O +, O +SNAKEMACKEREL S-APT +remains O +highly O +active O +. O + +It O +is O +behind O +a O +large O +number O +of O +cyberattacks O +targeting O +global O +aerospace O +and O +defense O +contractors O +, O +military O +units O +, O +political O +parties O +, O +the O +International B-IDTY +Olympic I-IDTY +Committee E-IDTY +( O +IOC S-IDTY +) O +, O +anti-doping O +agencies O +, O +government O +departments O +and O +various O +other O +verticals O +. O + +NATO S-IDTY +and O +EU S-IDTY +member O +countries O +, O +as O +well O +as O +the O +United B-IDTY +States E-IDTY +, O +are O +of O +particular O +interest O +to O +the O +group O +. O + +SNAKEMACKEREL S-APT +operations O +continue O +to O +be O +some O +of O +the O +most O +far-reaching O +and O +sophisticated O +cyber O +espionage O +and O +intelligence O +campaigns O +to O +date O +. 
O + +This O +report O +provides O +a O +technical O +overview O +of O +a O +BREXIT-themed O +lure O +Microsoft S-IDTY +Office S-IDTY +document O +that O +is O +used O +to O +drop O +a O +Delphi S-TOOL +version O +of O +the O +Zekapab S-MAL +first-stage O +malware O +which O +has O +been O +previously O +reported O +by O +iDefense S-IDTY +analysts O +. O + +However O +, O +additional O +research O +on O +the O +C2 S-TOOL +server O +109.248.148.42 S-IP +revealed O +a O +new O +.NET S-TOOL +version O +of O +Zekapab S-MAL +that O +is O +designed O +for O +the O +same O +purpose O +. O +iDefense S-IDTY +analysts O +recently O +came O +across O +the O +following O +malicious O +document O +that O +is O +purportedly O +related O +to O +the O +recent O +BREXIT O +negotiations O +between O +the O +UK S-LOC +and O +the O +EU S-IDTY +. O + +Brexit B-FILE +15.11.2018.docx E-FILE +: O + +405655be03df45881aa88b55603bef1d S-MD5 +. O + +Of O +note O +, O +the O +Company O +name O +Grizli777 S-IDTY +is O +indicative O +of O +a O +cracked O +version O +of O +Microsoft S-IDTY +Word S-TOOL +. O + +To O +trick O +the O +targeted O +individual O +into O +enabling O +macros O +, O +the O +attackers O +deliberately O +used O +jumbled-up O +text O +as O +content O +. O + +The O +document O +loads O +malicious O +content O +from O +http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm S-URL +via O +the O +settings.xml.rels S-FILE +component O +that O +is O +embedded O +within O +the O +DOCX S-TOOL +document O +. O + +The O +downloaded O +macro O +component O +includes O +a O +function O +called O +AutoClose() O +as O +well O +as O +two O +payloads O +embedded O +via O +Base64 S-ENCR +encoded O +strings O +. 
O + +Research O +on O +the O +malicious O +IP O +address O +109.248.148.42 S-IP +revealed O +two O +different O +.dotm S-FILE +components O +: O + +Filename O +: O +attachedTemplate.dotm S-FILE +MD5 S-ENCR +: O +018611b879b2bbd886e86b62484494da S-MD5 +Filename O +: O +templates.dotm S-FILE +MD5 S-ENCR +: O +2a794b55b839b3237482098957877326 S-MD5 +. O + +The O +two O +components O +are O +dropped O +from O +the O +following O +URLs O +respectively O +: O + +http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm S-URL +http://109.248.148.42/officeDocument/2006/relationships/templates.dotm S-URL +. O + +Both O +components O +contain O +an O +identical O +VBA S-TOOL +macro O +code O +as O +shown O +above O +, O +each O +containing O +two O +different O +embedded O +payloads O +: O +one O +is O +an O +executable O +binary O +file O +and O +the O +other O +is O +a O +.docm S-FILE +file O +. O +attachedTemplate.dotm S-FILE +dropped O +the O +following O +: O + +Filename O +: O +ntslwin.exe S-FILE +MD5 S-ENCR +: O +7e67122d3a052e4755b02965e2e56a2e S-MD5 +Filename O +: O +~de03fc12a.docm S-FILE +MD5 S-ENCR +: O +9d703d31795bac83c4dd90527d149796 S-MD5 +. O +templates.dotm S-FILE +dropped O +the O +following O +: O + +Filename O +: O +ntslwin.exe S-FILE +MD5 S-ENCR +: O +a13c864980159cd9bdc94074b2389dda S-MD5 +Filename O +: O +~de03fc12a.docm S-FILE +MD5 S-ENCR +: O +9d703d31795bac83c4dd90527d149796 S-MD5 +. O + +The O +second O +macro O +file O +~de03fc12a.docm S-FILE +dropped O +includes O +a O +simple O +macro O +to O +execute O +the O +dropped O +executable O +. O + +Analysis O +into O +the O +two O +binaries O +shows O +that O +they O +are O +in O +fact O +a O +Delphi S-TOOL +( O +initially O +UPX S-TOOL +packed O +) O +and O +.NET S-TOOL +version O +of O +the O +Zekapab S-MAL +first-stage O +malware O +. 
O + +The O +following O +network O +traffic O +is O +performed O +by O +the O +Delphi S-TOOL +sample O +which O +has O +the O +following O +metadata O +once O +unpacked O +by O +UPX S-TOOL +: O + +Filename O +: O +ntslwin.exe S-FILE +MD5 S-ENCR +: O +f4cab3a393462a57639faa978a75d10a S-MD5 +. O + +Exhibit O +4 O +shows O +the O +network O +traffic O +generated O +by O +the O +sample O +, O +a O +http S-PROT +POST O +request O +containing O +the O +system O +information O +collected O +. O + +On O +the O +other O +hand O +, O +the O +network O +traffic O +generated O +by O +the O +.NET S-TOOL +version O +is O +unencoded O +. O + +Both O +versions O +are O +designed O +to O +collect O +system O +information O +and O +running O +processes O +and O +send O +them O +to O +the O +designated O +C2 S-TOOL +server O +using O +http S-PROT +POST O +to O +the O +URI O +used O +in O +both O +cases O +is O +/agr-enum/progress-inform/cube.php?res= O +. O + +If O +the O +system O +is O +deemed O +interesting O +, O +the O +next O +stage O +malware O +would O +be O +delivered O +into O +corresponding O +directories O +. O + +The O +second-stage O +malware O +is O +delivered O +to O +different O +destinations O +with O +an O +autorun O +registry O +key O +set O +respectively O +. O + +For O +the O +Delphi S-TOOL +version O +, O +the O +following O +registry O +key O +and O +value O +are O +used O +for O +persistence O +: O + +Key O +: O +HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AudioMgr O +Value O +: O +%AppData%\Video\videodrv.exe S-FILE +. O + +For O +the O +.NET S-TOOL +version O +, O +the O +following O +registry O +key O +and O +value O +are O +used O +for O +persistence O +: O + +Key O +: O +HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleIndexer O +Value O +: O +%AppData%\Platform\sslwin.exe S-FILE +. 
O + +The O +list O +of O +information O +collected O +includes O +: O + +Results O +from O +the O +commands O +systeminfo O +and O +tasklist O +Current O +execution O +path O +Capture O +screenshot O +Drive O +enumeration O +Drive O +serial O +number O +. O + +The O +code O +for O +downloading O +and O +executing O +the O +next O +stage O +malware O +. O + +As O +shown O +, O +the O +delivery O +of O +the O +next-stage O +malware O +is O +dependent O +on O +the O +information O +collected O +. O + +To O +mitigate O +the O +threat O +described O +in O +this O +report O +, O +iDefense S-IDTY +recommends O +blocking O +access O +to O +the O +IP O +address O +and O +URI O +pattern O +: O + +109.248.148.42 S-IP +/agr-enum/progress-inform/cube.php?res= O +. O + +For O +threat O +hunting O +, O +iDefense O +recommends O +searching O +for O +the O +following O +: O + +Network O +: O +Presence O +of O +http S-PROT +and O +DNS S-PROT +traffic O +to O +the O +network O +IOCs O +shared O +above O +. O + +System O +: O +Presence O +of O +the O +following O +artifacts O +. O + +Persistence O +mechanism O +Registry O +Key O +: O + +Key O +: O +HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AudioMgr O +Key O +: O +HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleIndexer O +. O + +On O +disk O +artefacts O +File O +with O +the O +full O +path O +: O +%AppData%\Video\videodrv.exe S-FILE +File O +with O +the O +full O +path O +: O +%AppData%\Platform\sslwin.exe S-FILE +Files O +with O +following O +file O +hashes O +. O + + +“ O +Cyber O +Conflict O +” O +Decoy O +Document O +Used O +In O +Real O +Cyber O +Conflict O +. O + +Cisco O +Talos O +discovered O +a O +new O +malicious O +campaign O +from O +the O +well O +known O +actor O +Group B-APT +74 E-APT +( O +aka O +Tsar B-APT +Team E-APT +, O +Sofacy S-APT +, O +APT28 S-APT +, O +Fancy B-APT +Bear E-APT +) O +. 
O + +Ironically O +the O +decoy O +document O +is O +a O +deceptive O +flyer O +relating O +to O +the O +Cyber O +Conflict O +U.S. S-LOC +conference O +. O + +CyCon S-IDTY +US S-LOC +is O +a O +collaborative O +effort O +between O +the O +Army B-SECTEAM +Cyber I-SECTEAM +Institute E-SECTEAM +at O +the O +United B-IDTY +States I-IDTY +Military I-IDTY +Academy E-IDTY +and O +the O +NATO S-IDTY +Cooperative B-IDTY +Cyber I-IDTY +Military I-IDTY +Academy E-IDTY +and O +the O +NATO S-IDTY +Cooperative B-IDTY +Cyber I-IDTY +Defence I-IDTY +Centre I-IDTY +of I-IDTY +Excellence E-IDTY +. O + +Due O +to O +the O +nature O +of O +this O +document O +, O +we O +assume O +that O +this O +campaign O +targets O +people O +with O +an O +interest O +in O +cyber O +security O +. O + +Unlike O +previous O +campaigns O +from O +this O +actor O +, O +the O +flyer O +does O +not O +contain O +an O +Office O +exploit O +or O +a O +0-day O +, O +it O +simply O +contains O +a O +malicious O +Visual B-TOOL +Basic I-TOOL +for I-TOOL +Applications E-TOOL +( O +VBA S-TOOL +) O +macro O +. O + +The O +VBA S-TOOL +drops O +and O +executes O +a O +new O +variant O +of O +Seduploader S-MAL +. O + +This O +reconnaissance O +malware O +has O +been O +used O +by O +Group B-APT +74 E-APT +for O +years O +and O +it O +is O +composed O +of O +2 O +files O +: O +a O +dropper O +and O +a O +payload O +. O + +The O +dropper O +and O +the O +payload O +are O +quite O +similar O +to O +the O +previous O +versions O +but O +the O +author O +modified O +some O +public O +information O +such O +as O +MUTEX O +name O +, O +obfuscation O +keys.. +. O + +We O +assume O +that O +these O +modifications O +were O +performed O +to O +avoid O +detection O +based O +on O +public O +IOCs O +. O + +The O +article O +describes O +the O +malicious O +document O +and O +the O +Seduploader S-MAL +reconnaissance O +malware O +, O +especially O +the O +difference O +with O +the O +previous O +versions O +. 
O + +The O +decoy O +document O +is O +a O +flyer O +concerning O +the O +Cyber O +Conflict O +U.S. S-LOC +conference O +with O +the O +following O +filename O +Conference_on_Cyber_Conflict.doc S-FILE +. O + +The O +Office S-TOOL +document O +contains O +a O +VBA S-TOOL +script O +. O + +The O +goal O +of O +this O +code O +is O +to O +get O +information O +from O +the O +properties O +of O +the O +document O +( O +"Subject" O +, O +"Company" O +, O +"Category" O +, O +"Hyperlink O +base" O +and O +finally O +"Comments" O +) O +. O + +Some O +of O +this O +information O +can O +be O +directly O +extracted O +from O +the O +Windows S-OS +explorer O +by O +looking O +at O +the O +properties O +of O +the O +file O +. O + +The O +"Hyperlink O +Base" O +must O +be O +extracted O +using O +another O +tool O +, O +strings O +is O +capable O +of O +obtaining O +this O +by O +looking O +for O +long O +strings O +. O + +Pay O +close O +attention O +to O +the O +contents O +of O +these O +fields O +as O +they O +appear O +base64 S-ENCR +encoded O +. O + +This O +extracted O +information O +is O +concatenated O +together O +to O +make O +a O +single O +variable O +. O + +This O +variable O +is O +decoded O +with O +the O +base64 S-ENCR +algorithm O +in O +order O +to O +get O +a O +Windows S-OS +library O +( O +PE S-TOOL +file O +) O +which O +is O +written O +to O +disk O +. O + +The O +file O +is O +named O +netwf.dat S-FILE +. O + +On O +the O +next O +step O +this O +file O +is O +executed O +by O +rundll32.exe S-FILE +via O +the O +KlpSvc S-TOOL +export O +. O + +We O +see O +that O +this O +file O +drops O +2 O +additional O +files O +: O +netwf.bat S-FILE +and O +netwf.dll S-FILE +. O + +The O +final O +part O +of O +the O +VBA S-TOOL +script O +changes O +the O +properties O +of O +these O +two O +files O +, O +setting O +their O +attributes O +to O +Hidden O +. 
O + +We O +can O +also O +see O +2 O +VBA S-TOOL +variable O +names O +: O +PathPld O +, O +probably O +for O +Path O +Payload O +, O +and O +PathPldBt O +, O +for O +Path O +Payload O +Batch O +. O + +As O +opposed O +to O +previous O +campaigns O +performed O +by O +this O +actor O +, O +this O +latest O +version O +does O +not O +contain O +privilege O +escalation O +and O +it O +simply O +executes O +the O +payload O +and O +configures O +persistence O +mechanisms O +. O + +The O +dropper O +installs O +2 O +files O +: O + +netwf.bat S-FILE +: O + +executes O +netwf.dll S-FILE +netwf.dll S-FILE +: O + +the O +payload O +. O + +The O +dropper O +implements O +2 O +persistence O +mechanisms O +: O + +HKCU\Environment\UserInitMprLogonScript O +to O +execute O +the O +netwf.bat S-FILE +file O +COM O +Object O +hijack O +of O +the O +following O +CLSID S-TOOL +: O +{BCDE0395-E52F-467C-8E3D-C4579291692E} O +, O +the O +CLSID S-TOOL +of O +the O +class O +MMDeviceEnumerator O +. O + +These O +2 O +techniques O +have O +also O +been O +previously O +used O +by O +this O +actor O +. O + +Finally O +the O +payload O +is O +executed O +by O +rundll32.exe S-FILE +( O +and O +the O +ordinal O +#1 O +in O +argument O +) O +or O +by O +explorer.exe S-FILE +if O +the O +COM O +Object O +hijack O +is O +performed O +. O + +In O +this O +case O +, O +explorer.exe S-FILE +will O +instance O +the O +MMDeviceEnumerator O +class O +and O +will O +execute O +the O +payload O +. O + +The O +payload O +features O +are O +similar O +to O +the O +previous O +versions O +of O +Seduploader S-MAL +. O + +We O +can O +compare O +it O +to O +the O +sample O +e338d49c270baf64363879e5eecb8fa6bdde8ad9 S-SHA1 +used O +in O +May B-TIME +2017 E-TIME +by O +Group B-APT +74 E-APT +. O + +Of O +the O +195 O +functions O +of O +the O +new O +sample O +, O +149 O +are O +strictly O +identical O +, O +16 O +match O +at O +90% O +and O +2 O +match O +at O +80% O +. 
O + +In O +the O +previous O +campaign O +where O +adversaries O +used O +Office S-TOOL +document O +exploits O +as O +an O +infection O +vector O +, O +the O +payload O +was O +executed O +in O +the O +Office S-TOOL +word O +process O +. O + +In O +this O +campaign O +, O +adversaries O +did O +not O +use O +any O +exploit O +. O + +Instead O +,the O +payload O +is O +executed O +in O +standalone O +mode O +by O +rundll32.exe S-FILE +. O + +Adversaries O +also O +changed O +some O +constants O +, O +such O +as O +the O +XOR S-ENCR +key O +used O +in O +the O +previous O +version O +. O + +The O +key O +in O +our O +version O +is O +: O +key=b"\x08\x7A\x05\x04\x60\x7c\x3e\x3c\x5d\x0b\x18\x3c\x55\x64" O +. O + +The O +MUTEX O +name O +is O +different O +too O +: O +FG00nxojVs4gLBnwKc7HhmdK0h O +. O + +Here O +are O +some O +of O +the O +Seduploader S-MAL +features O +: O + +Screenshot O +capture O +( O +with O +the O +GDI S-TOOL +API S-TOOL +) O +; O + +data/configuration O +Exfiltration S-ACT +; O + +Execution O +of O +code O +; O + +File O +downloading O +; O + +The O +Command B-TOOL +& I-TOOL +Control E-TOOL +( O +CC S-TOOL +) O +of O +the O +analysed O +sample O +is O +myinvestgroup[.]com S-DOM +. O + +During O +the O +investigation O +, O +the O +server O +did O +not O +provide O +any O +configuration O +to O +the O +infected O +machines O +. O + +Based O +on O +the O +metadata O +of O +the O +Office S-TOOL +documents O +and O +the O +PE S-TOOL +files O +, O +the O +attackers O +had O +created O +the O +file O +on O +Wednesday S-TIME +, O +the B-TIME +4th I-TIME +of I-TIME +October E-TIME +. O + +Analysis O +of O +this O +campaign O +shows O +us O +once O +more O +that O +attackers O +are O +creative O +and O +use O +the O +news O +to O +compromise O +the O +targets O +. 
O + +This O +campaign O +has O +most O +likely O +been O +created O +to O +allow O +the O +targeting O +of O +people O +linked O +to O +or O +interested O +by O +cybersecurity O +, O +so O +probably O +the O +people O +who O +are O +more O +sensitive O +to O +cybersecurity O +threats O +. O + +In O +this O +case O +, O +Group B-APT +74 E-APT +did O +not O +use O +an O +exploit O +or O +any O +0-day S-VULNAME +but O +simply O +used O +scripting O +language O +embedded O +within O +the O +Microsoft S-IDTY +Office S-TOOL +document O +. O + +Due O +to O +this O +change O +, O +the O +fundamental O +compromise O +mechanism O +is O +different O +as O +the O +payload O +is O +executed O +in O +a O +standalone O +mode O +. O + +The O +reasons O +for O +this O +are O +unknown O +, O +but O +, O +we O +could O +suggest O +that O +they O +did O +not O +want O +to O +utilize O +any O +exploits O +to O +ensure O +they O +remained O +viable O +for O +any O +other O +operations O +. O + +Actors O +will O +often O +not O +use O +exploits O +due O +to O +the O +fact O +that O +researchers O +can O +find O +and O +eventually O +patch O +these O +which O +renders O +the O +actors O +weaponized O +platforms O +defunct O +. O + +Additionally O +the O +author O +did O +some O +small O +updates O +after O +publications O +from O +the O +security O +community O +, O +again O +this O +is O +common O +for O +actors O +of O +this O +sophisticated O +nature O +, O +once O +their O +campaigns O +have O +been O +exposed O +they O +will O +often O +try O +to O +change O +tooling O +to O +ensure O +better O +avoidance O +. O + +For O +example O +the O +actor O +changed O +the O +XOR S-ENCR +key O +and O +the O +MUTEX O +name O +. O + + +APT28 S-APT +: O +AT O +THE O +CENTER O +OF O +THE O +STORM O +. 
O + +The O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +’s O +( O +DNC S-IDTY +) O +June B-TIME +2016 E-TIME +announcement O +attributing O +its O +network O +breach O +to O +the O +Russian O +Government O +triggered O +an O +international O +debate O +over O +Russia S-LOC +’s O +sponsorship O +of O +information O +operations O +against O +the O +U.S. S-LOC + +Our O +visibility O +into O +the O +operations O +of O +APT28 S-APT +- O +a O +group O +we O +believe O +the O +Russian O +Government O +sponsors O +- O +has O +given O +us O +insight O +into O +some O +of O +the O +government O +’s O +targets O +, O +as O +well O +as O +its O +objectives O +and O +the O +activities O +designed O +to O +further O +them O +. O + +We O +have O +tracked O +and O +profiled O +this O +group O +through O +multiple O +investigations O +, O +endpoint O +and O +network O +detections O +, O +and O +continuous O +monitoring O +. O + +Our O +visibility O +into O +APT28 S-APT +’s O +operations O +, O +which O +date O +to O +at O +least O +2007 S-TIME +, O +has O +allowed O +us O +to O +understand O +the O +group O +’s O +malware O +, O +operational O +changes O +, O +and O +motivations O +. O + +This O +intelligence O +has O +been O +critical O +to O +protecting O +and O +informing O +our O +clients O +, O +exposing O +this O +threat O +, O +and O +strengthening O +our O +confidence O +in O +attributing O +APT28 S-APT +to O +the O +Russian O +Government O +. O + +On O +December B-TIME +29 I-TIME +, I-TIME +2016 E-TIME +, O +the O +Department B-IDTY +of I-IDTY +Homeland I-IDTY +Security E-IDTY +( O +DHS S-IDTY +) O +and O +Federal B-IDTY +Bureau I-IDTY +of I-IDTY +Investigation E-IDTY +( O +FBI S-IDTY +) O +released O +a O +Joint O +Analysis O +Report O +confirming O +FireEye S-SECTEAM +’s O +long O +held O +public O +assessment O +that O +the O +Russian O +Government O +sponsors O +APT28 S-APT +. 
O + +Since O +at O +least O +2007 S-TIME +, O +APT28 S-APT +has O +engaged O +in O +extensive O +operations O +in O +support O +of O +Russian O +strategic O +interests O +. O + +The O +group O +, O +almost O +certainly O +compromised O +of O +a O +sophisticated O +and O +prolific O +set O +of O +developers O +and O +operators O +, O +has O +historically O +collected O +intelligence O +on O +defense O +and O +geopolitical O +issues O +. O + +APT28 S-APT +espionage O +activity O +has O +primarily O +targeted O +entities O +in O +the O +U.S. S-LOC +, O +Europe S-LOC +, O +and O +the O +countries O +of O +the O +former O +Soviet B-LOC +Union E-LOC +, O +including O +governments O +and O +militaries O +, O +defense O +attaches O +, O +media O +entities O +, O +and O +dissidents O +and O +figures O +opposed O +to O +the O +current O +Russian O +Government O +. O + +Over O +the O +past O +two O +years O +, O +Russia S-LOC +appears O +to O +have O +increasingly O +leveraged O +APT28 S-APT +to O +conduct O +information O +operations O +commensurate O +with O +broader O +strategic O +military O +doctrine O +. O + +After O +compromising O +a O +victim O +organization O +, O +APT28 S-APT +will O +steal O +internal O +data O +that O +is O +then O +leaked O +to O +further O +political O +narratives O +aligned O +with O +Russian O +interests O +. O + +To O +date O +these O +have O +included O +the O +conflict O +in O +Syria S-LOC +, O +NATO-Ukraine O +relations O +, O +the O +European B-IDTY +Union E-IDTY +refugee O +and O +migrant O +crisis O +, O +the O +2016 S-TIME +Olympics S-IDTY +and O +Paralympics S-IDTY +Russian O +athlete O +doping O +scandal O +, O +public O +accusations O +regarding O +Russian O +state-sponsored O +hacking O +, O +and O +the O +2016 S-TIME +U.S. S-LOC +presidential O +election O +. O + +This O +report O +details O +our O +observations O +of O +APT28 S-APT +’s O +targeting O +, O +and O +our O +investigation O +into O +a O +related O +breach O +. 
O + +We O +also O +provide O +an O +update O +on O +shifts O +in O +the O +group O +’s O +tool O +development O +and O +use O +, O +and O +summarize O +the O +tactics O +APT28 S-APT +employs O +to O +compromise O +its O +victims O +. O + +In O +October B-TIME +2014 E-TIME +, O +FireEye S-SECTEAM +released O +APT28 S-APT +: O +A O +Window S-OS +into O +Russia S-LOC +’s O +Cyber O +Espionage O +Operations? O +, O +and O +characterized O +APT28 S-APT +’s O +activity O +as O +aligning O +with O +the O +Russian O +Government O +’s O +strategic O +intelligence O +requirements O +. O + +While O +tracking O +APT28 S-APT +, O +we O +noted O +the O +group O +’s O +interest O +in O +foreign O +governments O +and O +militaries O +, O +particularly O +those O +of O +European O +and O +Eastern O +European O +nations O +, O +as O +well O +as O +regional O +security O +organizations O +, O +such O +as O +the O +North B-IDTY +Atlantic I-IDTY +Treaty I-IDTY +Organization E-IDTY +( O +NATO S-IDTY +) O +and O +the O +Organization B-IDTY +for I-IDTY +Security I-IDTY +and I-IDTY +Cooperation I-IDTY +in I-IDTY +Europe E-IDTY +( O +OSCE S-IDTY +) O +, O +among O +others O +. O + +Table O +1 O +highlights O +some O +recent O +examples O +of O +this O +activity O +. O + +OSCE S-IDTY +: O + +NOVEMBER B-TIME +2016 E-TIME +, O +The O +OSCE S-IDTY +confirmed O +that O +it O +had O +suffered O +an O +intrusion O +, O +which O +a O +Western O +intelligence O +service O +attributed O +to O +APT28 S-APT +. O + +Germany S-LOC +'s O +Christian B-IDTY +Democratic I-IDTY +Union E-IDTY +( O +CDU S-IDTY +) O +: O + +APRIL B-TIME +- I-TIME +MAY I-TIME +2016 E-TIME +, O +Researchers O +at O +Trend O +Micro O +observed O +APT28 S-APT +establish O +a O +fake O +CDU S-IDTY +email S-TOOL +server O +and O +launch O +phishing E-ACT +emails S-TOOL +against O +CDU S-IDTY +members O +in O +an O +attempt O +to O +obtain O +their O +email S-TOOL +credentials O +and O +access O +their O +accounts O +. 
O + +Pussy O +Riot O +AUGUST S-TIME +: O + +2015 S-TIME +, O +APT28 S-APT +targets O +Russian O +rockers O +and O +dissidents O +Pussy O +Riot O +via O +spear-phishing S-ACT +emails S-TOOL +. O + +NATO S-IDTY +, O +Afghan B-IDTY +Ministry I-IDTY +of I-IDTY +Foreign I-IDTY +Affairs E-IDTY +, O +Pakistani B-IDTY +Military E-IDTY +: O + +JULY B-TIME +2015 E-TIME +, O +APT28 S-APT +used O +two O +domains O +( O +nato-news.com S-DOM +and O +bbc-news.org S-DOM +) O +to O +host O +an O +Adobe S-IDTY +Flash S-TOOL +zero-day S-VULNAME +exploit O +to O +target O +NATO S-IDTY +, O +the O +Afghan B-IDTY +Ministry I-IDTY +of I-IDTY +Foreign I-IDTY +Affairs E-IDTY +, O +and O +the O +Pakistani B-IDTY +military E-IDTY +. O + +German B-IDTY +Bundestag I-IDTY +& I-IDTY +Political I-IDTY +Parties E-IDTY +: O + +JUNE B-TIME +2015 E-TIME +, O +Germany S-LOC +’s O +Federal O +Office O +for O +Security O +in O +Information O +Technology O +( O +BSI O +) O +announced O +that O +APT28 S-APT +was O +likely O +responsible O +for O +the O +spear B-ACT +phishing E-ACT +emails S-TOOL +sent O +to O +members O +of O +several O +German O +political O +parties O +. O + +The O +head O +of O +Germany S-LOC +’s O +domestic O +intelligence O +agency O +, O +Bundesamt B-IDTY +für I-IDTY +Verfassungsschutz E-IDTY +( O +BfV S-IDTY +) O +, O +also O +attributed O +the O +June B-TIME +2015 E-TIME +compromise O +of O +the O +Bundestag O +’s O +networks O +to O +APT28 S-APT +. 
O + +Kyrgyzstan B-IDTY +Ministry I-IDTY +of I-IDTY +Foreign I-IDTY +Affairs E-IDTY +: O + +OCTOBER B-TIME +2014 E-TIME +THROUGH O +SEPTEMBER B-TIME +2015 E-TIME +, O +FireEye S-SECTEAM +iSight O +Intelligence O +identified O +changes O +made O +to O +domain O +name O +server O +( O +DNS S-PROT +) O +records O +that O +suggest O +that O +APT28 S-APT +intercepted O +email S-TOOL +traffic O +from O +the O +Kyrgyzstan B-IDTY +Ministry I-IDTY +of I-IDTY +Foreign I-IDTY +Affairs E-IDTY +after O +maliciously O +modifying O +DNS S-PROT +records O +of O +the O +ministry O +’s O +authoritative O +DNS S-PROT +servers O +. O + +Polish O +Government O +& O +Power O +Exchange O +websites O +: O + +JUNE B-TIME +AND I-TIME +SEPTEMBER I-TIME +2014 E-TIME +, O +APT28 S-APT +employed O +“ O +Sedkit S-MAL +” O +in O +conjunction O +with O +strategic O +web O +compromises O +to O +deliver O +“ O +Sofacy S-MAL +” O +malware O +on O +Polish O +Government O +websites O +, O +and O +the O +websites O +of O +Polish O +energy O +company O +Power O +Exchange O +. O + +On O +September B-TIME +13 E-TIME +, O +WADA S-IDTY +confirmed O +that O +APT28 S-APT +had O +compromised O +its O +networks O +and O +accessed O +athlete O +medical O +data O +. O + +On O +September B-TIME +12 I-TIME +, I-TIME +2016 E-TIME +, O +the O +“ O +Fancy B-APT +Bears E-APT +’ O +Hack O +Team O +” O +persona O +claimed O +to O +have O +compromised O +WADA S-IDTY +and O +released O +athletes O +’ O +medical O +records O +as O +“ O +proof O +of O +American O +athletes O +taking O +doping. O +” O + +The O +DNC S-IDTY +announced O +it O +had O +suffered O +a O +network O +compromise O +and O +that O +a O +subsequent O +investigation O +found O +evidence O +of O +two O +breaches O +, O +attributed O +to O +APT28 S-APT +and O +APT29 S-APT +. 
O + +FireEye S-SECTEAM +analyzed O +the O +malware O +found O +on O +DNC S-IDTY +networks O +and O +determined O +that O +it O +was O +consistent O +with O +our O +previous O +observations O +of O +APT28 S-APT +tools O +. O + +In O +June B-TIME +2016 E-TIME +, O +shortly O +after O +the O +DNC S-IDTY +’s O +announcement O +, O +the O +Guccifer S-APT +2.0 O +persona O +claimed O +responsibility O +for O +the O +DNC S-IDTY +breach O +and O +leaked O +documents O +taken O +from O +the O +organization O +’s O +network O +. O + +Guccifer S-APT +2.0 O +continued O +to O +leak O +batches O +of O +DNC S-IDTY +documents O +through O +September S-TIME +. O + +Investigators O +found O +that O +John O +Podesta O +, O +Hillary O +Clinton O +’s O +presidential O +campaign O +chairman O +, O +was O +one O +of O +thousands O +of O +individuals O +targeted O +in O +a O +mass O +phishing E-ACT +scheme O +using O +shortened O +URLs O +that O +security O +researchers O +attributed O +to O +APT28 S-APT +. O + +Throughout O +October S-TIME +and O +into O +early O +November S-TIME +, O +WikiLeaks S-TOOL +published O +34 O +batches O +of O +email S-TOOL +correspondence O +stolen O +from O +John O +Podesta O +’s O +personal O +email S-TOOL +account O +. O + +Correspondence O +of O +other O +individuals O +targeted O +in O +the O +same O +phishing E-ACT +campaign O +, O +including O +former O +Secretary O +of O +State O +Colin O +Powell O +and O +Clinton O +campaign O +staffer O +William O +Rinehart O +, O +were O +published O +on O +the O +“ O +DC O +Leaks O +” O +website O +. O + +In O +July S-TIME +, O +the O +DCCC S-IDTY +announced O +that O +it O +was O +investigating O +an O +ongoing O +“ O +cybersecurity O +incident O +” O +that O +the O +FBI S-IDTY +believed O +was O +linked O +to O +the O +compromise O +of O +the O +DNC S-IDTY +. O + +House O +Speaker O +Nancy O +Pelosi O +later O +confirmed O +that O +the O +DCCC S-IDTY +had O +suffered O +a O +network O +compromise O +. 
O + +Investigators O +indicated O +that O +the O +actors O +may O +have O +gained O +access O +to O +DCCC S-IDTY +systems O +as O +early O +as O +March S-TIME +. O + +In O +August S-TIME +, O +the O +Guccifer S-APT +2.0 O +persona O +contacted O +reporters O +covering O +U.S. S-LOC +House B-IDTY +of I-IDTY +Representative E-IDTY +races O +to O +announce O +newly O +leaked O +documents O +from O +the O +DCCC S-IDTY +pertaining O +to O +Democratic O +candidates O +. O + +From O +August S-TIME +to O +October S-TIME +, O +Guccifer S-APT +2.0 O +posted O +several O +additional O +installments O +of O +what O +appear O +to O +be O +internal O +DCCC S-IDTY +documents O +on O +“ O +his O +” O +WordPress O +site O +. O + +In O +February S-TIME +, O +FireEye S-SECTEAM +identified O +CORESHELL S-TOOL +traffic O +beaconing O +from O +TV5Monde S-IDTY +’s O +network O +, O +confirming O +that O +APT28 S-APT +had O +compromised O +TV5Monde S-IDTY +’s O +network O +. O + +In O +April B-TIME +2015 E-TIME +, O +alleged O +pro-ISIS O +hacktivist O +group O +CyberCaliphate S-APT +defaced O +TV5Monde S-IDTY +’s O +websites O +and O +social O +media O +profiles O +and O +forced O +the O +company O +’s O +11 O +broadcast O +channels O +offline O +. O + +FireEye S-SECTEAM +identified O +overlaps O +between O +the O +domain O +registration O +details O +of O +CyberCaliphate S-APT +’s O +website O +and O +APT28 S-APT +infrastructure O +. O + +Ukrainian O +officials O +revealed O +that O +the O +investigation O +into O +the O +compromise O +of O +the O +CEC S-IDTY +’s O +internal O +network O +identified O +malware O +traced O +to O +APT28 S-APT +. 
O + +During O +the O +May B-TIME +2014 E-TIME +Ukrainian O +presidential O +election O +, O +purported O +pro-Russian O +hacktivists O +CyberBerkut S-APT +conducted O +a O +series O +of O +malicious O +activities O +against O +the O +CEC S-IDTY +including O +a O +system O +compromise O +, O +data O +destruction O +, O +a O +data O +leak O +, O +a O +distributed B-ACT +denial-of-service E-ACT +( O +DDoS S-ACT +) O +attack O +, O +and O +an O +attempted O +defacement O +of O +the O +CEC S-IDTY +website O +with O +fake O +election O +results O +. O + +As O +news O +of O +the O +DNC S-IDTY +breach O +spread O +, O +APT28 S-APT +was O +preparing O +for O +another O +set O +of O +operations O +: O +countering O +the O +condemnation O +that O +Russia S-LOC +was O +facing O +after O +doping O +allegations O +and O +a O +threatened O +blanket O +ban O +of O +the O +Russian O +team O +from O +the O +upcoming O +Rio B-IDTY +Games E-IDTY +. O + +Russia S-LOC +, O +like O +many O +nations O +, O +has O +long O +viewed O +success O +in O +the O +Olympic O +Games O +as O +a O +source O +of O +national O +prestige O +and O +soft O +power O +on O +the O +world O +stage O +. O + +The O +doping O +allegations O +and O +prospective O +ban O +from O +the O +Games O +further O +ostracized O +Russia S-LOC +, O +and O +likely O +provided O +motivation O +to O +actively O +counter O +the O +allegations O +by O +attempting O +to O +discredit O +anti-doping O +agencies O +and O +policies O +. O + +Our O +investigation O +of O +APT28 S-APT +’s O +compromise O +of O +WADA S-IDTY +’s O +network O +, O +and O +our O +observations O +of O +the O +surrounding O +events O +reveal O +how O +Russia S-LOC +sought O +to O +counteract O +a O +damaging O +narrative O +and O +delegitimize O +the O +institutions O +leveling O +criticism O +. 
O + +Since O +releasing O +our O +2014 S-TIME +report O +, O +we O +continue O +to O +assess O +that O +APT28 S-APT +is O +sponsored O +by O +the O +Russian O +Government O +. O + +We O +further O +assess O +that O +APT28 S-APT +is O +the O +group O +responsible O +for O +the O +network O +compromises O +of O +WADA S-IDTY +and O +the O +DNC S-IDTY +and O +other O +entities O +related O +to O +the O +2016 S-TIME +U.S. S-LOC +presidential O +election O +cycle O +. O + +These O +breaches O +involved O +the O +theft O +of O +internal O +data O +- O +mostly O +emails S-TOOL +– O +that O +was O +later O +strategically O +leaked O +through O +multiple O +forums O +and O +propagated O +in O +a O +calculated O +manner O +almost O +certainly O +intended O +to O +advance O +particular O +Russian O +Government O +aims O +. O + +In O +a O +report O +released O +on O +January B-TIME +7 I-TIME +2017 E-TIME +, O +the O +U.S. S-LOC +Directorate B-IDTY +of I-IDTY +National I-IDTY +Intelligence E-IDTY +described O +this O +activity O +as O +an O +“ O +influence O +campaign. O +” O +This O +influence O +campaign O +- O +a O +combination O +of O +network O +compromises O +and O +subsequent O +data O +leaks O +- O +aligns O +closely O +with O +the O +Russian O +military O +’s O +publicly O +stated O +intentions O +and O +capabilities O +. O + +Influence O +operations O +, O +also O +frequently O +called O +“ O +information O +operations O +, O +” O +have O +a O +long O +history O +of O +inclusion O +in O +Russian O +strategic O +doctrine O +, O +and O +have O +been O +intentionally O +developed O +, O +deployed O +, O +and O +modernized O +with O +the O +advent O +of O +the O +internet O +. O + +The O +recent O +activity O +in O +the O +U.S. S-LOC +is O +but O +one O +of O +many O +instances O +of O +Russian O +Government O +influence O +operations O +conducted O +in O +support O +of O +strategic O +political O +objectives O +, O +and O +it O +will O +not O +be O +the O +last O +. 
O + +As O +the O +2017 S-TIME +elections O +in O +Europe S-LOC +approach O +- O +most O +notably O +in O +Germany S-LOC +, O +France S-LOC +, O +and O +the O +Netherlands S-LOC +- O +we O +are O +already O +seeing O +the O +makings O +of O +similarly O +concerted O +efforts O +. O + +In O +our O +2014 S-TIME +report O +, O +we O +identified O +APT28 S-APT +as O +a O +suspected O +Russian O +government-sponsored O +espionage O +actor O +. O + +We O +came O +to O +this O +conclusion O +in O +part O +based O +on O +forensic O +details O +left O +in O +the O +malware O +that O +APT28 S-APT +had O +employed O +since O +at O +least O +2007 S-TIME +. O + +We O +have O +provided O +an O +updated O +version O +of O +those O +conclusions O +, O +a O +layout O +of O +the O +tactics O +that O +they O +generally O +employ O +, O +as O +well O +as O +observations O +of O +apparent O +tactical O +shifts O +. O + +For O +full O +details O +, O +please O +reference O +our O +2014 S-TIME +report O +, O +APT28 S-APT +: O +A O +Window S-OS +into O +Russia S-LOC +’s O +Cyber O +Espionage O +Operations O +? O +APT28 S-APT +employs O +a O +suite O +of O +malware O +with O +features O +indicative O +of O +the O +group O +’s O +plans O +for O +continued O +operations O +, O +as O +well O +as O +the O +group O +’s O +access O +to O +resources O +and O +skilled O +developers O +. O + +CHOPSTICK S-MAL +: O + +backdoor O +, O +Xagent S-MAL +, O +webhp S-MAL +, O +SPLM S-MAL +. O + +EVILTOSS S-MAL +: O + +backdoor O +, O +Sedreco S-MAL +, O +AZZY S-MAL +, O +Xagent S-MAL +, O +ADVSTORESHELL S-MAL +, O +NETUI S-MAL +. O + +GAMEFISH S-MAL +: O + +backdoor O +, O +Sednit S-MAL +, O +Seduploader S-MAL +, O +JHUHUGIT S-MAL +, O +Sofacy S-MAL +. O + +SOURFACE S-MAL +: O + +downloader O +, O +Older O +version O +of O +CORESHELL S-MAL +, O +Sofacy S-MAL +. O + +OLDBAIT S-MAL +: O + +credential O +harvester O +, O +Sasfis S-MAL +. 
O + +CORESHELL S-MAL +: O + +downloader O +, O +Newer O +version O +of O +SOURFACE S-MAL +, O +Sofacy S-MAL +. O + +APT28 S-APT +continues O +to O +evolve O +its O +toolkit O +and O +refine O +its O +tactics O +in O +what O +is O +almost O +certainly O +an O +effort O +to O +protect O +its O +operational O +effectiveness O +in O +the O +face O +of O +heightened O +public O +exposure O +and O +scrutiny O +. O + +In O +addition O +to O +the O +continued O +evolution O +of O +the O +group O +’s O +first O +stage O +tools O +, O +we O +have O +also O +noted O +APT28 S-APT +: O +Leveraging O +zero-day S-VULNAME +vulnerabilities O +in O +Adobe S-IDTY +Flash S-TOOL +Player S-TOOL +, O +Java S-TOOL +, O +and O +Windows S-OS +, O +including O +CVE-2015-1701 S-VULID +, O +CVE-2015-2424 S-VULID +, O +CVE-2015-2590 S-VULID +, O +CVE-2015-3043 S-VULID +, O +CVE-2015-5119 S-VULID +, O +and O +CVE-2015-7645 S-VULID +. O + +Using O +a O +profiling O +script O +to O +deploy O +zero-days S-VULNAME +and O +other O +tools O +more O +selectively O +, O +decreasing O +the O +chance O +that O +researchers O +and O +others O +will O +gain O +access O +to O +the O +group O +’s O +tools O +. O + +Increasing O +reliance O +on O +public O +code O +depositories O +, O +such O +as O +Carberp S-MAL +, O +PowerShell S-TOOL +Empire S-TOOL +, O +P.A.S. S-TOOL +webshell O +, O +Metasploit S-TOOL +modules O +, O +and O +others O +in O +a O +likely O +effort O +to O +accelerate O +their O +development O +cycle O +and O +provide O +plausible O +deniability O +. O + +Obtaining O +credentials O +through O +fabricated O +Google S-IDTY +App O +authorization O +and O +Oauth S-PROT +access O +requests O +that O +allow O +the O +group O +to O +bypass O +two-factor O +authentication O +and O +other O +security O +measures O +. 
O + +Moving O +laterally O +through O +a O +network O +relying O +only O +on O +legitimate O +tools O +that O +already O +exist O +within O +the O +victims O +’ O +systems O +, O +at O +times O +forgoing O +their O +traditional O +toolset O +for O +the O +duration O +of O +the O +compromise O +. O + + +Threat B-APT +Group I-APT +4127 E-APT +Targets O +Hillary O +Clinton O +Presidential O +Campaign O +. O + +The O +Hillary O +Clinton O +email S-TOOL +leak O +was O +the O +center O +of O +the O +latest O +scandal O +in O +the O +news O +caused O +by O +Threat B-APT +Group-4127 E-APT +( O +TG-4127 S-APT +) O +. O + +SecureWorks B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit E-SECTEAM +( O +CTU S-SECTEAM +) O +researchers O +track O +the O +activities O +of O +Threat B-SECTEAM +Group-4127 E-SECTEAM +, O +which O +targets O +governments O +, O +military O +, O +and O +international O +non-governmental O +organizations O +( O +NGOs O +) O +. O + +Components O +of O +TG-4127 S-APT +operations O +have O +been O +reported O +under O +the O +names O +APT28 S-APT +, O +Sofacy S-APT +, O +Sednit S-APT +, O +and O +Pawn B-APT +Storm E-APT +. O + +CTU S-SECTEAM +researchers O +assess O +with O +moderate O +confidence O +that O +the O +group O +is O +operating O +from O +the O +Russian O +Federation O +and O +is O +gathering O +intelligence O +on O +behalf O +of O +the O +Russian O +government O +. O + +Between O +October B-TIME +2015 E-TIME +and O +May B-TIME +2016 E-TIME +, O +CTU S-SECTEAM +researchers O +analyzed O +8,909 O +Bitly S-TOOL +links O +that O +targeted O +3,907 O +individual O +Gmail S-TOOL +accounts O +and O +corporate O +and O +organizational O +email S-TOOL +accounts O +that O +use O +Gmail S-TOOL +as O +a O +service O +. O + +In O +March B-TIME +2016 E-TIME +, O +CTU S-SECTEAM +researchers O +identified O +a O +spearphishing S-ACT +campaign O +using O +Bitly S-TOOL +accounts O +to O +shorten O +malicious O +URLs O +. 
O + +The O +targets O +were O +similar O +to O +a O +2015 S-TIME +TG-4127 S-APT +campaign O +— O +individuals O +in O +Russia S-LOC +and O +the O +former O +Soviet O +states O +, O +current O +and O +former O +military O +and O +government O +personnel O +in O +the O +U.S. S-LOC +and O +Europe S-LOC +, O +individuals O +working O +in O +the O +defense O +and O +government O +supply O +chain O +, O +and O +authors O +and O +journalists O +— O +but O +also O +included O +email S-TOOL +accounts O +linked O +to O +the O +November B-TIME +2016 E-TIME +United B-LOC +States E-LOC +presidential O +election O +. O + +Specific O +targets O +include O +staff O +working O +for O +or O +associated O +with O +Hillary O +Clinton's O +presidential O +campaign O +and O +the O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +( O +DNC S-IDTY +) O +, O +including O +individuals O +managing O +Clinton's O +communications O +, O +travel O +, O +campaign O +finances O +, O +and O +advising O +her O +on O +policy O +. O + +The O +short O +links O +in O +the O +spearphishing S-ACT +emails S-TOOL +redirected O +victims O +to O +a O +TG-4127 S-APT +controlled O +URL O +that O +spoofed O +a O +legitimate O +Google S-IDTY +domain O +. O + +A O +Base64 S-ENCR +encoded O +string O +containing O +the O +victim's O +full O +email S-TOOL +address O +is O +passed O +with O +this O +URL O +, O +prepopulating O +a O +fake O +Google S-IDTY +login O +page O +displayed O +to O +the O +victim O +. O + +If O +a O +victim O +enters O +their O +credentials O +, O +TG-4127 S-APT +can O +establish O +a O +session O +with O +Google S-IDTY +and O +access O +the O +victim's O +account O +. O + +The O +threat O +actors O +may O +be O +able O +to O +keep O +this O +session O +alive O +and O +maintain O +persistent O +access O +. 
O + +The O +Hillary O +for O +America S-LOC +presidential O +campaign O +owns O +the O +hillaryclinton.com S-DOM +domain O +, O +which O +is O +used O +for O +the O +campaign O +website O +( O +www.hillaryclinton.com S-DOM +) O +and O +for O +email S-TOOL +addresses O +used O +by O +campaign O +staff O +. O + +An O +examination O +of O +the O +hillaryclinton.com S-DOM +DNS S-PROT +records O +shows O +that O +the O +domain's O +MX S-TOOL +records O +, O +which O +indicate O +the O +mail O +server O +used O +by O +the O +domain O +, O +point O +to O +aspmx.l.google.com S-DOM +, O +the O +mail O +server O +used O +by O +Google S-IDTY +Apps O +. O + +Google S-IDTY +Apps O +allows O +organizations O +to O +use O +Gmail S-TOOL +as O +their O +organizational O +mail O +solution O +. O + +TG-4127 S-APT +exploited O +the O +Hillary O +for O +America S-LOC +campaign's O +use O +of O +Gmail S-TOOL +and O +leveraged O +campaign O +employees' O +expectation O +of O +the O +standard O +Gmail S-TOOL +login O +page O +to O +access O +their O +email S-TOOL +account O +. O + +When O +presented O +with O +TG-4127 S-APT +'s O +spoofed O +login O +page O +, O +victims O +might O +be O +convinced O +it O +was O +the O +legitimate O +login O +page O +for O +their O +hillaryclinton.com S-DOM +email S-TOOL +account O +. O + +CTU S-SECTEAM +researchers O +observed O +the O +first O +short O +links O +targeting O +hillaryclinton.com S-DOM +email S-TOOL +addresses O +being O +created O +in O +mid-March B-TIME +2016 E-TIME +; O +the O +last O +link O +was O +created O +in O +mid-May S-TIME +. O + +During O +this O +period O +, O +TG-4127 S-APT +created O +213 O +short O +links O +targeting O +108 O +email S-TOOL +addresses O +on O +the O +hillaryclinton.com S-DOM +domain O +. O + +Through O +open-source O +research O +, O +CTU S-SECTEAM +researchers O +identified O +the O +owners O +of O +66 O +of O +the O +targeted O +email S-TOOL +addresses O +. 
O + +There O +was O +no O +open-source O +footprint O +for O +the O +remaining O +42 O +addresses O +, O +suggesting O +that O +TG-4127 S-APT +acquired O +them O +from O +another O +source O +, O +possibly O +other O +intelligence O +activity O +. O + +The O +identified O +email S-TOOL +owners O +held O +a O +wide O +range O +of O +responsibilities O +within O +the O +Hillary O +for O +America S-LOC +campaign O +, O +extending O +from O +senior O +figures O +to O +junior O +employees O +and O +the O +group O +mailboxes O +for O +various O +regional O +offices O +. O + +Targeted O +senior O +figures O +managed O +communications O +and O +media O +affairs O +, O +policy O +, O +speech O +writing O +, O +finance O +, O +and O +travel O +, O +while O +junior O +figures O +arranged O +schedules O +and O +travel O +for O +Hillary O +Clinton's O +campaign O +trail O +. O + +Targets O +held O +the O +following O +titles O +: O + +National O +political O +director O +Finance O +director O +Director O +of O +strategic O +communications O +Director O +of O +scheduling O +Director O +of O +travel O +Traveling O +press O +secretary O +Travel O +coordinator O +. O + +Publicly O +available O +Bitly S-TOOL +data O +reveals O +how O +many O +of O +the O +short O +links O +were O +clicked O +, O +likely O +by O +a O +victim O +opening O +a O +spearphishing S-ACT +email S-TOOL +and O +clicking O +the O +link O +to O +the O +fake O +Gmail S-TOOL +login O +page O +. O + +Only O +20 O +of O +the O +213 O +short O +links O +have O +been O +clicked O +as O +of O +this O +publication O +. O + +Eleven O +of O +the O +links O +were O +clicked O +once O +, O +four O +were O +clicked O +twice O +, O +two O +were O +clicked O +three O +times O +, O +and O +two O +were O +clicked O +four O +times O +. O + +The O +U.S. 
S-LOC +Democratic O +party's O +governing O +body O +, O +the O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +( O +DNC S-IDTY +) O +, O +uses O +the O +dnc.org S-DOM +domain O +for O +its O +staff O +email S-TOOL +. O + +Between O +mid-March S-TIME +and O +mid-April B-TIME +2016 E-TIME +, O +TG-4127 S-APT +created O +16 O +short O +links O +targeting O +nine O +dnc.org S-DOM +email S-TOOL +accounts O +. O + +CTU S-SECTEAM +researchers O +identified O +the O +owners O +of O +three O +of O +these O +accounts O +; O +two O +belonged O +to O +the O +DNC S-IDTY +'s O +secretary O +emeritus O +, O +and O +one O +belonged O +to O +the O +communications O +director O +. O + +Four O +of O +the O +16 O +short O +links O +were O +clicked O +, O +three O +by O +the O +senior O +staff O +members O +. O + +As O +of O +this O +publication O +, O +dnc.org S-DOM +does O +not O +use O +the O +Google S-IDTY +Apps O +Gmail O +email S-TOOL +service O +. O + +However O +, O +because O +dnc.org S-DOM +email S-TOOL +accounts O +were O +targeted O +in O +the O +same O +way O +as O +hillaryclinton.com S-DOM +accounts O +, O +it O +is O +likely O +that O +dnc.org S-DOM +did O +use O +Gmail S-TOOL +at O +that O +time O +and O +later O +moved O +to O +a O +different O +service O +. O + +CTU S-SECTEAM +researchers O +do O +not O +have O +evidence O +that O +these O +spearphishing S-ACT +emails S-TOOL +are O +connected O +to O +the O +DNC S-IDTY +network O +compromise O +that O +was O +revealed O +on O +June B-TIME +14 E-TIME +. O + +However O +, O +a O +coincidence O +seems O +unlikely O +, O +and O +CTU S-SECTEAM +researchers O +suspect O +that O +TG-4127 S-APT +used O +the O +spearphishing S-ACT +emails S-TOOL +or O +similar O +techniques O +to O +gain O +an O +initial O +foothold O +in O +the O +DNC S-IDTY +network O +. 
O + +CTU S-SECTEAM +researchers O +identified O +TG-4127 S-APT +targeting O +26 O +personal O +gmail.com O +accounts O +belonging O +to O +individuals O +linked O +to O +the O +Hillary O +for O +America S-LOC +campaign O +, O +the O +DNC S-IDTY +, O +or O +other O +aspects O +of O +U.S. S-LOC +national O +politics O +. O + +Five O +of O +the O +individuals O +also O +had O +a O +hillaryclinton.com S-DOM +email S-TOOL +account O +that O +was O +targeted O +by O +TG-4127 S-APT +. O + +Many O +of O +these O +individuals O +held O +communications O +, O +media O +, O +finance O +, O +or O +policy O +roles O +. O + +They O +include O +the O +director O +of O +speechwriting O +for O +Hillary O +for O +America S-LOC +and O +the O +deputy O +director O +office O +of O +the O +chair O +at O +the O +DNC S-IDTY +. O + +TG-4127 S-APT +created O +150 O +short O +links O +targeting O +this O +group O +. O + +As O +of O +this O +publication O +, O +40 O +of O +the O +links O +have O +been O +clicked O +at O +least O +once O +. O + +Although O +the O +2015 S-TIME +campaign O +did O +not O +focus O +on O +individuals O +associated O +with O +U.S. S-LOC +politics O +, O +open-source O +evidence O +suggests O +that O +TG-4127 S-APT +targeted O +individuals O +connected O +to O +the O +U.S. S-LOC +White O +House O +in O +early O +2015 S-TIME +. O + +The O +threat O +group O +also O +reportedly O +targeted O +the O +German O +parliament O +and O +German O +Chancellor O +Angela O +Merkel's O +Christian O +Democratic O +Union O +party O +. O + +CTU S-SECTEAM +researchers O +have O +not O +observed O +TG-4127 S-APT +use O +this O +technique O +( O +using O +Bitly S-TOOL +short O +links O +) O +to O +target O +the O +U.S. S-LOC +Republican O +party O +or O +the O +other O +U.S. 
S-LOC +presidential O +candidates O +whose O +campaigns O +were O +active O +between O +mid-March S-TIME +and O +mid-May S-TIME +: O +Donald O +Trump O +, O +Bernie O +Sanders O +, O +Ted O +Cruz O +, O +Marco O +Rubio O +, O +and O +John O +Kasich O +. O + +However O +, O +the O +following O +email S-TOOL +domains O +do O +not O +use O +Google S-IDTY +mail O +servers O +and O +may O +have O +been O +targeted O +by O +other O +means O +: O + +gop.com S-DOM +— O +used O +by O +the O +Republican B-IDTY +National I-IDTY +Committee E-IDTY +, O +donaldjtrump.com S-DOM +— O +used O +by O +the O +Donald O +Trump O +campaign O +, O +johnkasich.com S-DOM +— O +used O +by O +the O +John O +Kasich O +campaign O +. O + +Access O +to O +targets' O +Google S-IDTY +accounts O +allows O +TG-4127 S-APT +to O +review O +internal O +emails S-TOOL +and O +potentially O +access O +other O +Google S-IDTY +Apps O +services O +used O +by O +these O +organizations O +, O +such O +as O +Google S-IDTY +Drive S-TOOL +. O + +In O +addition O +to O +the O +value O +of O +the O +intelligence O +, O +the O +threat O +actors O +could O +also O +exploit O +this O +access O +for O +other O +malicious O +activity O +, O +such O +as O +generating O +spearphishing S-ACT +emails S-TOOL +from O +internal O +email S-TOOL +addresses O +to O +compromise O +the O +organizations' O +networks O +with O +malware O +. O + +The O +Russian O +government O +views O +the O +U.S. S-LOC +as O +a O +strategic O +rival O +and O +is O +known O +to O +task O +its O +intelligence O +agencies O +with O +gathering O +confidential O +information O +about O +individuals O +and O +organizations O +close O +to O +the O +center O +of O +power O +in O +the O +U.S. 
S-LOC +Individuals O +working O +for O +the O +Hillary O +for O +America S-LOC +campaign O +could O +have O +information O +about O +proposed O +policies O +for O +a O +Clinton O +presidency O +, O +including O +foreign-policy O +positions O +, O +which O +would O +be O +valuable O +to O +the O +Russian O +government O +. O + +Information O +about O +travel O +plans O +and O +campaign O +scheduling O +could O +provide O +short-term O +opportunities O +for O +other O +intelligence O +operations O +. O + +Long-term O +access O +to O +email S-TOOL +accounts O +of O +senior O +campaign O +advisors O +, O +who O +may O +be O +appointed O +to O +staff O +positions O +in O +a O +Clinton O +administration O +, O +could O +provide O +TG-4127 S-APT +and O +the O +Russian O +government O +with O +access O +to O +those O +individual's O +accounts O +. O + +While O +TG-4127 S-APT +continues O +to O +primarily O +threaten O +organizations O +and O +individuals O +operating O +in O +Russia O +and O +former O +Soviet O +states O +, O +this O +campaign O +illustrates O +its O +willingness O +to O +expand O +its O +scope O +to O +other O +targets O +that O +have O +intelligence O +of O +interest O +to O +the O +Russian O +government O +. O + +Non-governmental O +political O +organizations O +may O +provide O +access O +to O +desirable O +national O +policy O +information O +, O +especially O +foreign O +policy O +, O +but O +may O +not O +have O +the O +same O +level O +of O +protection O +and O +security O +as O +governmental O +organizations O +. O + +Targeting O +individuals O +linked O +to O +presidential O +campaigns O +could O +represent O +an O +intelligence O +‘ O +long O +game O +,' O +as O +establishing O +access O +to O +potential O +U.S. S-LOC +administration O +staff O +before O +they O +are O +appointed O +could O +be O +easier O +than O +targeting O +them O +when O +they O +are O +established O +in O +the O +White B-IDTY +House E-IDTY +. 
O + +Access O +to O +an O +individual's O +personal O +or O +corporate O +email S-TOOL +account O +provides O +a O +substantial O +amount O +of O +useful O +intelligence O +, O +and O +threat O +actors O +could O +also O +leverage O +the O +access O +to O +launch O +additional O +attacks O +to O +penetrate O +the O +network O +of O +an O +associated O +organization O +. O + +Users O +rarely O +check O +the O +full O +URL O +associated O +with O +short O +links O +, O +so O +threat O +groups O +can O +use O +URL-shortening O +services O +to O +effectively O +hide O +malicious O +URLs O +. O + +Threat O +actors O +can O +use O +the O +services' O +detailed O +statistics O +about O +which O +links O +were O +clicked O +when O +, O +and O +from O +what O +location O +, O +to O +track O +the O +success O +of O +a O +spearphishing S-ACT +campaign O +. O + +A O +single O +compromised O +account O +could O +allow O +TG-4127 S-APT +to O +achieve O +its O +operational O +goals O +. O + +CTU S-SECTEAM +researchers O +recommend O +that O +clients O +take O +appropriate O +precautions O +to O +minimize O +the O +risk O +of O +these O +types O +of O +attacks O +: O + +Educate O +users O +about O +the O +risks O +of O +spearphishing S-ACT +emails S-TOOL +. O + +Use O +caution O +and O +exercise O +due O +diligence O +when O +faced O +with O +a O +shortened O +link O +, O +especially O +in O +unsolicited O +email S-TOOL +messages O +. O + +Pasting O +Bitly S-TOOL +URLs O +, O +appended O +with O +a O +plus O +sign O +, O +into O +the O +address O +bar O +of O +a O +web O +browser O +reveals O +the O +full O +URL O +. O + + +Sofacy S-APT +APT O +hits O +high O +profile O +targets O +with O +updated O +toolset O +. 
O + +Sofacy S-APT +( O +also O +known O +as O +“ O +Fancy B-APT +Bear E-APT +” O +, O +“ O +Sednit S-APT +” O +, O +“ O +STRONTIUM S-APT +” O +and O +“ O +APT28 S-APT +” O +) O +is O +an O +advanced O +threat O +group O +that O +has O +been O +active O +since O +around O +2008 S-TIME +, O +targeting O +mostly O +military O +and O +government O +entities O +worldwide O +, O +with O +a O +focus O +on O +NATO S-IDTY +countries O +. O + +More O +recently O +, O +we O +have O +also O +seen O +an O +increase O +in O +activity O +targeting O +Ukraine S-LOC +. O + +Back O +in O +2011-2012 S-TIME +, O +the O +group O +used O +a O +relatively O +tiny O +implant O +( O +known O +as O +“ O +Sofacy S-APT +” O +or O +SOURFACE S-MAL +) O +as O +its O +first O +stage O +malware O +. O + +The O +implant O +shared O +certain O +similarities O +with O +the O +old O +Miniduke S-APT +implants O +. O + +This O +led O +us O +to O +believe O +the O +two O +groups O +were O +connected O +, O +at O +least O +to O +begin O +with O +, O +although O +it O +appears O +they O +parted O +ways O +in O +2014 S-TIME +, O +with O +the O +original O +Miniduke S-APT +group O +switching O +to O +the O +CosmicDuke S-MAL +implant O +. O + +At O +some O +point O +during O +2013 S-TIME +, O +the O +Sofacy S-APT +group O +expanded O +its O +arsenal O +and O +added O +more O +backdoors O +and O +tools O +, O +including O +CORESHELL S-TOOL +, O +SPLM S-MAL +( O +aka O +Xagent S-MAL +, O +aka O +CHOPSTICK S-MAL +) O +, O +JHUHUGIT S-MAL +( O +which O +is O +built O +with O +code O +from O +the O +Carberp S-MAL +sources O +) O +, O +AZZY S-MAL +( O +aka O +ADVSTORESHELL S-MAL +, O +NETUI S-MAL +, O +EVILTOSS S-MAL +, O +and O +spans O +across O +four O +to O +five O +generations O +) O +and O +a O +few O +others O +. O + +We O +’ve O +seen O +quite O +a O +few O +versions O +of O +these O +implants O +and O +they O +were O +relatively O +widespread O +for O +a O +time O +. 
O + +Sofacy S-APT +’s O +August B-TIME +2015 E-TIME +attack O +wave O +. O + +In O +the O +months O +leading O +up O +to O +August S-TIME +, O +the O +Sofacy S-APT +group O +launched O +several O +waves O +of O +attacks O +relying O +on O +zero-day S-VULNAME +exploits O +in O +Microsoft S-IDTY +Office S-TOOL +, O +Oracle S-TOOL +Sun O +Java S-TOOL +, O +Adobe S-TOOL +Flash S-TOOL +Player S-TOOL +and O +Windows S-OS +itself O +. O + +For O +instance O +, O +its O +JHUHUGIT S-MAL +implant O +was O +delivered O +through O +a O +Flash S-TOOL +zero-day S-VULNAME +and O +used O +a O +Windows S-OS +EoP S-TOOL +exploit O +to O +break O +out O +of O +the O +sandbox O +. O + +The O +JHUHUGIT S-MAL +implant O +became O +a O +relatively O +popular O +first O +stage O +for O +the O +Sofacy S-APT +attacks O +and O +was O +used O +again O +with O +a O +Java S-TOOL +zero-day S-VULNAME +( O +CVE-2015-2590 S-VULID +) O +in O +July B-TIME +2015 E-TIME +. O + +While O +the O +JHUHUGIT S-MAL +( O +and O +more O +recently O +, O +“ O +JKEYSKW S-MAL +” O +) O +implant O +used O +in O +most O +of O +the O +Sofacy S-APT +attacks O +, O +high O +profile O +victims O +are O +being O +targeted O +with O +another O +first O +level O +implant O +, O +representing O +the O +latest O +evolution O +of O +their O +AZZYTrojan S-MAL +. O + +The O +first O +versions O +of O +the O +new O +AZZY S-MAL +implant O +appeared O +in O +August S-TIME +of O +this O +year O +. O + +During O +a O +high O +profile O +incident O +we O +investigated O +, O +our O +products O +successfully O +detected O +and O +blocked O +a O +“ O +standard O +” O +Sofacy S-APT +“ O +AZZY S-MAL +” O +sample O +that O +was O +used O +to O +target O +a O +range O +of O +defense O +contractors O +. 
O + +The O +sample O +used O +in O +this O +attack O +( O +MD5 S-ENCR +A96F4B8AC7AA9DBF4624424B7602D4F7 S-MD5 +, O +compiled O +July B-TIME +29th I-TIME +, I-TIME +2015 E-TIME +) O +was O +a O +pretty O +standard O +Sofacy S-APT +x64 O +AZZY S-MAL +implant O +, O +which O +has O +the O +internal O +name O +“ O +advshellstore.dll S-FILE +” O +. O + +Interestingly O +, O +the O +fact O +that O +the O +attack O +was O +blocked O +didn’t O +appear O +to O +stop O +the O +Sofacy S-APT +team O +. O + +Just O +an O +hour O +and O +a O +half O +later O +they O +had O +compiled O +and O +delivered O +another O +AZZY S-MAL +x64 O +backdoor O +( O +md5: O +9D2F9E19DB8C20DC0D20D50869C7A373 S-MD5 +, O +compiled O +August B-TIME +4th I-TIME +, I-TIME +2015 E-TIME +) O +. O + +This O +was O +no O +longer O +detectable O +with O +static O +signatures O +by O +our O +product O +. O + +However O +, O +it O +was O +detected O +dynamically O +by O +the O +host O +intrusion O +prevention O +subsystem O +when O +it O +appeared O +in O +the O +system O +and O +was O +executed O +. O + +This O +recurring O +, O +blindingly-fast O +Sofacy S-APT +attack O +attracted O +our O +attention O +as O +neither O +sample O +was O +delivered O +through O +a O +zero-day S-VULNAME +vulnerability O +— O +instead O +, O +they O +appeared O +to O +be O +downloaded O +and O +installed O +by O +another O +malware O +. O + +This O +separate O +malware O +was O +installed O +by O +an O +unknown O +attack O +as O +“ O +AppData\Local\Microsoft\Windows\msdeltemp.dll S-FILE +” O +( O +md5: O +CE8B99DF8642C065B6AF43FDE1F786A3 S-MD5 +) O +. O + +The O +top O +level O +malware O +, O +CE8B99DF8642C065B6AF43FDE1F786A3 S-MD5 +( O +named O +by O +its O +authors O +“ O +msdeltemp.dll S-FILE +” O +according O +to O +internal O +strings O +, O +and O +compiled O +July B-TIME +28th I-TIME +, I-TIME +2015 E-TIME +) O +is O +a O +rare O +type O +of O +the O +Sofacy S-APT +AZZY S-MAL +implant O +. 
O + +It O +has O +been O +modified O +to O +drop O +a O +separate O +C&C S-TOOL +helper O +, O +( O +md5: O +8C4D896957C36EC4ABEB07B2802268B9 S-MD5 +) O +as O +“ O +tf394kv.dll S-FILE +“ O +. O + +The O +dropped O +“ O +tf394kv.dll S-FILE +” O +file O +is O +an O +external O +C&C S-TOOL +communications O +library O +, O +compiled O +on O +July B-TIME +24th I-TIME +, I-TIME +2015 E-TIME +and O +used O +by O +the O +main O +backdoor O +for O +all O +Internet-based O +communications O +. O + +This O +code O +modification O +marks O +an O +unusual O +departure O +from O +the O +typical O +AZZY B-MAL +backdoors E-MAL +, O +with O +its O +C&C S-TOOL +communication O +functions O +moved O +to O +an O +external O +DLL S-TOOL +file O +. O + +In O +the O +past O +, O +the O +Sofacy S-APT +developers O +modified O +earlier O +AZZY B-MAL +backdoors E-MAL +to O +use O +a O +C&C S-TOOL +server O +encoded O +in O +the O +registry O +, O +instead O +of O +storing O +it O +in O +the O +malware O +itself O +, O +so O +this O +code O +modularisation O +follows O +the O +same O +line O +of O +thinking O +. O + +In O +addition O +to O +the O +new O +AZZY B-MAL +backdoors E-MAL +with O +side-DLL S-TOOL +for O +C&C S-TOOL +, O +we O +observed O +a O +new O +set O +of O +data-theft O +modules O +deployed O +against O +victims O +by O +the O +Sofacy S-APT +group O +. O + +Among O +the O +most O +popular O +modern O +defense O +mechanisms O +against O +APTs O +are O +air-gaps O +— O +isolated O +network O +segments O +without O +Internet O +access O +, O +where O +sensitive O +data O +is O +stored O +. O + +In O +the O +past O +, O +we O +’ve O +seen O +groups O +such O +as O +Equation S-APT +and O +Flame S-APT +use O +malware O +to O +steal O +data O +from O +air-gapped O +networks O +. O + +The O +Sofacy S-APT +group O +uses O +such O +tools O +as O +well O +. 
O + +The O +first O +versions O +of O +these O +new O +USB B-TOOL +stealer E-TOOL +modules O +appeared O +around O +February B-TIME +2015 E-TIME +and O +the O +latest O +appear O +to O +have O +been O +compiled O +in O +May B-TIME +2015 E-TIME +. O + +Older O +versions O +of O +these O +USBSTEALER S-TOOL +modules O +were O +previously O +described O +by O +our O +colleagues O +from O +ESET S-SECTEAM +. O + +One O +example O +of O +the O +new O +Sofacy S-APT +USBSTEALER S-TOOL +modules O +is O +8b238931a7f64fddcad3057a96855f6c S-MD5 +, O +which O +is O +named O +internally O +as O +msdetltemp.dll S-FILE +. O + +This O +data O +theft O +module O +appears O +to O +have O +been O +compiled O +in O +May B-TIME +2015 E-TIME +and O +is O +designed O +to O +watch O +removable O +drives O +and O +collect O +files O +from O +them O +, O +depending O +on O +a O +set O +of O +rules O +defined O +by O +the O +attackers O +. O + +The O +stolen O +data O +is O +copied O +into O +a O +hidden O +directory O +as O +“ O +%MYPICTURES%\%volume O +serial O +number% O +“ O +, O +from O +where O +it O +can O +be O +exfiltrated O +by O +the O +attackers O +using O +one O +of O +the O +AZZY S-MAL +implants O +. O + +More O +details O +on O +the O +new O +USB S-TOOL +stealers O +are O +available O +in O +the O +section O +on O +technical O +analysis O +. O + +Over O +the O +last O +year O +, O +the O +Sofacy S-APT +group O +has O +increased O +its O +activity O +almost O +tenfold O +when O +compared O +to O +previous O +years O +, O +becoming O +one O +of O +the O +most O +prolific O +, O +agile O +and O +dynamic O +threat O +actors O +in O +the O +arena O +. O + +This O +activity O +spiked O +in O +July B-TIME +2015 E-TIME +, O +when O +the O +group O +dropped O +two O +completely O +new O +exploits O +, O +an O +Office S-TOOL +and O +Java S-TOOL +zero-day S-VULNAME +. 
O + +At O +the O +beginning O +of O +August S-TIME +, O +Sofacy S-APT +began O +a O +new O +wave O +of O +attacks O +, O +focusing O +on O +defense-related O +targets O +. O + +As O +of O +November B-TIME +2015 E-TIME +, O +this O +wave O +of O +attacks O +is O +ongoing O +. O + +The O +attackers O +deploy O +a O +rare O +modification O +of O +the O +AZZY B-MAL +backdoor E-MAL +, O +which O +is O +used O +for O +the O +initial O +reconnaissance O +. O + +Once O +a O +foothold O +is O +established O +, O +they O +try O +to O +upload O +more O +backdoors O +, O +USB S-TOOL +stealers O +as O +well O +as O +other O +hacking O +tools O +such O +as O +“ O +Mimikatz S-TOOL +” O +for O +lateral O +movement O +. O + +Two O +recurring O +characteristics O +of O +the O +Sofacy S-APT +group O +that O +we O +keep O +seeing O +in O +its O +attacks O +are O +speed O +and O +the O +use O +of O +multi-backdoor O +packages O +for O +extreme O +resilience O +. O + +In O +the O +past O +, O +the O +group O +used O +droppers O +that O +installed O +both O +the O +SPLM S-MAL +and O +AZZY B-MAL +backdoors E-MAL +on O +the O +same O +machine O +. O + +If O +one O +of O +them O +was O +detected O +, O +the O +other O +one O +provided O +the O +attacker O +with O +continued O +access O +. O + +Internal O +name O +: O +DWN_DLL_MAIN.dll S-FILE +File O +format O +: O +PE32 O +DLL S-TOOL +MD5: O +ce8b99df8642c065b6af43fde1f786a3 S-MD5 +Linker O +version O +: O +11.0 O +, O +Microsoft S-IDTY +Visual B-TOOL +Studio E-TOOL +Linker O +timestamp O +: O +2015.07.28 B-TIME +13:05:20 E-TIME +( O +GMT S-TOOL +) O +. O + +The O +library O +starts O +its O +main O +worker O +thread O +from O +the O +DllMain O +function O +. O + +Most O +of O +the O +strings O +inside O +the O +module O +are O +encrypted O +with O +a O +homebrew O +XOR-based S-ENCR +algorithm O +. 
O + +In O +addition O +to O +that O +, O +API O +function O +names O +are O +reversed O +, O +presumably O +to O +avoid O +detection O +in O +memory O +. O + +Once O +started O +, O +the O +code O +in O +the O +main O +thread O +resolves O +the O +basic O +API O +functions O +it O +needs O +and O +loads O +an O +additional O +library O +from O +the O +following O +location O +: O +“ O +%TEMP%\tf394kv.dll S-FILE +” O +. O + +If O +this O +file O +is O +not O +present O +, O +it O +is O +recreated O +from O +a O +hardcoded O +encrypted O +array O +inside O +the O +body O +of O +the O +DLL S-TOOL +. O + +Next O +, O +the O +module O +enters O +an O +infinite O +loop O +. O + +Every O +five O +minutes O +it O +collects O +basic O +system O +information O +and O +sends O +it O +to O +the O +C2 S-TOOL +server O +. O + +The O +main O +thread O +also O +spawns O +a O +separate O +thread O +for O +receiving O +new O +commands O +from O +the O +C2 S-TOOL +servers O +. O + +Every O +10 B-TIME +minutes E-TIME +, O +it O +sends O +a O +new O +request O +to O +the O +server O +. O + +The O +server O +is O +expected O +to O +send O +back O +executable O +code O +and O +one O +of O +the O +following O +commands O +: O + +Write O +a O +new O +file O +“ O +%LOCAL_APPDATA%\dllhost.exe S-FILE +” O +or O +“ O +%TEMP%\dllhost.exe S-FILE +” O +and O +execute O +it O +, O +then O +delete O +the O +file O +, O +Write O +a O +new O +file O +“ O +%LOCAL_APPDATA%\sechost.dll S-FILE +” O +or O +“ O +%TEMP%\sechost.dll S-FILE +” O +and O +call O +its O +first O +exported O +function O +using O +“ O +rundll32.exe S-FILE +” O +or O +Windows S-OS +API O +, O +then O +delete O +the O +file O +, O +Run O +shellcode O +provided O +by O +the O +server O +in O +a O +new O +thread O +While O +processing O +the O +commands O +, O +the O +backdoor O +logs O +all O +errors O +and O +execution O +results O +. 
O + +The O +module O +also O +reads O +the O +contents O +of O +the O +file O +“ O +%APPDATA%\chkdbg.log S-FILE +” O +and O +appends O +it O +to O +the O +results O +. O + +It O +then O +sends O +the O +aggregated O +log O +back O +to O +the O +C2 S-TOOL +server O +. O + +The O +module O +aborts O +the O +thread O +receiving O +C2 S-TOOL +command O +after O +it O +fails O +to O +correctly O +execute O +commands O +more O +than O +six O +times O +in O +a O +row O +, O +i.e. O +if O +file O +or O +process O +creation O +fails O +. O + +The O +export O +called O +“ O +k O +” O +is O +a O +wrapper O +for O +the O +“ O +LoadLibraryA O +” O +API O +function O +. O + +The O +export O +called O +“ O +SendDataToServer_2 O +” O +does O +exactly O +what O +the O +name O +means O +: O +it O +encrypts O +all O +collected O +data O +, O +encodes O +it O +using O +Base64 S-ENCR +encoding O +and O +calls O +its O +additional O +library O +to O +send O +the O +data O +to O +the O +C2 S-TOOL +server O +. O + +The O +names O +of O +the O +C2 S-TOOL +servers O +are O +hardcoded O +. O + +The O +two O +C&C S-TOOL +’s O +hardcoded O +in O +the O +configuration O +block O +of O +the O +main O +binary O +are O +: O + +intelnetservice.com S-DOM +intelsupport.net S-DOM +The O +export O +called O +“ O +Applicate O +” O +runs O +a O +standard O +Windows S-OS +application O +message O +loop O +until O +a O +“ O +WM_ENDSESSION O +” O +message O +is O +received O +. O + +It O +then O +terminates O +the O +main O +thread O +. 
O + +Internal O +name O +: O +snd.dll S-FILE +File O +format O +: O +PE32 O +DLL S-TOOL +MD5: O +8c4d896957c36ec4abeb07b2802268b9 S-MD5 +Linker O +version O +: O +11.0 O +, O +Microsoft S-IDTY +Visual B-TOOL +Studio E-TOOL +Linker O +timestamp O +: O +2015.07.24 B-TIME +12:07:27 E-TIME +( O +GMT S-TOOL +) O +Exported O +functions O +: O + +10001580: O +Init O +10001620: O +InternetExchange O +10001650: O +SendData O +This O +external O +library O +implements O +a O +simple O +Wininet-based O +transport O +for O +the O +main O +module O +. O + +The O +strings O +inside O +the O +binary O +are O +encrypted O +using O +3DES S-ENCR +and O +XOR S-ENCR +and O +reversed O +. O + +The O +DllMain O +function O +initializes O +the O +library O +and O +resolves O +all O +required O +Windows S-OS +API O +functions O +. O + +The O +“ O +Init O +” O +export O +establishes O +connection O +to O +port O +80 O +of O +a O +C2 S-TOOL +server O +using O +Wininet S-TOOL +API O +. O + +The O +user O +agent O +string O +employed O +is O +“ O +MSIE S-TOOL +8.0 O +” O +. O + +The O +“ O +SendData O +” O +export O +sends O +a O +HTTP S-PROT +POST O +request O +using O +a O +hardcoded O +URI O +“ O +/store/ O +“ O +. O + +The O +reply O +, O +if O +its O +length O +is O +not O +equal O +to O +six O +and O +its O +contents O +do O +not O +contain O +“ O +OK O +” O +is O +returned O +back O +to O +the O +caller O +. O + +The O +“ O +InternetExchange O +” O +export O +closes O +the O +established O +connection O +and O +frees O +associated O +handles O +. 
O + +Sofacy S-APT +AZZY S-MAL +4.3 O +dropper O +analysis O +File O +format O +: O +PE32 O +EXE S-TOOL +File O +size O +: O +142,336 O +bytes O +MD5: O +c3ae4a37094ecfe95c2badecf40bf5bb S-MD5 +Linker O +version O +: O +11.0 O +, O +Microsoft S-IDTY +Visual B-TOOL +Studio E-TOOL +Linker O +timestamp O +: O +2015.02.10 B-TIME +10:01:59 E-TIME +( O +GMT S-TOOL +) O +Most O +of O +the O +strings O +and O +data O +in O +the O +file O +are O +encrypted O +using O +3DES S-ENCR +and O +XOR S-ENCR +. O + +The O +code O +makes O +use O +of O +the O +Windows S-OS +Crypto S-TOOL +API O +for O +3DES S-ENCR +and O +the O +decryption O +key O +is O +stored O +as O +a O +standard O +Windows S-OS +PUBLICKEYSTRUC S-TOOL +structure O +. O + +First O +, O +it O +creates O +a O +new O +directory O +: O +“ O +%LOCAL_APPDATA%\Microsoft\Windows S-OS +” O +. O + +If O +the O +directory O +creation O +fails O +it O +tries O +to O +install O +into O +“ O +%TEMP% O +” O +directory O +instead O +. O + +Next O +it O +writes O +a O +hardcoded O +binary O +from O +its O +body O +to O +“ O +msdeltemp.dll S-FILE +” O +into O +the O +target O +directory O +. O + +If O +the O +file O +exists O +it O +then O +moves O +it O +to O +“ O +__tmpdt.tmp S-FILE +” O +in O +the O +same O +directory O +and O +continues O +the O +installation O +. O + +Sets O +file O +creation O +timestamp O +to O +that O +of O +“ O +%SYSTEM%\sfc.dll S-FILE +” O +. O + +Finally O +, O +the O +program O +removes O +itself O +by O +starting O +the O +following O +command O +: O +“ O +cmd S-TOOL +/c O +DEL O +%path O +to O +self% O +“ O +The O +MD5 S-ENCR +of O +the O +dropped O +file O +is O +f6f88caf49a3e32174387cacfa144a89 S-MD5 +. 
O + +Dropper O +payload O +– O +downloader O +DLL S-TOOL +Internal O +name O +: O +msdetltemp.dll S-FILE +File O +format O +: O +PE32 O +DLL S-TOOL +File O +size O +: O +73 O +728 O +bytes O +MD5: O +f6f88caf49a3e32174387cacfa144a89 S-MD5 +Linker O +version O +: O +11.0 O +, O +Microsoft S-IDTY +Visual B-TOOL +Studio E-TOOL +Linker O +timestamp O +: O +2015.02.10 B-TIME +07:20:02 E-TIME +( O +GMT S-TOOL +) O +Exported O +functions O +: O + +10002B55: O +Applicate O +Most O +of O +the O +strings O +inside O +the O +binary O +are O +encrypted O +using O +a O +homebrew O +XOR-based S-ENCR +algorithm O +and O +reversed O +. O + +The O +library O +is O +an O +older O +version O +of O +the O +“ O +DWN_DLL_MAIN.dll S-FILE +” O +( O +md5: O +ce8b99df8642c065b6af43fde1f786a3 S-MD5 +) O +. O + +The O +DllMain O +function O +is O +identical O +and O +starts O +the O +main O +thread O +; O +the O +“ O +Applicate O +” O +function O +is O +identical O +to O +the O +one O +in O +the O +newer O +library O +. O + +This O +version O +of O +the O +module O +does O +not O +rely O +on O +an O +external O +transport O +DLL S-TOOL +for O +communicating O +with O +its O +C2 S-TOOL +servers O +; O +instead O +it O +directly O +uses O +Wininet S-TOOL +API O +functions O +. O + +The O +module O +contains O +the O +following O +hardcoded O +C2 S-TOOL +server O +names O +: O + +drivres-update.info S-DOM +softupdates.info S-DOM +The O +module O +uses O +a O +hardcoded O +URL O +( O +“ O +/check/ O +“ O +) O +for O +sending O +HTTP S-PROT +POST O +requests O +to O +its O +C2 S-TOOL +servers O +. O + + +Sofacy S-APT +APT O +hits O +high O +profile O +targets O +with O +updated O +toolset O +. 
O + +File O +collection O +module O +( O +“ O +USB B-TOOL +Stealer E-TOOL +” O +) O +Internal O +name O +: O +msdetltemp.dll S-FILE +( O +from O +resources O +) O +File O +size O +: O +50,176 O +bytes O +File O +format O +: O +PE32 O +EXE S-TOOL +MD5: O +0369620eb139c3875a62e36bb7abdae8 S-MD5 +Linker O +version O +: O +10.0 O +, O +Microsoft S-IDTY +Visual B-TOOL +Studio E-TOOL +Linker O +timestamp O +: O +2015.02.09 B-TIME +11:48:01 E-TIME +( O +GMT S-TOOL +) O +Most O +of O +the O +strings O +inside O +the O +binary O +are O +encrypted O +using O +3DES S-ENCR +and O +XOR S-ENCR +and O +reversed O +. O + +The O +program O +creates O +the O +mutex O +“ O +mtx O +” O +and O +an O +event O +named O +“ O +WerTyQ34C O +” O +. O + +Upon O +start O +, O +it O +creates O +a O +window O +with O +the O +class O +name O +“ O +Hello O +” O +and O +title O +“ O +Program O +” O +, O +subscribes O +for O +device O +arrival O +notifications O +for O +that O +window O +and O +enters O +a O +standard O +Windows S-OS +message O +processing O +loop O +. O + +The O +message O +processing O +function O +waits O +for O +the O +WM_DEVICECHANGE O +event O +and O +starts O +a O +new O +thread O +on O +its O +arrival O +. O + +The O +module O +inspects O +every O +new O +disk O +volume O +attached O +to O +the O +system O +. O + +For O +every O +disk O +it O +creates O +a O +“ O +stash O +” O +directory O +in O +“ O +%root O +stash O +directory O +location%\%volume O +serial O +number O +in O +hex% O +” O +with O +attributes O +FILE_ATTRIBUTE_HIDDEN O +and O +FILE_ATTRIBUTE_SYSTEM O +. O + +The O +root O +stash O +directory O +location O +may O +be O +read O +from O +the O +configuration O +file O +or O +set O +to O +the O +default O +location O +which O +is O +“ O +%MYPICTURES% O +” O +. O + +Then O +, O +it O +traverses O +the O +filesystem O +of O +the O +volume O +looking O +for O +files O +. 
O + +Depending O +on O +the O +settings O +read O +from O +the O +configuration O +file O +, O +the O +scope O +may O +be O +narrowed O +to O +files O +with O +particular O +extensions O +and/or O +files O +created O +after O +a O +specified O +date O +. O + +It O +is O +worth O +noting O +that O +if O +the O +source O +file O +location O +contains O +the O +string O +“ O +System O +Volume O +Information\S-1-5-21-1315235578-283289242\ O +” O +, O +then O +the O +file O +is O +deleted O +after O +copying O +to O +the O +“ O +stash O +” O +directory O +. O + +There O +are O +known O +related O +samples O +that O +are O +able O +to O +create O +such O +directories O +on O +removable O +drives O +, O +i.e O +. O +the O +sample O +with O +md5: O +8cb08140ddb00ac373d29d37657a03cc S-MD5 +. O + +The O +configuration O +file O +is O +loaded O +from O +the O +same O +directory O +as O +the O +module O +and O +is O +expected O +to O +have O +a O +name O +“ O +NvCpld.dat S-FILE +“ O +. O + +It O +is O +a O +text O +file O +that O +may O +contain O +the O +following O +configuration O +parameters O +: O + +Path O +– O +location O +of O +the O +root O +“ O +stash O +” O +directory O +Ext O +– O +search O +for O +files O +with O +one O +of O +these O +extensions O +only O +Date O +– O +search O +for O +files O +not O +earlier O +than O +this O +date O +Internal O +name O +: O +NvCpld.dll S-FILE +( O +from O +export O +table O +) O +, O +msdetltemp.dll S-FILE +( O +from O +resources O +) O +, O +IGFSRVC.dll S-FILE +( O +from O +resources O +) O +File O +format O +: O +PE32 O +DLL S-TOOL +File O +size O +: O +76,288 O +bytes O +MD5s O +: O +8b238931a7f64fddcad3057a96855f6c S-MD5 +, O +ce151285e8f0e7b2b90162ba171a4b90 S-MD5 +Linker O +version O +: O +11.0 O +, O +Microsoft S-IDTY +Visual B-TOOL +Studio E-TOOL +Linker O +timestamps O +: O +2015.05.29 B-TIME +11:20:32 E-TIME +( O +GMT S-TOOL +) O +, O +2006.11.25 B-TIME +04:39:15 E-TIME +( O +GMT S-TOOL +) O +Exported O +functions O 
+: O + +10002500: O +NvMswt O +10002860: O +NvReg O +10002880: O +NvStart O +10002A80: O +NvStop O +This O +library O +is O +a O +newer O +version O +of O +the O +file O +collection O +module O +( O +md5: O +0369620eb139c3875a62e36bb7abdae8 S-MD5 +) O +wrapped O +in O +a O +DLL S-TOOL +file O +. O + +There O +are O +two O +known O +variants O +of O +this O +module O +; O +they O +only O +differ O +in O +timestamp O +values O +and O +version O +information O +in O +the O +resource O +section O +. O + +The O +DllMain O +function O +only O +decrypts O +the O +data O +structures O +and O +initializes O +Windows S-OS +API O +pointers O +. O + +The O +function O +“ O +NvMswt O +” O +is O +a O +wrapper O +for O +the O +API O +function O +MsgWaitForMultipleObjects O +. O + +The O +function O +“ O +NvReg O +” O +is O +a O +wrapper O +for O +the O +API O +function O +RegisterClassW O +. O + +The O +function O +“ O +NvStart O +” O +is O +similar O +to O +the O +main O +function O +of O +the O +older O +module O +; O +it O +creates O +a O +window O +and O +enters O +the O +message O +loop O +waiting O +for O +device O +arrival O +notifications O +. O + +The O +only O +difference O +introduced O +is O +that O +an O +event O +named O +“ O +WerTyQ34C O +” O +can O +be O +signalled O +by O +the O +function O +“ O +NvStop O +” O +to O +terminate O +the O +message O +loop O +and O +stop O +processing O +. O + + +How O +they O +did O +it O +: O +GRU O +hackers O +vs +. O + +US O +elections O +. 
O + +In O +a O +press O +briefing O +just O +two O +weeks O +ago O +, O +Deputy O +Attorney O +General O +Rod O +Rosenstein O +announced O +that O +the O +grand O +jury O +assembled O +by O +Special O +Counsel O +Robert O +Mueller O +had O +returned O +an O +indictment O +against O +12 O +officers O +of O +Russia S-LOC +'s O +Main O +Intelligence O +Directorate O +of O +the O +Russian O +General O +Staff O +( O +better O +known O +as O +Glavnoye B-IDTY +razvedyvatel'noye I-IDTY +upravleniye E-IDTY +, O +or O +GRU S-IDTY +) O +. O + +The O +indictment O +was O +for O +conducting O +" O +active O +cyber O +operations O +with O +the O +intent O +of O +interfering O +in O +the O +2016 S-TIME +presidential O +election O +. O +" O +The O +espionage O +operation O +was O +run O +by O +Unit B-APT +26165 E-APT +, O +commanded O +by O +GRU S-IDTY +Officer O +Viktor O +Borisovich O +Netykshko O +. O + +Unit B-APT +26165 E-APT +appears O +to O +be O +the O +organization O +behind O +at O +least O +part O +of O +the O +"threat O +group" O +of O +tools O +, O +techniques O +, O +and O +procedures O +known O +as O +" O +Fancy B-APT +Bear E-APT +, O +" O +" O +Sofacy S-APT +, O +" O +" O +APT28 S-APT +, O +" O +and O +" O +Sednit S-APT +" O +. O + +Within O +the O +unit O +, O +two O +divisions O +were O +involved O +in O +the O +breaches O +: O +one O +specializing O +in O +operations O +and O +the O +second O +in O +development O +and O +maintenance O +of O +hacking O +tools O +and O +infrastructure O +. O + +The O +operations O +division O +, O +supervised O +by O +Major O +Boris O +Alekseyevich O +Antonov O +, O +specialized O +in O +targeting O +organizations O +of O +intelligence O +interest O +through O +spear-phishing S-ACT +campaigns O +and O +the O +exploitation O +of O +stolen O +credentials O +. 
O + +Antonov's O +group O +included O +Ivan O +Sergeyevich O +Yermakov O +and O +Senior O +Lieutenant O +Aleksey O +Viktorovich O +Lukashev O +, O +according O +to O +the O +indictment O +, O +and O +they O +were O +responsible O +for O +targeting O +the O +email S-TOOL +accounts O +that O +were O +exposed O +on O +the O +" O +DCLeaks S-APT +" O +site O +prior O +to O +the O +election O +operations O +. O + +The O +second O +division O +, O +overseen O +by O +Lieutenant O +Colonel O +Sergey O +Aleksandrovich O +Morgachev O +, O +managed O +the O +development O +and O +maintenance O +of O +malware O +and O +hacking O +tools O +used O +by O +Unit B-APT +26165 E-APT +, O +including O +the O +X-Agent S-MAL +" O +implant O +" O +. O + +X-Agent S-MAL +is O +a O +signature O +tool O +of O +Fancy B-APT +Bear E-APT +operations—a O +cross-platform O +backdoor O +toolset O +with O +variants O +for O +Windows S-OS +, O +MacOS S-OS +, O +Android S-OS +, O +and O +iOS S-OS +. O + +The O +Windows S-OS +and O +MacOS S-OS +versions O +of O +X-Agent S-MAL +are O +capable O +of O +recording O +keystrokes O +, O +taking O +screenshots O +, O +and O +exfiltrating O +files O +from O +infected O +systems O +back O +to O +a O +command O +and O +control O +server O +. O + +Lieutenant O +Captain O +Nikolay O +Kozacheck O +( O +who O +used O +the O +hacker O +monikers O +" O +kazak O +" O +and O +" O +blablabla1234465 O +" O +) O +was O +the O +primary O +developer O +and O +maintainer O +of O +X-Agent S-MAL +, O +according O +to O +the O +indictment O +, O +and O +he O +was O +assisted O +by O +another O +officer O +, O +Pavel O +Yershov O +, O +in O +preparing O +it O +for O +deployment O +. 
O + +Once O +X-Agent S-MAL +was O +implanted O +on O +the O +DNC S-TOOL +and O +DCCC S-TOOL +networks O +, O +Second O +Lieutenant O +Artem O +Malyshev O +( O +AKA O +" O +djangomagicdev O +" O +and O +" O +realblatr O +" O +) O +monitored O +the O +implants O +through O +the O +command O +and O +control O +network O +configured O +for O +the O +task O +. O + +The O +information O +operations O +unit O +, O +Unit B-APT +74455 E-APT +, O +was O +commanded O +by O +Colonel O +Aleksandr O +Vladimirovich O +Osadchuk O +. O + +Unit B-APT +74455 E-APT +'s O +members O +would O +be O +responsible O +for O +the O +distribution O +of O +some O +of O +the O +stolen O +data O +from O +the O +breaches O +through O +the O +" O +DCLeaks S-APT +" O +and O +" O +Guccifer S-APT +2.0 O +" O +websites O +. O + +This O +group O +famously O +also O +reached O +out O +to O +WikiLeaks S-TOOL +( O +referred O +to O +as O +" O +Organization O +1 O +" O +in O +the O +indictment O +) O +to O +amplify O +their O +information O +operation O +, O +and O +they O +promoted O +the O +leaks O +to O +journalists O +through O +GRU S-IDTY +-controlled O +email S-TOOL +and O +social O +media O +accounts O +. O + +Within O +Unit B-APT +74455 E-APT +, O +Officer O +Aleksy O +Potemkin—a O +department O +supervisor—oversaw O +information O +operations O +infrastructure O +. O + +His O +group O +configured O +the O +DCLeaks S-APT +and O +Guccifer S-APT +2.0 O +blogs O +and O +social O +media O +accounts O +that O +would O +later O +be O +used O +to O +spread O +data O +stolen O +from O +the O +DNC S-TOOL +, O +DCCC S-TOOL +, O +and O +Clinton O +campaigns O +. O + + +Bears O +in O +the O +Midst O +: O +Intrusion O +Into O +the O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +. O + +There O +is O +rarely O +a O +dull O +day O +at O +CrowdStrike S-SECTEAM +where O +we O +are O +not O +detecting O +or O +responding O +to O +a O +breach O +at O +a O +company O +somewhere O +around O +the O +globe O +. 
O + +In O +all O +of O +these O +cases O +, O +we O +operate O +under O +strict O +confidentiality O +rules O +with O +our O +customers O +and O +cannot O +reveal O +publicly O +any O +information O +about O +these O +attacks O +. O + +But O +on O +rare O +occasions O +, O +a O +customer O +decides O +to O +go O +public O +with O +information O +about O +their O +incident O +and O +give O +us O +permission O +to O +share O +our O +knowledge O +of O +the O +adversary O +tradecraft O +with O +the O +broader O +community O +and O +help O +protect O +even O +those O +who O +do O +not O +happen O +to O +be O +our O +customers O +. O + +This O +story O +is O +about O +one O +of O +those O +cases O +. O + +CrowdStrike S-SECTEAM +Services O +Inc. O +, O +our O +Incident B-SECTEAM +Response E-SECTEAM +group O +, O +was O +called O +by O +the O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +( O +DNC S-IDTY +) O +, O +the O +formal O +governing O +body O +for O +the O +US S-LOC +Democratic O +Party O +, O +to O +respond O +to O +a O +suspected O +breach O +. O + +We O +deployed O +our O +IR S-SECTEAM +team O +and O +technology O +and O +immediately O +identified O +two O +sophisticated O +adversaries O +on O +the O +network O +– O +COZY B-APT +BEAR E-APT +and O +FANCY B-APT +BEAR E-APT +. O + +We O +’ve O +had O +lots O +of O +experience O +with O +both O +of O +these O +actors O +attempting O +to O +target O +our O +customers O +in O +the O +past O +and O +know O +them O +well O +. O + +In O +fact O +, O +our O +team O +considers O +them O +some O +of O +the O +best O +threat O +actors O +out O +of O +all O +the O +numerous O +nation-state O +, O +criminal O +and O +hacktivist/terrorist O +groups O +we O +encounter O +on O +a O +daily O +basis O +. 
O + +Their O +tradecraft O +is O +superb O +, O +operational O +security O +second O +to O +none O +and O +the O +extensive O +usage O +of O +‘ O +living-off-the-land O +’ O +techniques O +enables O +them O +to O +easily O +bypass O +many O +security O +solutions O +they O +encounter O +. O + +In O +particular O +, O +we O +identified O +advanced O +methods O +consistent O +with O +nation-state O +level O +capabilities O +including O +deliberate O +targeting O +and O +‘ O +access O +management O +’ O +tradecraft O +– O +both O +groups O +were O +constantly O +going O +back O +into O +the O +environment O +to O +change O +out O +their O +implants O +, O +modify O +persistent O +methods O +, O +move O +to O +new O +Command B-TOOL +& I-TOOL +Control E-TOOL +channels O +and O +perform O +other O +tasks O +to O +try O +to O +stay O +ahead O +of O +being O +detected O +. O + +Both O +adversaries O +engage O +in O +extensive O +political O +and O +economic O +espionage O +for O +the O +benefit O +of O +the O +government O +of O +the O +Russian O +Federation O +and O +are O +believed O +to O +be O +closely O +linked O +to O +the O +Russian O +government O +’s O +powerful O +and O +highly O +capable O +intelligence O +services O +. O + +COZY B-APT +BEAR E-APT +( O +also O +referred O +to O +in O +some O +industry O +reports O +as O +CozyDuke S-APT +or O +APT B-APT +29 E-APT +) O +is O +the O +adversary O +group O +that O +last O +year O +successfully O +infiltrated O +the O +unclassified O +networks O +of O +the O +White B-IDTY +House E-IDTY +, O +State B-IDTY +Department E-IDTY +, O +and O +US S-LOC +Joint B-IDTY +Chiefs I-IDTY +of I-IDTY +Staff E-IDTY +. 
O + +In O +addition O +to O +the O +US S-LOC +government O +, O +they O +have O +targeted O +organizations O +across O +the O +Defense O +, O +Energy O +, O +Extractive O +, O +Financial O +, O +Insurance O +, O +Legal O +, O +Manufacturing O +Media O +, O +Think O +Tanks O +, O +Pharmaceutical O +, O +Research O +and O +Technology O +industries O +, O +along O +with O +Universities O +. O + +Victims O +have O +also O +been O +observed O +in O +Western B-LOC +Europe E-LOC +, O +Brazil S-LOC +, O +China S-LOC +, O +Japan S-LOC +, O +Mexico S-LOC +, O +New B-LOC +Zealand E-LOC +, O +South B-LOC +Korea E-LOC +, O +Turkey S-LOC +and O +Central O +Asian O +countries O +. O + +COZY B-APT +BEAR E-APT +’s O +preferred O +intrusion O +method O +is O +a O +broadly O +targeted O +spearphish O +campaign O +that O +typically O +includes O +web O +links O +to O +a O +malicious O +dropper O +. O + +Once O +executed O +on O +the O +machine O +, O +the O +code O +will O +deliver O +one O +of O +a O +number O +of O +sophisticated O +Remote B-TOOL +Access I-TOOL +Tools E-TOOL +( O +RATs S-TOOL +) O +, O +including O +AdobeARM S-TOOL +, O +ATI-Agent S-TOOL +, O +and O +MiniDionis S-TOOL +. O + +On O +many O +occasions O +, O +both O +the O +dropper O +and O +the O +payload O +will O +contain O +a O +range O +of O +techniques O +to O +ensure O +the O +sample O +is O +not O +being O +analyzed O +on O +a O +virtual O +machine O +, O +using O +a O +debugger O +, O +or O +located O +within O +a O +sandbox O +. O + +They O +have O +extensive O +checks O +for O +the O +various O +security O +software O +that O +is O +installed O +on O +the O +system O +and O +their O +specific O +configurations O +. O + +When O +specific O +versions O +are O +discovered O +that O +may O +cause O +issues O +for O +the O +RAT S-TOOL +, O +it O +promptly O +exits O +. 
O + +These O +actions O +demonstrate O +a O +well-resourced O +adversary O +with O +a O +thorough O +implant-testing O +regime O +that O +is O +highly O +attuned O +to O +slight O +configuration O +issues O +that O +may O +result O +in O +their O +detection O +, O +and O +which O +would O +cause O +them O +to O +deploy O +a O +different O +tool O +instead O +. O + +The O +implants O +are O +highly O +configurable O +via O +encrypted O +configuration O +files O +, O +which O +allow O +the O +adversary O +to O +customize O +various O +components O +, O +including O +C2 S-TOOL +servers O +, O +the O +list O +of O +initial O +tasks O +to O +carry O +out O +, O +persistence O +mechanisms O +, O +encryption O +keys O +and O +others O +. O + +An O +HTTP S-PROT +protocol O +with O +encrypted O +payload O +is O +used O +for O +the O +Command B-TOOL +& I-TOOL +Control E-TOOL +communication O +. O + +FANCY B-APT +BEAR E-APT +( O +also O +known O +as O +Sofacy S-APT +or O +APT B-APT +28 E-APT +) O +is O +a O +separate O +Russian-based O +threat O +actor O +, O +which O +has O +been O +active O +since O +mid B-TIME +2000s E-TIME +, O +and O +has O +been O +responsible O +for O +targeted O +intrusion O +campaigns O +against O +the O +Aerospace O +, O +Defense O +, O +Energy O +, O +Government O +and O +Media O +sectors O +. O + +Their O +victims O +have O +been O +identified O +in O +the O +United B-LOC +States E-LOC +, O +Western B-LOC +Europe E-LOC +, O +Brazil S-LOC +, O +Canada S-LOC +, O +China S-LOC +, O +Georgia S-LOC +, O +Iran S-LOC +, O +Japan S-LOC +, O +Malaysia S-LOC +and O +South B-LOC +Korea E-LOC +. 
O + +Extensive O +targeting O +of O +defense O +ministries O +and O +other O +military O +victims O +has O +been O +observed O +, O +the O +profile O +of O +which O +closely O +mirrors O +the O +strategic O +interests O +of O +the O +Russian O +government O +, O +and O +may O +indicate O +affiliation O +with O +GRU S-IDTY +, O +Russia S-LOC +’s O +premier O +military O +intelligence O +service O +. O + +This O +adversary O +has O +a O +wide O +range O +of O +implants O +at O +their O +disposal O +, O +which O +have O +been O +developed O +over O +the O +course O +of O +many O +years O +and O +include O +Sofacy S-APT +, O +X-Agent S-MAL +, O +X-Tunnel S-TOOL +, O +WinIDS S-MAL +, O +Foozer S-MAL +and O +DownRage S-MAL +droppers O +, O +and O +even O +malware O +for O +Linux S-OS +, O +OSX S-OS +, O +IOS S-OS +, O +Android S-OS +and O +Windows S-OS +Phones O +. O + +This O +group O +is O +known O +for O +its O +technique O +of O +registering O +domains O +that O +closely O +resemble O +domains O +of O +legitimate O +organizations O +they O +plan O +to O +target O +. O + +Afterwards O +, O +they O +establish O +phishing E-ACT +sites O +on O +these O +domains O +that O +spoof O +the O +look O +and O +feel O +of O +the O +victim O +’s O +web-based O +email S-TOOL +services O +in O +order O +to O +steal O +their O +credentials O +. O + +FANCY B-APT +BEAR E-APT +has O +also O +been O +linked O +publicly O +to O +intrusions O +into O +the O +German S-LOC +Bundestag S-IDTY +and O +France S-LOC +’s O +TV5 B-IDTY +Monde E-IDTY +TV O +station O +in O +April B-TIME +2015 E-TIME +. O + +At O +DNC S-IDTY +, O +COZY B-APT +BEAR E-APT +intrusion O +has O +been O +identified O +going O +back O +to O +summer B-TIME +of I-TIME +2015 E-TIME +, O +while O +FANCY B-APT +BEAR E-APT +separately O +breached O +the O +network O +in O +April B-TIME +2016 E-TIME +. 
O + +We O +have O +identified O +no O +collaboration O +between O +the O +two O +actors O +, O +or O +even O +an O +awareness O +of O +one O +by O +the O +other O +. O + +Instead O +, O +we O +observed O +the O +two O +Russian O +espionage O +groups O +compromise O +the O +same O +systems O +and O +engage O +separately O +in O +the O +theft O +of O +identical O +credentials O +. O + +While O +you O +would O +virtually O +never O +see O +Western O +intelligence O +agencies O +going O +after O +the O +same O +target O +without O +de-confliction O +for O +fear O +of O +compromising O +each O +other O +’s O +operations O +, O +in O +Russia S-LOC +this O +is O +not O +an O +uncommon O +scenario O +. O +“ O +Putin O +’s O +Hydra O +: O +Inside O +Russia S-LOC +’s O +Intelligence O +Services O +” O +, O +a O +recent O +paper O +from O +European O +Council O +on O +Foreign O +Relations O +, O +does O +an O +excellent O +job O +outlining O +the O +highly O +adversarial O +relationship O +between O +Russia S-LOC +’s O +main O +intelligence O +services O +– O +FSB S-IDTY +, O +the O +primary O +domestic O +intelligence O +agency O +but O +one O +with O +also O +significant O +external O +collection O +and O +‘ O +active O +measures O +’ O + +remit O +, O +SVR O +, O +the O +primary O +foreign O +intelligence O +agency O +, O +and O +the O +aforementioned O +GRU S-IDTY +. O + +Not O +only O +do O +they O +have O +overlapping O +areas O +of O +responsibility O +, O +but O +also O +rarely O +share O +intelligence O +and O +even O +occasionally O +steal O +sources O +from O +each O +other O +and O +compromise O +operations O +. O + +Thus O +, O +it O +is O +not O +surprising O +to O +see O +them O +engage O +in O +intrusions O +against O +the O +same O +victim O +, O +even O +when O +it O +may O +be O +a O +waste O +of O +resources O +and O +lead O +to O +the O +discovery O +and O +potential O +compromise O +of O +mutual O +operations O +. 
O + +The O +COZY B-APT +BEAR E-APT +intrusion O +relied O +primarily O +on O +the O +SeaDaddy S-MAL +implant O +developed O +in O +Python S-TOOL +and O +compiled O +with O +py2exe S-TOOL +and O +another O +Powershell S-TOOL +backdoor O +with O +persistence O +accomplished O +via O +Windows S-OS +Management B-TOOL +Instrumentation E-TOOL +( O +WMI S-TOOL +) O +system O +, O +which O +allowed O +the O +adversary O +to O +launch O +malicious O +code O +automatically O +after O +a O +specified O +period O +of O +system O +uptime O +or O +on O +a O +specific O +schedule O +. O + +The O +Powershell S-TOOL +backdoor O +is O +ingenious O +in O +its O +simplicity O +and O +power O +. O + +This O +one-line O +powershell S-TOOL +command O +, O +stored O +only O +in O +WMI S-TOOL +database O +, O +establishes O +an O +encrypted O +connection O +to O +C2 S-TOOL +and O +downloads O +additional O +powershell S-TOOL +modules O +from O +it O +, O +executing O +them O +in O +memory O +. O + +In O +theory O +, O +the O +additional O +modules O +can O +do O +virtually O +anything O +on O +the O +victim O +system O +. O + +The O +encryption O +keys O +in O +the O +script O +were O +different O +on O +every O +system O +. O + +Powershell S-TOOL +version O +of O +credential O +theft O +tool O +MimiKatz S-MAL +was O +also O +used O +by O +the O +actors O +to O +facilitate O +credential O +acquisition O +for O +lateral O +movement O +purposes O +. O + +FANCY B-APT +BEAR E-APT +adversary O +used O +different O +tradecraft O +, O +deploying O +X-Agent S-MAL +malware O +with O +capabilities O +to O +do O +remote O +command O +execution O +, O +file O +transmission O +and O +keylogging O +. O + +It O +was O +executed O +via O +rundll32 O +commands O +such O +as O +: O +rundll32.exe S-FILE +“ O +C:\Windows\twain_64.dll S-FILE +” O +. 
O + +In O +addition O +, O +FANCY B-APT +BEAR E-APT +’s O +X-Tunnel S-TOOL +network O +tunneling O +tool O +, O +which O +facilitates O +connections O +to O +NAT-ed S-TOOL +environments O +, O +was O +used O +to O +also O +execute O +remote O +commands O +. O + +Both O +tools O +were O +deployed O +via O +RemCOM S-IDTY +, O +an O +open-source O +replacement O +for O +PsExec S-TOOL +available O +from O +GitHub S-TOOL +. O + +Intelligence O +collection O +directed O +by O +nation O +state O +actors O +against O +US S-LOC +political O +targets O +provides O +invaluable O +insight O +into O +the O +requirements O +directed O +upon O +those O +actors O +. O + +Regardless O +of O +the O +agency O +or O +unit O +tasked O +with O +this O +collection O +, O +the O +upcoming O +US S-LOC +election O +, O +and O +the O +associated O +candidates O +and O +parties O +are O +of O +critical O +interest O +to O +both O +hostile O +and O +friendly O +nation O +states O +. O + +The O +2016 S-TIME +presidential O +election O +has O +the O +world O +’s O +attention O +, O +and O +leaders O +of O +other O +states O +are O +anxiously O +watching O +and O +planning O +for O +possible O +outcomes O +. O + + +Corporate O +IoT S-TOOL +– O +a O +path O +to O +intrusion O +. O + +Several O +sources O +estimate O +that O +by O +the O +year O +2020 S-TIME +some O +50 O +billion O +IoT S-TOOL +devices O +will O +be O +deployed O +worldwide O +. O + +IoT S-TOOL +devices O +are O +purposefully O +designed O +to O +connect O +to O +a O +network O +and O +many O +are O +simply O +connected O +to O +the O +internet O +with O +little O +management O +or O +oversight.Some O +IoT S-TOOL +devices O +may O +even O +communicate O +basic O +telemetry O +back O +to O +the O +device O +manufacturer O +or O +have O +means O +to O +receive O +software O +updates O +. 
O + +In O +2016 S-TIME +, O +the O +Mirai B-TOOL +botnet E-TOOL +was O +discovered O +by O +the O +malware O +research O +group O +MalwareMustDie S-SECTEAM +. O + +The O +botnet O +initially O +consisted O +of O +IP O +cameras O +and O +basic O +home O +routers O +, O +two O +types O +of O +IoT S-TOOL +devices O +commonly O +found O +in O +the O +household O +. O + +As O +more O +variants O +of O +Mirai S-TOOL +emerged O +, O +so O +did O +the O +list O +IoT S-TOOL +devices O +it O +was O +targeting O +. O + +The O +source O +code O +for O +the O +malware O +powering O +this O +botnet O +was O +eventually O +leaked O +online O +. O + +In O +2018 S-TIME +, O +hundreds O +of O +thousands O +of O +home O +and O +small O +business O +networking O +and O +storage O +devices O +were O +compromised O +and O +loaded O +with O +the O +so-called O +“ O +VPN B-MAL +Filter E-MAL +” O +malware O +. O + +The O +FBI S-IDTY +has O +publicly O +attributed O +this O +activity O +to O +a O +nation-state O +actor O +and O +took O +subsequent O +actions O +to O +disrupt O +this O +botnet O +, O +although O +the O +devices O +would O +remain O +vulnerable O +to O +re-infection O +unless O +proper O +firmware O +or O +security O +controls O +were O +put O +in O +place O +by O +the O +user O +. O + +In O +April S-TIME +, O +security O +researchers O +in O +the O +Microsoft S-IDTY +Threat B-TOOL +Intelligence I-TOOL +Center E-TOOL +discovered O +infrastructure O +of O +a O +known O +adversary O +communicating O +to O +several O +external O +devices O +. O + +Further O +research O +uncovered O +attempts O +by O +the O +actor O +to O +compromise O +popular O +IoT S-TOOL +devices O +( O +a O +VOIP B-TOOL +phone E-TOOL +, O +an O +office B-TOOL +printer E-TOOL +, O +and O +a O +video B-TOOL +decoder E-TOOL +) O +across O +multiple O +customer O +locations O +. 
O + +The O +investigation O +uncovered O +that O +an O +actor O +had O +used O +these O +devices O +to O +gain O +initial O +access O +to O +corporate O +networks O +. O + +In O +two O +of O +the O +cases O +, O +the O +passwords O +for O +the O +devices O +were O +deployed O +without O +changing O +the O +default O +manufacturer O +’s O +passwords O +and O +in O +the O +third O +instance O +the O +latest O +security O +update O +had O +not O +been O +applied O +to O +the O +device O +. O + +These O +devices O +became O +points O +of O +ingress O +from O +which O +the O +actor O +established O +a O +presence O +on O +the O +network O +and O +continued O +looking O +for O +further O +access O +. O + +Once O +the O +actor O +had O +successfully O +established O +access O +to O +the O +network O +, O +a O +simple O +network O +scan O +to O +look O +for O +other O +insecure O +devices O +allowed O +them O +to O +discover O +and O +move O +across O +the O +network O +in O +search O +of O +higher-privileged O +accounts O +that O +would O +grant O +access O +to O +higher-value O +data O +. O + +After O +gaining O +access O +to O +each O +of O +the O +IoT S-TOOL +devices O +, O +the O +actor O +ran O +tcpdump O +to O +sniff O +network O +traffic O +on O +local O +subnets O +. O + +They O +were O +also O +seen O +enumerating O +administrative O +groups O +to O +attempt O +further O +exploitation O +. O + +As O +the O +actor O +moved O +from O +one O +device O +to O +another O +, O +they O +would O +drop O +a O +simple O +shell O +script O +to O +establish O +persistence O +on O +the O +network O +which O +allowed O +extended O +access O +to O +continue O +hunting O +. O + +Analysis O +of O +network O +traffic O +showed O +the O +devices O +were O +also O +communicating O +with O +an O +external O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +server O +. 
O + +The O +following O +IP O +addresses O +are O +believed O +to O +have O +been O +used O +by O +the O +actor O +for O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +during O +these O +intrusions O +: O + +167.114.153.55 S-IP +94.237.37.28 S-IP +82.118.242.171 S-IP +31.220.61.251 S-IP +128.199.199.187 S-IP +. O + +We O +attribute O +the O +attacks O +on O +these O +customers O +using O +three O +popular O +IoT S-TOOL +devices O +to O +an O +activity O +group O +that O +Microsoft S-IDTY +refers O +to O +as O +STRONTIUM S-APT +. O + +Since O +we O +identified O +these O +attacks O +in O +the O +early O +stages O +, O +we O +have O +not O +been O +able O +to O +conclusively O +determine O +what O +STRONTIUM S-APT +’s O +ultimate O +objectives O +were O +in O +these O +intrusions O +. O + +Over O +the O +last O +twelve O +months O +, O +Microsoft S-IDTY +has O +delivered O +nearly O +1400 O +nation-state O +notifications O +to O +those O +who O +have O +been O +targeted O +or O +compromised O +by O +STRONTIUM S-APT +. O + +One O +in O +five O +notifications O +of O +STRONTIUM S-APT +activity O +were O +tied O +to O +attacks O +against O +non-governmental O +organizations O +, O +think O +tanks O +, O +or O +politically O +affiliated O +organizations O +around O +the O +world O +. O + +The O +remaining O +80% O +of O +STRONTIUM S-APT +attacks O +have O +largely O +targeted O +organizations O +in O +the O +following O +sectors O +: O +government O +, O +IT O +, O +military O +, O +defense O +, O +medicine O +, O +education O +, O +and O +engineering O +. O + +We O +have O +also O +observed O +and O +notified O +STRONTIUM S-APT +attacks O +against O +Olympic S-IDTY +organizing O +committees O +, O +anti-doping O +agencies O +, O +and O +the O +hospitality O +industry O +. O + +The O +“ O +VPN B-MAL +Filter E-MAL +” O +malware O +has O +also O +been O +attributed O +to O +STRONTIUM S-APT +by O +the O +FBI S-IDTY +. 
O + +Below O +are O +a O +series O +of O +indicators O +Microsoft O +has O +observed O +as O +active O +during O +the O +STRONTIUM S-APT +activity O +discussed O +in O +this O +article O +. O + + +BRONZE B-APT +PRESIDENT E-APT +Targets O +NGOs S-IDTY +. O + +The O +activities O +of O +some O +non-governmental B-IDTY +organizations E-IDTY +( O +NGOs S-IDTY +) O +challenge O +governments O +on O +politically O +sensitive O +issues O +such O +as O +social O +, O +humanitarian O +, O +and O +environmental O +policies O +. O + +As O +a O +result O +, O +these O +organizations O +are O +often O +exposed O +to O +increased O +government-directed O +threats O +aimed O +at O +monitoring O +their O +activities O +, O +discrediting O +their O +work O +, O +or O +stealing O +their O +intellectual O +property O +. O + +BRONZE B-APT +PRESIDENT E-APT +is O +a O +likely O +People's B-IDTY +Republic I-IDTY +of I-IDTY +China E-IDTY +( O +PRC S-IDTY +)-based O +targeted O +cyberespionage O +group O +that O +uses O +both O +proprietary O +and O +publicly O +available O +tools O +to O +target O +NGO S-IDTY +networks O +. O + +Secureworks B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit E-SECTEAM +( O +CTU S-SECTEAM +) O +researchers O +have O +observed O +BRONZE B-APT +PRESIDENT E-APT +activity O +since O +mid-2018 S-TIME +but O +identified O +artifacts O +suggesting O +that O +the O +threat O +actors O +may O +have O +been O +conducting O +network O +intrusions O +as O +far O +back O +as O +2014 S-TIME +. O + +The O +BRONZE B-APT +PRESIDENT E-APT +cyberespionage O +group O +targets O +NGOs O +, O +as O +well O +as O +political O +and O +law O +enforcement O +organizations O +in O +countries O +in O +South B-LOC +and I-LOC +East I-LOC +Asia E-LOC +. O + +The O +threat O +group O +appears O +to O +have O +developed O +its O +own O +remote O +access O +tools O +that O +it O +uses O +alongside O +publicly O +available O +remote O +access O +and O +post-compromise O +toolsets O +. 
O + +After O +compromising O +a O +network O +, O +the O +threat O +actors O +elevate O +their O +privileges O +and O +install O +malware O +on O +a O +large O +proportion O +of O +systems O +. O + +The O +group O +runs O +custom O +batch O +scripts O +to O +collect O +specific O +file O +types O +and O +takes O +proactive O +steps O +to O +minimize O +detection O +of O +its O +activities O +. O + +Analysis O +of O +a O +threat O +group's O +targeting O +, O +origin O +, O +and O +competencies O +can O +determine O +which O +organizations O +could O +be O +at O +risk O +. O + +This O +information O +can O +help O +organizations O +make O +strategic O +defensive O +decisions O +in O +relation O +to O +the O +BRONZE B-APT +PRESIDENT E-APT +threat O +group O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +BRONZE B-APT +PRESIDENT E-APT +targeting O +multiple O +NGOs S-IDTY +. O + +The O +threat O +actors O +steal O +data O +from O +compromised O +systems O +over O +a O +long O +period O +of O +time O +, O +which O +likely O +indicates O +a O +long-term O +objective O +of O +monitoring O +the O +target's O +network O +. O + +BRONZE B-APT +PRESIDENT E-APT +uses O +custom O +batch O +scripts O +to O +collect O +either O +specific O +file O +types O +( O +including O +files O +with O +.pptx S-FILE +, O +.xlsx S-FILE +, O +.pdf S-FILE +extensions O +) O +or O +all O +files O +within O +a O +specific O +location O +. O + +CTU S-SECTEAM +researchers O +also O +observed O +evidence O +that O +the O +threat O +actors O +collect O +credentials O +from O +high-privilege O +network O +accounts O +and O +reputationally O +sensitive O +accounts O +, O +such O +as O +social O +media O +and O +webmail O +accounts O +. 
O + +Additionally O +, O +CTU S-SECTEAM +researchers O +have O +observed O +evidence O +of O +BRONZE B-APT +PRESIDENT E-APT +targeting O +political O +and O +law O +enforcement O +organizations O +in O +countries O +adjacent O +to O +the O +PRC S-IDTY +, O +including O +Mongolia S-LOC +and O +India S-LOC +. O + +Some O +of O +the O +group's O +phishing E-ACT +lures O +suggest O +an O +interest O +in O +national O +security O +, O +humanitarian O +, O +and O +law O +enforcement O +organizations O +in O +the O +East B-LOC +, I-LOC +South I-LOC +, I-LOC +and I-LOC +Southeast I-LOC +Asia E-LOC +( O +see O +Figure O +1 O +) O +. O + +These O +examples O +reveal O +BRONZE B-APT +PRESIDENT E-APT +'s O +likely O +intent O +to O +conduct O +political O +espionage O +in O +other O +countries O +in O +addition O +to O +targeting O +NGOs S-IDTY +. O + +It O +is O +highly O +likely O +that O +BRONZE B-APT +PRESIDENT E-APT +is O +based O +in O +the O +PRC S-IDTY +due O +to O +the O +following O +observations O +: O + +The O +NGOs S-IDTY +targeted O +by O +BRONZE B-APT +PRESIDENT E-APT +conduct O +research O +on O +issues O +relevant O +to O +the O +PRC S-IDTY +. O + +Strong O +evidence O +links O +BRONZE B-APT +PRESIDENT E-APT +'s O +infrastructure O +to O +entities O +within O +the O +PRC S-IDTY +. O + +There O +are O +connections O +between O +a O +subset O +of O +the O +group's O +operational O +infrastructure O +and O +PRC-based S-IDTY +Internet O +service O +providers O +. O + +Tools O +such O +as O +PlugX S-MAL +have O +historically O +been O +leveraged O +by O +threat O +groups O +operating O +in O +the O +PRC S-IDTY +. O + +It O +is O +likely O +that O +BRONZE B-APT +PRESIDENT E-APT +is O +sponsored O +or O +at O +least O +tolerated O +by O +the O +PRC S-IDTY +government O +. 
O + +The O +threat O +group's O +systemic O +long-term O +targeting O +of O +NGO S-IDTY +and O +political O +networks O +does O +not O +align O +with O +patriotic O +or O +criminal O +threat O +groups O +. O + +BRONZE B-APT +PRESIDENT E-APT +has O +deployed O +a O +variety O +of O +remote O +access O +tools O +. O + +The O +use O +of O +tools O +not O +previously O +observed O +by O +CTU S-SECTEAM +researchers O +suggests O +that O +the O +group O +could O +have O +access O +to O +malware O +development O +capabilities O +. O + +BRONZE B-APT +PRESIDENT E-APT +also O +uses O +widely O +available O +or O +modified O +open-source O +tools O +, O +which O +could O +be O +a O +strategic O +effort O +to O +reduce O +the O +risk O +of O +attribution O +or O +to O +minimize O +the O +need O +for O +tool O +development O +resources O +. O + +Following O +a O +network O +compromise O +, O +the O +threat O +actors O +typically O +delete O +their O +tools O +and O +processes O +. O + +However O +, O +the O +group O +is O +content O +leaving O +some O +malware O +on O +the O +network O +, O +likely O +to O +provide O +a O +contingency O +if O +other O +access O +channels O +are O +removed O +. O + +When O +the O +group's O +activities O +were O +detected O +in O +one O +incident O +, O +it O +had O +elevated O +privileges O +and O +had O +maintained O +access O +to O +the O +targeted O +environment O +for O +several O +months O +. O + +This O +finding O +indicates O +the O +group's O +effectiveness O +at O +maintaining O +long-term O +access O +to O +a O +targeted O +network O +. 
O + +CTU S-SECTEAM +researchers O +and O +Secureworks O +incident O +responders O +have O +observed O +BRONZE B-APT +PRESIDENT E-APT +using O +the O +following O +tools O +, O +along O +with O +several O +custom O +batch O +scripts O +for O +locating O +and O +archiving O +specific O +file O +types O +: O + +Cobalt B-TOOL +Strike E-TOOL +— O +This O +popular O +and O +commercially O +available O +penetration O +tool O +gains O +shell O +access O +to O +an O +infected O +system O +. O + +It O +allows O +threat O +actors O +to O +execute O +additional O +tools O +and O +perform O +post-intrusion O +actions O +on O +compromised O +systems O +. O + +Cobalt B-TOOL +Strike E-TOOL +appears O +to O +be O +one O +of O +BRONZE B-APT +PRESIDENT E-APT +'s O +preferred O +remote O +access O +tools O +. O + +During O +one O +intrusion O +, O +the O +threat O +actors O +installed O +it O +on O +over O +70% O +of O +accessible O +hosts O +. O + +The O +group's O +Cobalt B-TOOL +Strike E-TOOL +installation O +typically O +uses O +a O +payload O +named O +svchost.exe S-FILE +in O +an O +attempt O +to O +disguise O +Cobalt B-TOOL +Strike E-TOOL +activity O +as O +the O +legitimate O +Windows S-OS +svchost.exe S-FILE +executable O +. O + +PlugX S-MAL +— O +This O +remote O +access O +Trojan S-MAL +( O +RAT O +) O +is O +popular O +among O +PRC-based S-IDTY +targeted O +threat O +groups O +. O + +Its O +functionality O +includes O +uploading O +and O +downloading O +files O +, O +and O +it O +has O +configurable O +network O +protocols O +. O + +BRONZE B-APT +PRESIDENT E-APT +installs O +PlugX S-MAL +using O +DLL S-TOOL +side-loading O +. O + +In O +June B-TIME +and I-TIME +August I-TIME +2019 E-TIME +, O +BRONZE B-APT +PRESIDENT E-APT +delivered O +PlugX S-MAL +via O +government O +and O +law O +enforcement-themed O +phishing E-ACT +lures O +. 
O + +ORat S-MAL +— O +CTU S-SECTEAM +researchers O +have O +only O +observed O +this O +basic O +loader O +tool O +in O +the O +context O +of O +BRONZE B-APT +PRESIDENT E-APT +intrusions O +. O + +ORat S-MAL +is O +the O +name O +assigned O +by O +the O +malware O +author O +, O +as O +denoted O +by O +the O +program O +debug O +database O +string O +in O +the O +analyzed O +sample O +: O +D:\vswork\Plugin\ORat\build\Release\ORatServer\Loader.pdb O +. O + +The O +tool O +uses O +the O +Windows S-OS +Management B-TOOL +Instrumentation E-TOOL +( O +WMI S-TOOL +) O +event O +consumer O +for O +persistence O +by O +installing O +a O +script O +to O +the O +system's O +WMI S-TOOL +registry O +. O + +Messages O +sent O +from O +ORat S-MAL +to O +its O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +server O +start O +with O +the O +string O +"VIEWS0018x" O +. O + +If O +the O +data O +received O +from O +the O +C2 S-TOOL +server O +starts O +with O +the O +same O +string O +, O +then O +the O +remainder O +of O +the O +payload O +is O +decompressed O +using O +ORat S-MAL +'s O +"deflate" O +algorithm O +and O +called O +as O +a O +function O +. O + +ORat S-MAL +acts O +as O +a O +flexible O +loader O +tool O +rather O +than O +a O +fully O +featured O +remote O +access O +tool O +. O + +RCSession S-MAL +— O +This O +basic O +RAT O +is O +installed O +via O +DLL S-TOOL +side-loading O +, O +and O +CTU S-SECTEAM +researchers O +observed O +BRONZE B-APT +PRESIDENT E-APT +installing O +it O +on O +multiple O +hosts O +during O +intrusions O +. O + +RCSession S-MAL +was O +extracted O +from O +a O +file O +called O +English.rtf S-FILE +and O +launched O +via O +a O +hollowed O +svchost.exe S-FILE +process O +. O + +RCSession S-MAL +connects O +to O +its O +C2 S-TOOL +server O +via O +a O +custom O +protocol O +, O +can O +remotely O +execute O +commands O +, O +and O +can O +launch O +additional O +tools O +. 
O + +CTU S-SECTEAM +researchers O +have O +no O +evidence O +of O +other O +threat O +actors O +using O +RCSession S-MAL +or O +of O +wide O +proliferation O +of O +the O +tool O +, O +suggesting O +it O +may O +be O +exclusively O +used O +by O +BRONZE B-APT +PRESIDENT E-APT +. O + +Nbtscan S-TOOL +— O +This O +publicly O +available O +command-line O +tool O +scans O +systems O +for O +NetBIOS S-PROT +name O +information O +( O +see O +Figure O +2 O +) O +. O + +In O +an O +example O +observed O +by O +CTU S-SECTEAM +researchers O +, O +the O +Nbtscan S-TOOL +executable O +was O +named O +Adobe.exe S-FILE +and O +was O +installed O +in O +several O +working O +directories O +on O +compromised O +hosts O +, O +including O +: O +C:\Recovery\ O +. O + +Nmap S-TOOL +— O +BRONZE B-APT +PRESIDENT E-APT +used O +this O +freely O +available O +network O +scanning O +tool O +from O +the O +C:\PerfLogs\ O +folder O +. O + +Wmiexec S-TOOL +— O +This O +publicly O +available O +tool O +uses O +WMI S-TOOL +to O +create O +SYSTEM-level O +shells O +on O +remote O +hosts O +. O + +While O +analyzing O +hosts O +compromised O +by O +BRONZE B-APT +PRESIDENT E-APT +, O +CTU S-SECTEAM +researchers O +identified O +other O +malware O +artifacts O +. O + +Although O +there O +was O +no O +evidence O +of O +the O +group O +using O +the O +malware O +, O +the O +threat O +actors O +may O +have O +leveraged O +its O +access O +or O +capabilities O +during O +earlier O +phases O +of O +the O +intrusions O +. O + +The O +BRONZE B-APT +PRESIDENT E-APT +intrusions O +observed O +by O +CTU S-SECTEAM +researchers O +appear O +to O +have O +taken O +place O +over O +several O +months O +or O +years O +. O + +China S-LOC +Chopper S-TOOL +web O +shell O +files O +named O +error404.aspx S-FILE +included O +the O +"eval O +(Request.Item["|"] O +,"unsafe" O +) O +; O +" O +string O +. 
O + +To O +successfully O +interact O +with O +the O +web O +shell O +, O +a O +threat O +actor O +sent O +HTTP S-PROT +requests O +that O +included O +the O +"|" O +parameter O +. O + +The O +web O +shell O +files O +appeared O +to O +be O +installed O +during O +the O +timeframe O +that O +BRONZE B-APT +PRESIDENT E-APT +was O +active O +on O +the O +system O +. O + +CTU S-SECTEAM +researchers O +identified O +a O +variety O +of O +post-compromise O +tools O +stored O +under O +%AppData% O +( O +e.g. O +, O +\AppData\Roaming\Temp O +) O +on O +several O +compromised O +systems O +. O + +The O +widespread O +proliferation O +and O +use O +of O +the O +following O +tools O +suggest O +that O +the O +group O +likely O +has O +the O +knowledge O +and O +capability O +to O +use O +them O +as O +part O +of O +its O +operations O +: O + +Powerview.ps1 S-FILE +— O +This O +PowerShell-based S-TOOL +module O +for O +network O +reconnaissance O +is O +part O +of O +the O +PowerSploit S-TOOL +penetration O +testing O +framework O +. O + +PVE B-TOOL +Find I-TOOL +AD I-TOOL +User E-TOOL +— O +This O +command-line O +tool O +identifies O +login O +locations O +of O +Active B-TOOL +Directory E-TOOL +( O +AD S-TOOL +) O +users O +. O + +AdFind S-TOOL +— O +This O +command-line O +tool O +conducts O +AD S-TOOL +queries O +. O + +NetSess S-TOOL +— O +This O +publicly O +available O +tool O +enumerates O +NetBIOS S-TOOL +sessions O +. O + +Netview S-TOOL +— O +This O +tool O +enumerates O +networks O +. O + +TeamViewer S-TOOL +— O +This O +remote O +control O +and O +desktop-sharing O +tool O +has O +applications O +for O +legitimate O +and O +malicious O +system O +users O +. O + +Its O +installation O +in O +a O +temporary O +directory O +alongside O +network O +reconnaissance O +and O +enumeration O +tools O +likely O +indicates O +malicious O +intent O +. 
O + +At O +the O +time O +of O +detection O +, O +observed O +BRONZE B-APT +PRESIDENT E-APT +incidents O +had O +likely O +been O +ongoing O +for O +several O +months O +or O +even O +years O +. O + +As O +a O +result O +, O +CTU S-SECTEAM +researchers O +were O +unable O +to O +ascertain O +the O +initial O +access O +vector O +. O + +In O +October B-TIME +2019 E-TIME +, O +third-party O +researchers O +described O +a O +phishing E-ACT +campaign O +that O +used O +C2 S-TOOL +infrastructure O +that O +CTU S-SECTEAM +researchers O +attribute O +to O +BRONZE B-APT +PRESIDENT E-APT +. O + +This O +connection O +suggests O +that O +the O +group O +uses O +phishing E-ACT +emails S-TOOL +with O +ZIP S-TOOL +attachments O +that O +contain O +LNK S-TOOL +files O +as O +an O +initial O +access O +vector O +. O + +During O +one O +intrusion O +, O +the O +threat O +actors O +gained O +administrator O +access O +to O +all O +systems O +within O +a O +targeted O +business O +unit O +and O +installed O +their O +remote O +access O +tools O +on O +80% O +of O +the O +hosts O +. O + +The O +group O +installed O +multiple O +tools O +within O +the O +environment O +, O +including O +three O +different O +tools O +on O +a O +strategically O +important O +server O +, O +likely O +to O +provide O +contingency O +access O +options O +. O + +During O +multiple O +intrusions O +, O +the O +threat O +actors O +employed O +various O +tools O +and O +techniques O +to O +understand O +the O +network O +environments O +. O + +For O +example O +, O +they O +used O +Nmap S-TOOL +to O +scan O +various O +internal O +IP O +address O +ranges O +and O +SMB S-PROT +ports O +. O + +They O +also O +relied O +on O +Nbtscan O +, O +net O +user O +, O +and O +ping O +commands O +to O +obtain O +insights O +and O +identify O +opportunities O +for O +lateral O +movement O +. O + +BRONZE B-APT +PRESIDENT E-APT +regularly O +leverages O +Wmiexec S-TOOL +to O +move O +laterally O +. 
O + +During O +one O +intrusion O +, O +the O +threat O +actors O +extensively O +used O +this O +tool O +to O +execute O +WMI S-TOOL +commands O +on O +remote O +hosts O +in O +the O +environment O +. O + +The O +threat O +actors O +retrieved O +the O +NTDS.dit S-FILE +file O +from O +the O +volume O +shadow O +copy O +. O + +NTDS.dit S-FILE +contains O +Active B-TOOL +Directory E-TOOL +data O +, O +including O +password O +hashes O +for O +all O +users O +on O +a O +domain O +. O + +Extracting O +hashes O +from O +the O +NTDS.dit S-FILE +file O +requires O +access O +to O +the O +SYSTEM O +file O +in O +the O +system O +registry O +. O + +The O +threat O +actors O +saved O +both O +the O +SYSTEM O +file O +( O +system.hive S-FILE +) O +and O +NTDS.dit S-FILE +in O +the O +compromised O +host's O +c:\windows\temp O +directory O +. O + +These O +files O +were O +likely O +exfiltrated O +and O +exploited O +offline O +to O +retrieve O +user O +password O +hashes O +, O +which O +could O +then O +be O +cracked O +or O +used O +to O +perform O +pass-the-hash O +attacks O +. O + +BRONZE B-APT +PRESIDENT E-APT +'s O +C2 S-TOOL +techniques O +are O +dictated O +by O +its O +remote O +access O +tools O +. O + +The O +group's O +primary O +and O +likely O +proprietary O +RCSession S-MAL +RAT O +communicates O +with O +a O +hard-coded O +C2 S-TOOL +server O +using O +a O +custom O +protocol O +over O +TCP S-PROT +port O +443 O +. O + +After O +connecting O +to O +its O +C2 S-TOOL +server O +, O +RCSession S-MAL +checks O +in O +with O +an O +encrypted O +beacon O +and O +then O +awaits O +instruction O +. O + +The O +ORat S-MAL +tool O +, O +which O +appears O +to O +be O +used O +less O +frequently O +by O +the O +group O +, O +communicates O +over O +TCP S-PROT +port O +80 O +using O +a O +raw O +socket O +protocol O +( O +not O +HTTP S-PROT +) O +. O + +The O +Cobalt B-TOOL +Strike E-TOOL +tool O +has O +malleable O +C2 S-TOOL +profiles O +. 
O + +During O +one O +intrusion O +, O +it O +connected O +to O +multiple O +C2 S-TOOL +domains O +on O +TCP S-PROT +port O +80 O +, O +including O +mail O +. O +svrchost O +. O +com O +, O +using O +the O +following O +request O +. O + +Subsequent O +Cobalt B-TOOL +Strike E-TOOL +C2 S-TOOL +servers O +included O +subdomains O +of O +svchosts O +. O +com O +, O +svrchost O +. O +com O +, O +and O +strust O +. O +club O +. O + +Some O +BRONZE B-APT +PRESIDENT E-APT +C2 S-TOOL +domains O +analyzed O +by O +CTU S-SECTEAM +researchers O +were O +hosted O +on O +infrastructure O +owned O +by O +Dutch O +VPS S-TOOL +provider O +Host O +Sailor O +, O +Hong O +Kong-based O +New O +World O +Telecoms O +, O +and O +Malaysia-based O +Shinjiru O +Technology O +( O +see O +Figure O +7 O +) O +. O + +The O +threat O +actors O +have O +used O +discrete O +infrastructure O +clusters O +that O +share O +matching O +hosting O +and O +registration O +characteristics O +. O + +The O +pattern O +of O +infrastructure O +hosting O +suggests O +that O +the O +group O +parks O +its O +domains O +when O +not O +in O +use O +, O +an O +operational O +security O +technique O +that O +limits O +exposure O +of O +the O +group's O +overall O +hosting O +infrastructure O +. O + +Some O +of O +BRONZE B-APT +PRESIDENT E-APT +'s O +malware O +has O +persistence O +capabilities O +. O + +For O +example O +, O +ORat S-MAL +uses O +a O +WMI S-TOOL +event O +consumer O +to O +maintain O +its O +presence O +on O +a O +compromised O +host O +. O + +The O +group O +also O +creates O +and O +maintains O +scheduled O +tasks O +to O +achieve O +this O +purpose O +. O + +Figure O +8 O +shows O +a O +Sysdriver O +scheduled O +task O +that O +periodically O +executes O +a O +Cobalt B-TOOL +Strike E-TOOL +payload O +. O + +The O +threat O +actors O +tend O +to O +install O +malware O +on O +a O +large O +proportion O +of O +hosts O +during O +their O +intrusions O +. 
O + +However O +, O +the O +group O +exercises O +restraint O +and O +defensive O +evasion O +tactics O +to O +minimize O +opportunities O +for O +network O +defenders O +to O +detect O +or O +investigate O +its O +activities O +. O + +For O +example O +, O +the O +threat O +actors O +deleted O +volume O +shadow O +copies O +after O +using O +them O +for O +NTDS.dit S-FILE +retrieval O +. O + +BRONZE B-APT +PRESIDENT E-APT +targets O +specific O +data O +types O +. O + +The O +threat O +actors O +use O +custom O +batch O +scripts O +to O +create O +a O +list O +of O +files O +with O +predefined O +criteria O +and O +collate O +the O +identified O +files O +into O +a O +.rar S-FILE +archive O +( O +see O +Figure O +9 O +) O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +BRONZE B-APT +PRESIDENT E-APT +batch O +scripts O +named O +doc.bat S-FILE +, O +xls.bat S-FILE +, O +xlsx.bat S-FILE +, O +ppt.bat S-FILE +, O +pptx.bat S-FILE +, O +pdf.bat S-FILE +, O +and O +txt.bat S-FILE +. O + +The O +group O +also O +uses O +the O +all.bat S-FILE +batch O +script O +to O +collect O +all O +files O +stored O +on O +a O +specific O +user's O +desktop O +. O + +CTU S-SECTEAM +researchers O +observed O +RCSession S-MAL +and O +Cobalt B-TOOL +Strike E-TOOL +on O +systems O +that O +BRONZE B-APT +PRESIDENT E-APT +targeted O +for O +data O +theft O +. O + +Either O +of O +these O +tools O +could O +have O +been O +used O +to O +exfiltrate O +the O +archived O +data O +. O + +BRONZE B-APT +PRESIDENT E-APT +has O +demonstrated O +intent O +to O +steal O +data O +from O +organizations O +using O +tools O +such O +as O +Cobalt B-TOOL +Strike E-TOOL +, O +PlugX S-MAL +, O +ORat S-MAL +, O +and O +RCSession S-MAL +. O + +The O +concurrent O +use O +of O +so O +many O +tools O +during O +a O +single O +intrusion O +suggests O +that O +the O +group O +could O +include O +threat O +actors O +with O +distinct O +tactics O +, O +roles O +, O +and O +tool O +preferences O +. 
O + +It O +is O +likely O +that O +BRONZE B-APT +PRESIDENT E-APT +has O +additional O +unobserved O +operational O +tools O +and O +capabilities O +. O + +CTU S-SECTEAM +researchers O +recommend O +that O +organizations O +apply O +controls O +to O +mitigate O +common O +intrusion O +techniques O +and O +behaviors O +along O +with O +controls O +that O +address O +the O +tools O +and O +techniques O +discussed O +in O +this O +analysis O +. O + +PlugX S-MAL +C2 S-TOOL +server O +: O +ipsoftwarelabs.com S-DOM +. O + +RCSession S-MAL +C2 S-TOOL +server O +: O +toshibadrive.com S-DOM +. O + +ORat S-MAL +and O +Cobalt B-TOOL +Strike E-TOOL +C2 S-TOOL +server O +: O +strust.club S-DOM +. O + +Cobalt B-TOOL +Strike E-TOOL +C2 S-TOOL +server O +: O +svchosts.com S-DOM +, O +svrhosts.com S-DOM +. O + +Cobalt B-TOOL +Strike E-TOOL +download O +location O +: O +116.93.154.250 S-IP +. O + +ORat S-MAL +malware O +sample O +: O +a0758535cf8eb689782b95d3791d23d5 S-MD5 +, O +774a9c3ff01a3e734b7bec0c312120126295fad9 S-SHA1 +, O +2e8762c984468ee309dad30a6c5f6d3308676ac721357da442a8a5b9d9d65d82 S-SHA2 +. O + +Cobalt B-TOOL +Strike E-TOOL +payload O +: O +7101fff478290d4db8a1c11a8d3b40cb S-MD5 +, O +4c81777551a772218519fb6dd1a6672aade4a936 S-SHA1 +, O +bdf1452b55b9974f3e9a4aea4439769a02fd931660ed655df92519a2a4df1261 S-SHA2 +. O + +Modified O +DLL S-TOOL +file O +( O +goopdate.dll S-FILE +) O +used O +by O +BRONZE B-APT +PRESIDENT E-APT +to O +install O +RCSession S-MAL +: O +0617cad9e5d559356c43d4037c86227f S-MD5 +, O +f14eaf5d648aebb2ed7b00b2cf4349263b30fb1c S-SHA1 +, O +2ea9ccf653f63bcc3549a313ec9d0bada341556cc32dd2ca4b73e0c034492740 S-SHA2 +. O + + +Operation O +AppleJeus S-ACT +Sequel O +, O +Lazarus S-APT +continues O +to O +attack O +the O +cryptocurrency O +business O +with O +enhanced O +capabilities O +. O + +The O +Lazarus S-APT +group O +is O +currently O +one O +of O +the O +most O +active O +and O +prolific O +APT O +actors O +. 
O + +In O +2018 S-TIME +, O +Kaspersky O +published O +a O +report O +on O +one O +of O +their O +campaigns O +, O +named O +Operation O +AppleJeus S-ACT +. O + +Notably O +, O +this O +operation O +marked O +the O +first O +time O +Lazarus S-APT +had O +targeted O +macOS S-OS +users O +, O +with O +the O +group O +inventing O +a O +fake O +company O +in O +order O +to O +deliver O +their O +manipulated O +application O +and O +exploit O +the O +high O +level O +of O +trust O +among O +potential O +victims O +. O + +As O +a O +result O +of O +our O +ongoing O +efforts O +, O +we O +identified O +significant O +changes O +to O +the O +group O +’s O +attack O +methodology O +. O + +To O +attack O +macOS S-OS +users O +, O +the O +Lazarus S-APT +group O +has O +developed O +homemade O +macOS S-OS +malware O +, O +and O +added O +an O +authentication O +mechanism O +to O +deliver O +the O +next O +stage O +payload O +very O +carefully O +, O +as O +well O +as O +loading O +the O +next-stage O +payload O +without O +touching O +the O +disk O +. O + +In O +addition O +, O +to O +attack O +Windows S-OS +users O +, O +they O +have O +elaborated O +a O +multi-stage O +infection O +procedure O +, O +and O +significantly O +changed O +the O +final O +payload O +. O + +We O +assess O +that O +the O +Lazarus S-APT +group O +has O +been O +more O +careful O +in O +its O +attacks O +following O +the O +release O +of O +Operation O +AppleJeus S-ACT +and O +they O +have O +employed O +a O +number O +of O +methods O +to O +avoid O +being O +detected O +. O + +After O +releasing O +Operation O +AppleJeus S-ACT +, O +the O +Lazarus S-APT +group O +continued O +to O +use O +a O +similar O +modus O +operandi O +in O +order O +to O +compromise O +cryptocurrency O +businesses O +. O + +We O +found O +more O +macOS S-OS +malware O +similar O +to O +that O +used O +in O +the O +original O +Operation O +AppleJeus S-ACT +case O +. 
O + +This O +macOS S-OS +malware O +used O +public O +source O +code O +in O +order O +to O +build O +crafted O +macOS S-OS +installers O +. O + +The O +malware O +authors O +used O +QtBitcoinTrader S-TOOL +developed O +by O +Centrabit S-IDTY +. O + +These O +three O +macOS S-OS +installers O +use O +a O +similar O +post O +installer O +script O +in O +order O +to O +implant O +a O +mach-o S-TOOL +payload O +, O +as O +well O +as O +using O +the O +same O +command-line O +argument O +when O +executing O +the O +fetched O +second-stage O +payload O +. O + +However O +, O +they O +have O +started O +changing O +their O +macOS S-OS +malware O +. O + +We O +recognized O +a O +different O +type O +of O +macOS S-OS +malware O +, O +MarkMakingBot.dmg S-FILE +( O +be37637d8f6c1fbe7f3ffc702afdfe1d S-MD5 +) O +, O +created O +on O +2019-03-12 S-TIME +. O + +It O +doesn’t O +have O +an O +encryption/decryption O +routine O +for O +network O +communication O +. O + +We O +speculate O +that O +this O +is O +an O +intermediate O +stage O +in O +significant O +changes O +to O +their O +macOS S-OS +malware O +. O + +During O +our O +ongoing O +tracking O +of O +this O +campaign O +, O +we O +found O +that O +one O +victim O +was O +compromised O +by O +Windows S-OS +AppleJeus S-ACT +malware O +in O +March B-TIME +2019 E-TIME +. O + +Unfortunately O +, O +we O +couldn’t O +identify O +the O +initial O +installer O +, O +but O +we O +established O +that O +the O +infection O +started O +from O +a O +malicious O +file O +named O +WFCUpdater.exe S-FILE +. O + +At O +that O +time O +, O +the O +actor O +used O +a O +fake O +website O +: O +wfcwallet.com S-DOM +. O + +The O +actor O +used O +a O +multi-stage O +infection O +like O +before O +, O +but O +the O +method O +was O +different O +. O + +The O +infection O +started O +from O +.NET S-ACT +malware O +, O +disguised O +as O +a O +WFC S-IDTY +wallet O +updater O +( O +a9e960948fdac81579d3b752e49aceda S-MD5 +) O +. 
O + +Upon O +execution O +, O +this O +.NET S-FILE +executable O +checks O +whether O +the O +command O +line O +argument O +is O +“ O +/Embedding O +” O +or O +not O +. O + +This O +malware O +is O +responsible O +for O +decrypting O +the O +WFC.cfg S-FILE +file O +in O +the O +same O +folder O +with O +a O +hardcoded O +20-byte O +XOR S-ENCR +key O +. O + +This O +mimics O +the O +wallet O +updater O +connected O +to O +the O +C2 S-TOOL +addresses O +: O +wfcwallet.com S-DOM +( O +resolved O +ip O +: O +108.174.195.134 S-IP +) O +, O +www.chainfun365.com S-DOM +( O +resolved O +ip O +: O +23.254.217.53 S-IP +) O +. O + +After O +that O +, O +it O +carries O +out O +the O +malware O +operator O +’s O +commands O +in O +order O +to O +install O +the O +next O +stage O +permanent O +payload O +. O + +The O +actor O +delivered O +two O +more O +files O +into O +the O +victim O +’s O +system O +folder O +: O +rasext.dll S-FILE +and O +msctfp.dat S-FILE +. O + +They O +used O +the O +RasMan S-TOOL +( O +Remote B-TOOL +Access I-TOOL +Connection I-TOOL +Manager E-TOOL +) O +Windows S-OS +service O +to O +register O +the O +next O +payload O +with O +a O +persistence O +mechanism O +. O + +After O +fundamental O +reconnaissance O +, O +the O +malware O +operator O +implanted O +the O +delivered O +payload O +by O +manually O +using O +the O +following O +commands O +: O + +cmd.exe S-FILE +/c O +dir O +rasext.dll S-FILE +, O +cmd.exe S-FILE +/c O +dir O +msctfp.dat S-FILE +, O +cmd.exe S-FILE +/c O +tasklist O +/svc O +| O +findstr O +RasMan S-TOOL +, O +cmd.exe S-FILE +/c O +reg O +add O +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\ThirdParty O +/v O +DllName O +/d O +rasext.dll S-FILE +/f O +. O + +In O +order O +to O +establish O +remote O +tunneling O +, O +the O +actor O +delivered O +more O +tools O +, O +executing O +with O +command-line O +parameters O +. 
O + +Unfortunately O +, O +we O +have O +had O +no O +chance O +to O +obtain O +this O +file O +, O +but O +we O +speculate O +that O +Device.exe S-FILE +is O +responsible O +for O +opening O +port O +6378 O +, O +and O +the O +CenterUpdater.exe S-FILE +tool O +was O +used O +for O +creating O +tunneling O +to O +a O +remote O +host O +. O + +Note O +that O +the O +104.168.167.16 S-IP +server O +is O +used O +as O +a O +C2 S-TOOL +server O +. O + +The O +fake O +website O +hosting O +server O +for O +the O +UnionCryptoTrader S-TOOL +case O +will O +be O +described O +next O +. O + +We O +also O +found O +a O +Windows S-OS +version O +of O +the O +UnionCryptoTrader S-TOOL +( O +0f03ec3487578cef2398b5b732631fec S-MD5 +) O +. O + +It O +was O +executed O +from O +the O +Telegram S-TOOL +messenger O +download O +folder O +: O + +C:\Users\[user O +name]\Downloads\Telegram O +Desktop\UnionCryptoTraderSetup.exe S-FILE +. O + +We O +also O +found O +the O +actor O +’s O +Telegram S-TOOL +group O +on O +their O +fake O +website O +. O + +Based O +on O +these O +, O +we O +assess O +with O +high O +confidence O +that O +the O +actor O +delivered O +the O +manipulated O +installer O +using O +the O +Telegram S-TOOL +messenger O +. O + +Unfortunately O +, O +we O +can’t O +get O +all O +the O +related O +files O +as O +some O +payloads O +were O +only O +executed O +in O +memory O +. O + +However O +, O +we O +can O +reassemble O +the O +whole O +infection O +procedure O +based O +on O +our O +telemetry O +. O + +The O +overall O +infection O +procedure O +was O +very O +similar O +to O +the O +WFCWallet S-TOOL +case O +, O +but O +with O +an O +added O +injection O +procedure O +, O +and O +they O +only O +used O +the O +final O +backdoor O +payload O +instead O +of O +using O +a O +tunneling O +tool O +. 
O + +The O +UnionCryptoTrader S-TOOL +Windows S-OS +version O +has O +the O +following O +window S-OS +showing O +a O +price O +chart O +for O +several O +cryptocurrency O +exchanges O +. O + +The O +Windows S-OS +version O +of O +UnionCryptoTrader S-TOOL +updater O +( O +629b9de3e4b84b4a0aa605a3e9471b31 S-MD5 +) O +has O +similar O +functionality O +to O +the O +macOS S-OS +version O +. O + +According O +to O +the O +build O +path O +( O +Z:\Loader\x64\Release\WinloaderExe.pdb O +) O +, O +the O +malware O +author O +called O +this O +malware O +a O +loader O +. O + +Upon O +launch O +, O +the O +malware O +retrieves O +the O +victim O +’s O +basic O +system O +information O +, O +sending O +it O +in O +the O +following O +HTTP S-PROT +POST O +format O +, O +as O +is O +the O +case O +with O +the O +macOS S-OS +malware O +. O + +If O +the O +response O +code O +from O +the O +C2 S-TOOL +server O +is O +200 O +, O +the O +malware O +decrypts O +the O +payload O +and O +loads O +it O +in O +memory O +. O + +Finally O +, O +the O +malware O +sends O +the O +act=done O +value O +and O +return O +code O +. O + +The O +next O +stage O +payload O +( O +e1953fa319cc11c2f003ad0542bca822 S-MD5 +) O +, O +downloaded O +from O +this O +loader O +, O +is O +similar O +to O +the O +.NET S-TOOL +downloader O +in O +the O +WFCWallet S-TOOL +case O +. O + +This O +malware O +is O +responsible O +for O +decrypting O +the O +Adobe.icx S-FILE +file O +in O +the O +same O +folder O +. O + +It O +injects O +the O +next O +payload O +into O +the O +Internet O +Explorer O +process O +, O +and O +the O +tainted O +iexplore.exe S-FILE +process O +carries O +out O +the O +attacker O +’s O +commands O +. O + +The O +final O +payload O +( O +dd03c6eb62c9bf9adaf831f1d7adcbab S-MD5 +) O +is O +implanted O +manually O +as O +in O +the O +WFCWallet S-TOOL +case O +. O + +This O +final O +payload O +was O +designed O +to O +run O +only O +on O +certain O +systems O +. 
O + +It O +seems O +that O +the O +malware O +authors O +produced O +and O +delivered O +malware O +that O +only O +works O +on O +specific O +systems O +based O +on O +previously O +collected O +information O +. O + +The O +malware O +checks O +the O +infected O +system O +’s O +information O +and O +compares O +it O +to O +a O +given O +value O +. O + +It O +seems O +the O +actor O +wants O +to O +execute O +the O +final O +payload O +very O +carefully O +, O +and O +wants O +to O +evade O +detection O +by O +behavior-based O +detection O +solutions O +. O + +This O +Windows S-OS +malware O +loads O +the O +encrypted O +msctfp.dat S-FILE +file O +in O +a O +system O +folder O +, O +and O +loads O +each O +configuration O +value O +. O + +Then O +it O +executes O +an O +additional O +command O +based O +on O +the O +contents O +of O +this O +file O +. O + +When O +the O +malware O +communicates O +with O +the O +C2 S-TOOL +server O +, O +it O +uses O +a O +POST O +request O +with O +several O +predefined O +headers O +. O + +Finally O +, O +the O +malware O +downloads O +the O +next O +stage O +payload O +, O +decrypting O +it O +and O +possibly O +executing O +it O +with O +the O +Print O +parameter O +. O + +We O +speculate O +that O +the O +DLL S-TOOL +type O +payload O +will O +be O +downloaded O +and O +call O +its O +Print O +export O +function O +for O +further O +infection O +. O + +We O +can’t O +get O +hold O +of O +the O +final O +payload O +that O +’s O +executed O +in O +memory O +, O +but O +we O +believe O +its O +backdoor-type O +malware O +is O +ultimately O +used O +to O +control O +the O +infected O +victim O +. O + +We O +were O +able O +to O +identify O +several O +victims O +in O +this O +Operation O +AppleJeus S-ACT +sequel O +. O + +Victims O +were O +recorded O +in O +the O +UK S-LOC +, O +Poland S-LOC +, O +Russia S-LOC +and O +China S-LOC +. 
O + +Moreover O +, O +we O +were O +able O +to O +confirm O +that O +several O +of O +the O +victims O +are O +linked O +to O +cryptocurrency O +business O +entities O +. O + +The O +actor O +altered O +their O +macOS S-OS +and O +Windows S-OS +malware O +considerably O +, O +adding O +an O +authentication O +mechanism O +in O +the O +macOS S-OS +downloader O +and O +changing O +the O +macOS S-OS +development O +framework O +. O + +The O +binary O +infection O +procedure O +in O +the O +Windows S-OS +system O +differed O +from O +the O +previous O +case O +. O + +They O +also O +changed O +the O +final O +Windows S-OS +payload O +significantly O +from O +the O +well-known O +Fallchill S-MAL +malware O +used O +in O +the O +previous O +attack O +. O + +We O +believe O +the O +Lazarus S-APT +group O +’s O +continuous O +attacks O +for O +financial O +gain O +are O +unlikely O +to O +stop O +anytime O +soon O +. O + +Since O +the O +initial O +appearance O +of O +Operation O +AppleJeus S-ACT +, O +we O +can O +see O +that O +over O +time O +the O +authors O +have O +changed O +their O +modus O +operandi O +considerably O +. O + + +NEW O +CYBER B-ACT +ESPIONAGE E-ACT +CAMPAIGNS O +TARGETING O +PALESTINIANS O +Over O +the O +last O +several O +months O +, O +the O +Cybereason B-SECTEAM +Nocturnus E-SECTEAM +team O +has O +been O +tracking O +recent O +espionage O +campaigns O +targeting O +the O +Middle B-LOC +East E-LOC +. O + +These O +campaigns O +are O +specifically O +directed O +at O +entities O +and O +individuals O +in O +the O +Palestinian O +territories O +. O + +This O +investigation O +shows O +multiple O +similarities O +to O +previous O +attacks O +attributed O +to O +a O +group O +called O +MoleRATs S-APT +( O +aka O +The O +Gaza B-APT +Cybergang E-APT +) O +, O +an O +Arabic-speaking O +, O +politically O +motivated O +group O +that O +has O +operated O +in O +the O +Middle B-LOC +East E-LOC +since O +2012 S-TIME +. 
O + +In O +our O +analysis O +, O +we O +distinguish O +between O +two O +separate O +campaigns O +happening O +simultaneously O +. O + +These O +campaigns O +differ O +in O +tools O +, O +server O +infrastructure O +, O +and O +nuances O +in O +decoy O +content O +and O +intended O +targets O +. O + +The O +Spark S-MAL +Campaign O +: O +This O +campaign O +uses O +social O +engineering O +to O +infect O +victims O +, O +mainly O +from O +the O +Palestinian O +territories O +, O +with O +the O +Spark B-MAL +backdoor E-MAL +. O + +This O +backdoor O +first O +emerged O +in O +January B-TIME +2019 E-TIME +and O +has O +been O +continuously O +active O +since O +then O +. O + +The O +campaign O +’s O +lure O +content O +revolves O +around O +recent O +geopolitical O +events O +, O +espeically O +the O +Israeli-Palestinian O +conflict O +, O +the O +assassination O +of O +Qasem O +Soleimani O +, O +and O +the O +ongoing O +conflict O +between O +Hamas O +and O +Fatah O +Palestinian O +movements O +. O + +The O +Pierogi S-MAL +Campaign O +: O +This O +campaign O +uses O +social O +engineering O +attacks O +to O +infect O +victims O +with O +a O +new O +, O +undocumented O +backdoor O +dubbed O +Pierogi S-MAL +. O + +This O +backdoor O +first O +emerged O +in O +December B-TIME +2019 E-TIME +, O +and O +was O +discovered O +by O +Cybereason S-SECTEAM +. O + +In O +this O +campaign O +, O +the O +attackers O +use O +different O +TTPs O +and O +decoy O +documents O +reminiscent O +of O +previous O +campaigns O +by O +MoleRATs S-APT +involving O +the O +Micropsia S-MAL +and O +Kaperagent S-MAL +malware O +. O + +In O +part O +one O +of O +this O +research O +, O +we O +analyze O +the O +Spark S-MAL +campaign O +. O + +This O +campaign O +is O +named O +after O +a O +rare O +backdoor O +used O +by O +the O +MoleRATs S-APT +Group O +, O +dubbed O +Spark S-MAL +by O +Cybereason S-SECTEAM +and O +previously O +reported O +by O +360 S-SECTEAM +’s O +blog O +. 
O + +The O +creators O +of O +the O +Spark B-MAL +backdoor E-MAL +use O +several O +techniques O +to O +evade O +detection O +and O +stay O +under O +the O +radar O +. O + +They O +pack O +the O +malware O +with O +a O +powerful O +commercial O +tool O +called O +Enigma B-TOOL +Packer E-TOOL +and O +implement O +language O +checks O +to O +ensure O +the O +victims O +are O +Arabic O +speaking O +. O + +This O +minimizes O +the O +risk O +of O +detection O +and O +infection O +of O +unwanted O +victims O +. O + +Cyber B-ACT +Espionage E-ACT +in O +the O +Middle B-LOC +East E-LOC +: O +The O +Cybereason B-SECTEAM +Nocturnus E-SECTEAM +team O +has O +discovered O +several O +recent O +, O +targeted O +attacks O +in O +the O +Middle B-TOOL +East E-TOOL +. O + +These O +attacks O +deliver O +the O +Spark S-MAL +and O +Pierogi B-MAL +backdoors E-MAL +for O +politically-driven O +cyber B-ACT +espionage E-ACT +operations O +. O + +Targeting O +Palestinians O +: O +The O +campaigns O +seems O +to O +target O +Palestinian O +individuals O +and O +entities O +, O +likely O +related O +to O +the O +Palestinian O +government O +. O + +Politically-motivated O +APT O +: O +Cybereason S-SECTEAM +suspects O +that O +the O +objective O +of O +the O +threat O +actor O +is O +to O +obtain O +sensitive O +information O +from O +the O +victims O +and O +leverage O +it O +for O +political O +purposes O +. O + +Lured O +Into O +Deploying O +a O +Backdoor O +: O +The O +attackers O +use O +specially O +crafted O +lure O +content O +to O +trick O +targets O +into O +opening O +malicious O +files O +that O +infect O +the O +victim O +’s O +machine O +with O +a O +backdoor O +. 
O + +The O +lure O +content O +in O +the O +malicious O +files O +relates O +to O +political O +affairs O +in O +the O +Middle B-LOC +East E-LOC +, O +with O +specific O +references O +to O +the O +Israeli-Palestinian O +conflict O +, O +tension O +between O +Hamas S-IDTY +and O +Fatah S-IDTY +, O +and O +other O +political O +entities O +in O +the O +region O +. O + +Perpetrated O +by O +an O +Arabic-Speaking O +APT O +Group O +: O +The O +modus-operandi O +of O +the O +attackers O +in O +conjunction O +with O +the O +social O +engineering O +tactics O +and O +decoy O +content O +seem O +aligned O +with O +previous O +attacks O +carried O +out O +by O +the O +Arabic-speaking O +APT O +group O +MoleRATs S-APT +( O +aka O +Gaza B-APT +Cybergang E-APT +) O +. O + +This O +group O +has O +been O +operating O +in O +the O +Middle B-LOC +East E-LOC +since O +2012 S-TIME +. O + +These O +attacks O +show O +significant O +similarities O +to O +previously O +documented O +attacks O +attributed O +to O +the O +Arabic-speaking O +threat O +actor O +, O +commonly O +referred O +to O +as O +the O +MoleRATs S-APT +group O +( O +aka O +, O +The O +Gaza B-APT +Cybergang E-APT +, O +Moonlight S-APT +, O +DustySky S-APT +, O +Gaza B-APT +Hacker I-APT +Team E-APT +) O +. O + +This O +group O +, O +which O +has O +been O +attributed O +by O +various O +security O +teams O +, O +is O +believed O +to O +be O +comprised O +of O +three O +subgroups O +: O + +Gaza B-APT +Cybergang E-APT +Group O +1 O +, O +also O +dubbed O +MoleRATs S-APT +: O +MoleRATs S-APT +has O +been O +active O +since O +at O +least O +2012 S-TIME +. O + +This O +Arabic-speaking O +group O +uses O +spear B-ACT +phishing E-ACT +attacks O +to O +infect O +target O +machines O +in O +the O +Middle B-LOC +East E-LOC +and O +North B-LOC +Africa E-LOC +with O +various O +Remote B-TOOL +Access I-TOOL +Trojans E-TOOL +( O +RATs S-TOOL +) O +. 
O + +As O +MoleRATs S-APT +most O +prominently O +targets O +Palestinian O +territories O +, O +its O +spear B-ACT +phishing E-ACT +attacks O +often O +use O +attached O +malicious O +documents O +on O +topical O +Palestinian O +Authority-related O +issues O +to O +lure O +their O +victims O +. O + +The O +group O +uses O +a O +mix O +of O +tools O +and O +malware O +, O +some O +developed O +by O +the O +group O +and O +others O +that O +are O +more O +generic O +tools O +. O + +Gaza B-APT +Cybergang E-APT +Group O +2 O +, O +also O +dubbed O +Desert B-APT +Falcons E-APT +, O +APT-C-23 S-APT +, O +Arid B-APT +Viper E-APT +. O + +This O +second O +group O +is O +an O +Arabic-speaking O +group O +that O +mainly O +targets O +the O +Middle B-LOC +East E-LOC +and O +North B-LOC +Africa E-LOC +, O +with O +a O +few O +targets O +in O +European O +and O +Asian O +countries O +as O +well O +. O + +The O +group O +is O +known O +for O +their O +advanced O +attacks O +that O +leverage O +custom-built O +Windows S-OS +malware O +( O +Kasperagent S-MAL +, O +Micropsia S-MAL +) O +as O +well O +as O +Android S-OS +malware O +( O +Vamp S-MAL +, O +GnatSpy S-MAL +) O +. O + +Gaza B-APT +Cybergang E-APT +Group O +3: O +This O +group O +is O +believed O +to O +be O +behind O +Operation O +Parliament O +. O + +It O +is O +considered O +to O +be O +the O +most O +advanced O +group O +of O +the O +three O +, O +and O +is O +focused O +on O +high-profile O +targets O +in O +the O +Middle B-LOC +East E-LOC +, O +North B-LOC +America E-LOC +, O +Europe S-LOC +and O +Asia S-LOC +. O + +The O +group O +is O +reported O +to O +have O +previously O +attacked O +government O +institutions O +, O +parliaments O +, O +senates O +, O +diplomatic O +functions O +, O +and O +even O +Olympic O +and O +other O +sports O +bodies O +. 
O + +It O +is O +important O +to O +remember O +there O +are O +many O +threat O +actors O +operating O +in O +the O +Middle B-LOC +East E-LOC +, O +and O +often O +there O +are O +overlaps O +in O +TTPs O +, O +tools O +, O +motivation O +, O +and O +victimology O +. O + +There O +have O +been O +cases O +in O +the O +past O +where O +a O +threat O +actor O +attempted O +to O +mimic O +another O +to O +thwart O +attribution O +efforts O +, O +and O +as O +such O +, O +attribution O +should O +rarely O +be O +taken O +as O +is O +, O +but O +instead O +with O +a O +grain O +of O +salt O +and O +critical O +thinking O +. O + +In O +this O +attack O +, O +the O +targets O +are O +lured O +to O +open O +a O +document O +or O +a O +link O +attached O +to O +an O +email S-TOOL +. O + +There O +have O +been O +cases O +in O +the O +past O +where O +victims O +also O +downloaded O +malicious O +content O +from O +fake O +news O +websites O +. O + +The O +names O +of O +the O +files O +and O +their O +content O +play O +a O +major O +part O +in O +luring O +victims O +to O +open O +them O +, O +as O +they O +usually O +relate O +to O +current O +topics O +pertaining O +to O +Hamas S-IDTY +, O +the O +Palestinian O +National O +Authority O +, O +or O +other O +recent O +events O +in O +the O +Middle B-LOC +East E-LOC +. O + +The O +lure O +documents O +analyzed O +by O +Cybereason S-SECTEAM +in O +this O +attack O +concentrate O +on O +the O +following O +themes O +: O + +The O +Conflict O +between O +Hamas S-IDTY +and O +Fatah S-IDTY +: O +The O +historical O +rivalry O +between O +the O +Hamas S-IDTY +and O +Fatah S-IDTY +has O +resulted O +in O +many O +open O +battles O +between O +the O +two O +entities O +. O + +Since O +2006 S-TIME +, O +Hamas S-IDTY +has O +controlled O +the O +Gaza S-APT +strip O +and O +Fatah S-IDTY +has O +controlled O +the O +West O +Bank O +. 
O + +Matters O +pertaining O +to O +the O +Israeli-Palestinian O +Conflict O +: O +Some O +of O +the O +documents O +in O +this O +campaign O +reference O +different O +aspects O +of O +the O +Israeli-Palestinian O +conflict O +, O +and O +the O +efforts O +for O +ceasefire O +and O +peace O +processes O +between O +the O +Israelis O +and O +the O +Palestinians O +, O +including O +the O +latest O +peace O +plan O +made O +by O +President O +Donald O +Trump O +and O +Senior O +Advisor O +to O +the O +President O +of O +the O +United B-LOC +States E-LOC +Jared O +Kushner O +. O + +Vigilance O +Following O +Soleimani O +’s O +Assassination O +: O +One O +of O +the O +lure O +documents O +mentions O +sources O +in O +Lebanon S-LOC +that O +report O +a O +state O +of O +alert O +and O +vigilance O +amongst O +Iranian O +, O +Syrian O +, O +and O +Lebasense O +militias O +following O +Soleimani O +’s O +assassination O +. O + +Tensions O +Between O +Hamas S-IDTY +and O +the O +Egyptian O +Government O +: O +Egypt S-LOC +plays O +a O +major O +role O +as O +a O +mediator O +in O +the O +Israeli-Palestinian O +confict O +and O +has O +brokered O +several O +ceasefire O +deals O +and O +other O +negotiations O +in O +the O +past O +. O + +Changes O +to O +Egypt S-LOC +’s O +internal O +political O +climate O +are O +known O +to O +have O +affected O +Egyptian O +government O +relations O +with O +Hamas S-IDTY +over O +the O +years O +. O + +It O +was O +recently O +reported O +that O +Ismail O +Haniyeh O +, O +the O +head O +of O +Hamas S-IDTY +’ O +political O +Bureau O +, O +had O +a O +falling-out O +with O +the O +Egyptian O +government O +over O +his O +visit O +to O +Tehran S-LOC +to O +participate O +in O +General O +Qasem O +Soleimani O +’s O +funeral O +, O +following O +Soleimani O +’s O +assassination O +. 
O + +In O +the O +Spark S-MAL +campaign O +, O +the O +lure O +documents O +and O +links O +point O +to O +one O +of O +two O +file O +sharing O +websites O +, O +Egnyte S-TOOL +or O +Dropbox S-TOOL +. O + +The O +target O +is O +encouraged O +to O +download O +an O +archive O +file O +in O +a O +rar S-TOOL +or O +zip S-TOOL +format O +that O +contains O +an O +executable O +file O +masquerading O +as O +a O +Microsoft S-IDTY +Word S-TOOL +document O +. O + +One O +example O +of O +a O +lure O +document O +used O +in O +the O +Spark S-MAL +campaign O +is O +a O +PDF S-TOOL +file O +that O +is O +used O +to O +deliver O +the O +Spark B-MAL +backdoor E-MAL +to O +the O +victim O +. O + +The O +document O +includes O +a O +special O +report O +allegedly O +quoted O +from O +the O +Egyptian O +newspaper O +Al-Ahram S-IDTY +. O + +This O +document O +reports O +that O +Ismail O +Hanieyh O +, O +the O +political O +leader O +of O +Hamas S-LOC +, O +had O +notified O +the O +Egyptian O +government O +that O +he O +will O +remain O +abroad O +after O +his O +visit O +to O +Tehran S-LOC +to O +take O +part O +in O +Soleimani O +’s O +funeral O +, O +which O +sparked O +tension O +with O +the O +Egyptian O +authorities O +. O + +Haniyeh_will_remain_abroad_and_Hamas_rises_in_Gaza.pdf S-FILE +: O +5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e S-SHA2 +. O + +The O +target O +is O +encouraged O +to O +click O +on O +the O +link O +to O +read O +the O +entire O +article O +. O + +However O +, O +the O +document O +does O +not O +link O +to O +the O +Egyptian O +Newspaper O +website O +, O +but O +instead O +to O +a O +file O +sharing O +website O +called O +Egnyte S-TOOL +. O + +It O +prompts O +the O +user O +to O +download O +a O +file O +that O +supposedly O +contains O +the O +full O +article O +. O + +Link O +embedded O +in O +the O +PDF S-TOOL +document O +: O +https://csaasd.egnyte.com/dd/h5s7YHzOy5 S-URL +. 
O + +The O +downloaded O +file O +is O +an O +archive O +file O +( O +.r23 S-FILE +) O +, O +that O +contains O +a O +Windows S-OS +executable O +file O +with O +the O +same O +name O +as O +the O +PDF S-TOOL +and O +with O +a O +fake O +Microsoft S-IDTY +Word S-TOOL +icon O +. O + +Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.r23 S-FILE +: O + +e8d73a94d8ff18c7791bf4547bc4ee2d3f62082c594d3c3cf7d640f7bbd15614 S-SHA2 +. O + +Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.exe S-FILE +: O + +7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128 S-SHA2 +. O + +When O +the O +victim O +double O +clicks O +on O +the O +executable O +file O +, O +it O +unpacks O +and O +installs O +the O +Spark B-MAL +backdoor E-MAL +, O +as O +shown O +in O +the O +attack O +tree O +screenshot O +below O +. O + +The O +extracted O +executable O +file O +contains O +a O +compiled O +Autoit S-TOOL +script O +, O +which O +can O +be O +seen O +in O +the O +RT_RCDATA O +section O +of O +the O +file O +. O + +The O +decompiled O +code O +shows O +the O +decryption O +routine O +that O +unpacks O +the O +embedded O +Spark B-MAL +backdoor E-MAL +. O + +Once O +the O +file O +is O +unpacked O +, O +the O +backdoor O +is O +dropped O +in O +two O +different O +locations O +on O +the O +infected O +operating O +system O +: O + +C:\Users\user\AppData\Roaming\Microsoft\Windows\Start B-FILE +Menu\Programs\Startup\runawy.exe E-FILE +. O + +C:\Users\user\runawy.exe S-FILE +. O + +In O +addition O +, O +the O +Autoit O +code O +also O +creates O +the O +following O +scheduled O +task O +for O +persistence O +: O + +SCHTASKS O +/Create O +/f O +/SC O +minute O +/TN O +runawy O +/mo O +5 O +/tr O +C:\Users\\runawy.exe S-FILE +. O + +Urgent_Information_Report.exe S-FILE +: O + +6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47 S-SHA2 +. 
O + +The O +executable O +has O +a O +Microsoft S-IDTY +Word S-TOOL +icon O +to O +trick O +victims O +into O +believing O +they O +are O +opening O +a O +Word S-TOOL +document O +. O + +Once O +the O +user O +double-clicks O +on O +the O +executable O +file O +, O +the O +dropper O +drops O +a O +Word S-TOOL +document O +in O +%AppData% O +and O +displays O +the O +following O +decoy O +document O +to O +the O +victim O +, O +while O +the O +dropper O +runs O +in O +the O +background O +and O +installs O +the O +backdoor O +. O +%appdata%\info.docx S-FILE +: O + +2c50eedc260c82dc176447aa4116ad37112864f4e1e3e95c4817499d9f18a90d S-SHA2 +. O + +The O +dropper O +drops O +the O +Spark B-MAL +backdoor E-MAL +binary O +and O +a O +shortcut O +file O +used O +to O +initiate O +persistence O +in O +the O +following O +locations O +. O + +C:\Users\user\AppData\Roaming\Microsoft\Windows\Start B-FILE +Menu\Programs\Startup\Blaster.lnk E-FILE +: O + +4254dc8c368cbc36c8a11035dcd0f4b05d587807fa9194d58f0ba411bfd65842 S-SHA2 +. O + +C:\Users\user\AppData\Roaming\Blaster.exe S-FILE +: O + +cf32479ed30ae959c4ec8a286bb039425d174062b26054c80572b4625646c551 S-SHA2 +. O + +The O +Spark S-MAL +payload O +is O +a O +custom O +backdoor O +likely O +developed O +by O +the O +MoleRATs S-APT +group O +. O + +In O +addition O +to O +known O +generic O +malware O +( O +such O +as O +: O +njRAT S-MAL +, O +Poison B-MAL +Ivy E-MAL +, O +XtremeRAT S-MAL +) O +, O +the O +MoleRATs S-APT +group O +has O +been O +known O +to O +develop O +its O +own O +custom O +tools O +such O +as O +DustySky S-MAL +, O +the O +MoleRAT S-MAL +Loader O +and O +Scote S-MAL +. O + +We O +believe O +this O +backdoor O +is O +relatively O +new O +and O +seems O +to O +have O +appeared O +starting O +in O +the O +beginning O +of O +2019 S-TIME +. 
O + +The O +name O +Spark S-MAL +is O +derived O +from O +the O +PDB S-TOOL +path O +left O +in O +a O +few O +of O +the O +backdoor O +binaries O +: O + +W:\Visual B-FILE +Studio I-FILE +2017\Spark4.2\Release\Spark4.2.pdb E-FILE +. O + +The O +Spark B-MAL +backdoor E-MAL +allows O +the O +attackers O +to O +: O + +Collect O +information O +about O +the O +infected O +machine O +. O + +Encrypt O +the O +collected O +data O +and O +send O +it O +to O +the O +attackers O +over O +the O +HTTP S-PROT +protocol O +. O + +Download O +additional O +payloads O +. O + +Log O +keystrokes O +. O + +Record O +audio O +using O +the O +computer O +’s O +microphone O +. O + +Execute O +commands O +on O +the O +infected O +machine O +. O + +The O +creators O +of O +the O +Spark B-MAL +backdoor E-MAL +use O +a O +few O +techniques O +that O +are O +intended O +to O +keep O +the O +backdoor O +under-the-radar O +, O +including O +: O + +Packing O +the O +payloads O +with O +the O +Enigma S-TOOL +packer O +. O + +Checking O +for O +antivirus O +and O +other O +security O +products O +using O +WMI S-TOOL +. O + +Validating O +Arabic O +keyboard O +and O +language O +settings O +on O +the O +infected O +machine O +. O + +All O +the O +the O +payloads O +observed O +by O +Cybereason S-SECTEAM +in O +this O +campaign O +were O +packed O +by O +a O +powerful O +yet O +commercial O +packer O +called O +Enigma S-TOOL +Packer O +. O + +The O +MoleRATs S-APT +group O +have O +been O +known O +to O +use O +this O +packer O +in O +previous O +attacks O +. O + +Enigma S-TOOL +packer O +artifacts O +in O +file O +metadata O +( O +SHA-256: O +b08b8fddb9dd940a8ab91c9cb29db9bb611a5c533c9489fb99e36c43b4df1eca S-SHA2 +) O +. O + +One O +common O +evasive O +mechanism O +used O +by O +the O +Spark B-MAL +backdoor E-MAL +is O +its O +ability O +to O +check O +for O +installed O +security O +products O +using O +WMI S-TOOL +queries O +( O +WQL O +) O +. 
O + +If O +certain O +security O +products O +are O +installed O +, O +the O +backdoor O +does O +not O +carry O +out O +its O +malicious O +activity O +. O + +Another O +evasive O +mechanism O +used O +by O +the O +backdoor O +is O +how O +it O +checks O +whether O +an O +Arabic O +keyboard O +and O +Arabic O +language O +settings O +are O +used O +on O +the O +infected O +machine O +. O + +If O +Arabic O +keyboard O +and O +language O +settings O +are O +not O +found O +on O +the O +machine O +, O +the O +backdoor O +will O +not O +carry O +out O +its O +malicious O +activity O +. O + +This O +check O +serves O +two O +purposes O +: O + +It O +minimizes O +the O +risk O +of O +overexposure O +by O +specifically O +targeting O +Arabic O +speakers O +. O + +It O +can O +thwart O +detection O +by O +automated O +analysis O +engines O +and O +sandbox O +solutions O +. O + +After O +unpacking O +itself O +, O +the O +Spark B-MAL +backdoor E-MAL +creates O +a O +hidden O +window S-OS +where O +most O +of O +the O +malicious O +activity O +is O +handled O +. O + +This O +behavior O +can O +be O +detected O +using O +a O +tool O +called O +WinLister S-TOOL +, O +which O +enumerates O +hidden O +windows S-OS +. O + +The O +name O +of O +the O +window O +is O +Spark4.2 S-MAL +. O + +The O +Spark B-MAL +backdoor E-MAL +communicates O +with O +the O +C2 S-TOOL +servers O +over O +the O +HTTP S-PROT +protocol O +. O + +The O +data O +is O +first O +encrypted O +and O +then O +encoded O +with O +Base64 S-ENCR +. O + +In O +this O +instance O +, O +the O +backdoor O +posts O +the O +data O +to O +the O +domain O +Nysura.com S-DOM +( O +For O +more O +domains O +, O +please O +see O +the O +IOC O +section O +of O +this O +research O +) O +. 
O + +It O +is O +interesting O +to O +see O +that O +the O +HTTP S-PROT +POST O +host O +header O +refers O +to O +a O +legitimate O +domain O +cnet.com S-DOM +, O +however O +, O +in O +acutality O +, O +the O +data O +is O +sent O +to O +nysura.com S-DOM +, O +as O +can O +be O +seen O +in O +the O +traffic O +screenshot O +below O +. O + +The O +data O +sent O +to O +the O +C2 S-TOOL +follows O +a O +structured O +pattern O +that O +uses O +a O +predefined O +keywords O +array O +, O +where O +each O +keyword O +is O +mapped O +to O +a O +certain O +subroutine O +. O + +The O +keywords O +are O +comprised O +of O +the O +names O +of O +individuals O +. O + +They O +are O +mostly O +Western O +names O +, O +but O +there O +were O +some O +Arabic O +names O +in O +a O +few O +of O +the O +samples O +. O + +Prior O +to O +sending O +the O +data O +to O +the O +server O +, O +the O +data O +is O +encrypted O +and O +staged O +in O +an O +array O +like O +this O +: O + +[27089,28618,9833,4170,25722,19977,2369,21426,3435,7442,30146,21719,16140,16280,16688,22550,19867,194,3298] O +. O + +The O +data O +is O +then O +encoded O +with O +Base64 S-ENCR +: O + +" O +WzI3MDg5LDI4NjE4LDk4MzMsNDE3MCwyNTcyMiwxOTk3NywyMzY5LDIxNDI2LDM0MzUsNzQ0MiwzMDE0NiwyMTcxOSwxNjE0MCwxNjI4MCwxNjY4OCwyMjU1MCwxOTg2NywxOTQsMzI5OF0= O +" O +. O + +The O +Base64-encoded S-ENCR +data O +is O +inserted O +into O +the O +following O +json O +object O +, O +which O +contains O +the O +individual O +names O +. 
O + +Lastly O +, O +the O +entire O +json O +object O +is O +encoded O +with O +Base64 S-ENCR +and O +undergoes O +another O +stage O +of O +encryption O +, O +and O +then O +sent O +to O +the O +server O +: O + +" O +ZjRTc1dTTU9nVW5FaXM3bGgvbU90MTlVMHFkb1c5SFFuRXhhSVR5YytIQkZremk3bk5wY21BUEZRYitJenA1cnlJY1lxREJJZ1RrL0N4UzZWcVVQM0pTUWFISlhKWG8wN1BxWE1hYThHSUdEVnBFakYrNlp1bXBvdUZMRFNYQVhxYk9tSElWYTFOTlpJK0hFVVBmTG9CQUV3VCtqQ2FCVUE1aHQ2SzllSHREMUpOdkdBUXZ3TWgyLzhtVHpha2I0TE81ZlpURTQyUmVjdFY1M0ZpemlRR1FLL1gzNE9mcU0zR0JqQ1ZnN1hCSmFGaC94RHBDMkNBRmZaSTVoVlhsaTBtQW5SR3N5QzVRY2lMNkpZVFJuRTQrUzBjdjU4SjY4ejRCL2FNbW9IakRheHdQd1RPUElkOHNDbDRVbmp2ZDM0ZVZlZTB1QVA0UHo0YllyVHRMZVRnPT0= O +" O +. O + +Using O +names O +as O +keywords O +is O +an O +identical O +technique O +to O +that O +of O +the O +data O +structure O +logic O +previously O +documented O +by O +360 S-SECTEAM +’s O +blog O +post O +. O + +This O +post O +discusses O +an O +earlier O +variant O +of O +the O +backdoor O +attributed O +to O +the O +MoleRATs S-APT +group O +. O + +Using O +other O +individuals O +names O +for O +C2 S-TOOL +communication O +has O +also O +been O +done O +by O +the O +two O +other O +Gaza O +Cybergang O +groups O +: O + +Gaza B-APT +Cybergang E-APT +Group O +2 O +with O +the O +Micropsia B-MAL +backdoor E-MAL +: O + +In O +this O +instance O +, O +the O +C2 S-TOOL +communication O +implemented O +by O +the O +Micropsia B-MAL +backdoor E-MAL +also O +used O +specific O +names O +for O +different O +C2 S-TOOL +commands O +. O + +Gaza B-APT +Cybergang E-APT +Group O +3 O +in O +Operation O +Parliament O +: O +In O +this O +instance O +, O +the O +malware O +also O +used O +people O +’s O +names O +for O +C2 S-TOOL +communication O +to O +send O +and O +receive O +commands O +from O +the O +server O +. 
O + +Based O +on O +the O +similarity O +of O +the O +naming O +convention O +and O +data O +format O +, O +we O +believe O +the O +Spark B-MAL +backdoor E-MAL +could O +be O +an O +evolution O +of O +the O +backdoor O +mentioned O +in O +Operation O +Parliament O +, O +or O +at O +least O +inspired O +by O +the O +malware O +. O + +The O +Spark S-MAL +campaign O +detailed O +in O +this O +blog O +demonstrates O +how O +the O +tense O +geopolitical O +climate O +in O +the O +Middle B-LOC +East E-LOC +is O +used O +by O +threat O +actors O +to O +lure O +victims O +and O +infect O +them O +with O +the O +Spark B-MAL +backdoor E-MAL +for O +cyber O +espionage O +purposes O +. O + +The O +names O +of O +the O +files O +and O +decoy O +content O +seem O +to O +be O +carefully O +crafted O +, O +often O +referencing O +controversial O +and O +topical O +political O +issues O +. O + +Cybereason S-SECTEAM +estimates O +that O +the O +files O +are O +specifically O +meant O +to O +lure O +and O +appeal O +to O +victims O +from O +the O +Middle B-MAL +East E-MAL +, O +especially O +towards O +individuals O +and O +entities O +in O +the O +Palestinian O +territories O +likely O +related O +to O +the O +Palestinian O +government O +or O +the O +Fatah S-LOC +movement O +. O + +The O +techniques O +, O +tools O +, O +and O +procedures O +used O +in O +this O +campaign O +bear O +great O +resemblance O +to O +previous O +attacks O +attributed O +to O +the O +MoleRATs S-APT +Group O +( O +aka O +Gaza B-APT +Cybergang E-APT +Group O +) O +, O +an O +Arabic-speaking O +, O +politically O +motivated O +group O +that O +has O +operated O +in O +the O +Middle B-LOC +East E-LOC +since O +2012 S-TIME +. O + +Our O +research O +demonstrates O +the O +efforts O +used O +by O +attackers O +to O +reduce O +the O +risk O +of O +detection O +of O +the O +Spark B-MAL +backdoor E-MAL +by O +various O +security O +products O +. 
O + +The O +backdoor O +checks O +for O +the O +existence O +of O +antivirus O +and O +firewall O +products O +before O +it O +initiates O +its O +malicious O +activity O +. O + +Importantly O +, O +the O +backdoor O +simply O +will O +not O +reveal O +its O +malicious O +nature O +unless O +Arabic O +language O +keyboard O +and O +settings O +are O +found O +on O +the O +infected O +machine O +. O + +This O +shows O +how O +the O +attackers O +use O +this O +backdoor O +in O +a O +surgical O +way O +to O +exclusively O +attack O +specific O +targets O +. O + +In O +addition O +, O +analysis O +of O +these O +backdoor O +delivery O +methods O +also O +highlights O +a O +trend O +by O +many O +threat O +actors O +where O +they O +use O +legitimate O +storage O +platforms O +to O +deliver O +the O +initial O +stages O +of O +the O +attack O +. O + + +Reviving O +MuddyC3 S-TOOL +Used O +by O +MuddyWater S-APT +( O +IRAN S-APT +) O +APT O +. O + +MuddyWater S-APT +is O +a O +well-known O +threat O +actor O +group O +founded O +by O +Iran S-LOC +. O +“ O +that O +has O +been O +active O +since O +2017 S-TIME +. O + +They O +target O +groups O +across O +Middle B-LOC +East E-LOC +and O +Central O +Asia S-LOC +, O +primarily O +using O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +malicious O +attachments O +. O + +Most O +recently O +they O +were O +connected O +to O +a O +campaign O +in O +March S-TIME +that O +targeted O +” O +organizations O +in O +Turkey S-LOC +, O +Pakistan S-LOC +, O +and O +Tajikistan S-LOC +. O + +MuddyWater S-APT +attacks O +are O +characterized O +by O +the O +use O +of O +a O +slowly O +evolving O +PowerShell-based S-TOOL +first O +stage O +backdoor O +we O +call O +“ O +POWERSTATS S-MAL +” O +. O + +Despite O +broad O +scrutiny O +and O +reports O +on O +MuddyWater S-APT +attacks O +, O +the O +activity O +continues O +with O +only O +incremental O +changes O +to O +the O +tools O +and O +techniques O +. 
O + +In O +June B-TIME +26 I-TIME +2019 E-TIME +a O +group O +called O +“ O +Green B-APT +Leakers E-APT +” O +on O +telegram O +published O +screenshots O +of O +the O +C2 S-TOOL +admin O +panel O +as O +you O +can O +see O +below O +along O +with O +screenshot O +of O +the O +muddyc3 S-TOOL +c2 S-TOOL +source O +code O +. O +they O +announced O +that O +they O +are O +selling O +all O +the O +leaked O +tools O +for O +0.5BTC O +. O + +At O +that O +time O +i O +got O +the O +source O +code O +from O +github S-TOOL +, O +so O +i O +tried O +the O +code O +to O +find O +that O +the O +core O +of O +the O +c2 S-TOOL +which O +is O +powershell S-TOOL +payload O +is O +messing O +( O +the O +leaker O +didn’t O +include O +the O +payload O +in O +order O +to O +by O +all O +the O +tools O +) O +. O +so O +i O +didn’t O +have O +time O +to O +reverse O +engineer O +the O +source O +code O +and O +i O +left O +it O +. O +last O +week O +i O +got O +3 O +days O +off O +from O +my O +work O +( O +working O +in O +SOC S-TOOL +will O +keep O +you O +for O +ever O +busy O +) O +so O +i O +started O +analyzing O +the O +code O +which O +will O +be O +discussed O +below O +and O +i O +was O +able O +to O +understand O +how O +it O +works O +in O +order O +to O +create O +the O +messing O +powershell S-TOOL +payload O +and O +make O +the O +c2 S-TOOL +come O +to O +life O +. O + +I O +didn’t O +just O +revive O +the O +C2 S-TOOL +but O +also O +added O +more O +advanced O +functionality O +which O +will O +be O +released O +as O +separate O +tool O +soon O +. O + +Lets O +start O +by O +giving O +a O +summary O +about O +the O +muddyc3 S-TOOL +tool O +: O + +Coded O +with O +python2.7 S-TOOL +. O +works O +as O +C2 S-TOOL +server O +that O +serve O +a O +powershell S-TOOL +agent O +script O +when O +requested O +. 
O +i O +didn’t O +find O +any O +function O +to O +encrypt O +the O +traffic O +between O +the O +the O +agent O +and O +the O +C2 S-TOOL +but O +there O +are O +variables O +with O +name O +private_key O +, O +public_key O +so O +i O +suspect O +the O +functions O +removed O +. O +its O +make O +use O +of O +HTA S-TOOL +and O +bas64 S-ENCR +encoded O +powershell S-TOOL +code O +to O +bypass O +the O +AV S-TOOL +( O +right O +now O +AV S-TOOL +can O +catch O +HTA S-TOOL +) O +. O + +It O +use O +threading O +so O +many O +agent O +can O +connect O +and O +controlled O +at O +the O +same O +time O +. O +the O +agent O +must O +collect O +information O +about O +the O +system O +when O +it O +first O +start O +then O +report O +it O +to O +the O +C2 S-TOOL +. O +there O +is O +template O +for O +agent O +which O +will O +be O +filled O +with O +ip O +and O +port O +when O +the O +C2 S-TOOL +run O +. O +include O +functions O +but O +not O +all O +implemented O +in O +the O +initial O +POC S-TOOL +: O + +upload O +, O +download O +, O +load O +modules O +, O +get O +screenshot O +. O + +The O +initial O +powershell S-TOOL +agent O +POC S-TOOL +i O +created O +can O +bypass O +the O +AV S-TOOL +including O +Kaspersky S-TOOL +, O +Trendmicro S-TOOL +. O + +Now O +we O +dig O +deep O +in O +the O +C2 S-TOOL +to O +explain O +how O +it O +work O +and O +how O +i O +created O +the O +agent O +based O +on O +the O +function O +available O +in O +the O +C2 S-TOOL +. O + +C2 S-TOOL +interface O + +: O + +simple O +CLI S-TOOL +interface O +that O +ask O +when O +started O +for O +IP O +,Port O +and O +proxy O +configuration O +to O +generate O +the O +initial O +payloads O +. O + + +The O +Nitro S-APT +Attacks O +. 
O + +This O +document O +discusses O +a O +recent O +targeted O +attack O +campaign O +directed O +primarily O +at O +private O +companies O +involved O +in O +the O +research O +, O +development O +, O +and O +manufacture O +of O +chemicals O +and O +advanced O +materials O +. O + +The O +goal O +of O +the O +attackers O +appears O +to O +be O +to O +collect O +intellectual O +property O +such O +as O +design O +documents O +, O +formulas O +, O +and O +manufacturing O +processes O +. O + +In O +addition O +, O +the O +same O +attackers O +appear O +to O +have O +a O +lengthy O +operation O +history O +including O +attacks O +on O +other O +industries O +and O +organizations O +. O + +Attacks O +on O +the O +chemical O +industry O +are O +merely O +their O +latest O +attack O +wave O +. O + +As O +part O +of O +our O +investigations O +, O +we O +were O +also O +able O +to O +identify O +and O +contact O +one O +of O +the O +attackers O +to O +try O +and O +gain O +insights O +into O +the O +motivations O +behind O +these O +attacks O +. O + +As O +the O +pattern O +of O +chemical O +industry O +targets O +emerged O +, O +we O +internally O +code-named O +the O +attack O +campaign O +Nitro S-APT +. O + +The O +attack O +wave O +started O +in O +late B-TIME +July I-TIME +2011 E-TIME +and O +continued O +into O +midSeptember B-TIME +2011 E-TIME +. O + +However O +, O +artifacts O +of O +the O +attack O +wave O +such O +as O +Command B-TOOL +and I-TOOL +Control E-TOOL +( O +C&C S-TOOL +) O +servers O +are O +also O +used O +as O +early O +as O +April B-TIME +2011 E-TIME +and O +against O +targets O +outside O +the O +chemical O +industry O +. O + +The O +purpose O +of O +the O +attacks O +appears O +to O +be O +industrial O +espionage S-ACT +, O +collecting O +intellectual O +property O +for O +competitive O +advantage O +. 
O + +The O +attackers O +first O +researched O +desired O +targets O +and O +then O +sent O +an O +email S-TOOL +specifically O +to O +the O +target O +. O + +Each O +organization O +typically O +only O +saw O +a O +handful O +of O +employees O +at O +the O +receiving O +end O +of O +these O +emails S-TOOL +. O + +However O +, O +in O +one O +organization O +almost O +500 O +recipients O +received O +a O +mail O +, O +while O +in O +two O +other O +organizations O +, O +more O +than O +100 O +were O +selected O +. O + +While O +the O +attackers O +used O +different O +pretexts O +when O +sending O +these O +malicious O +emails S-TOOL +, O +two O +methodologies O +stood O +out O +. O + +First O +, O +when O +a O +specific O +recipient O +was O +targeted O +, O +the O +mails O +often O +purported O +to O +be O +meeting O +invitations O +from O +established O +business O +partners O +. O + +Secondly O +, O +when O +the O +emails S-TOOL +were O +being O +sent O +to O +a O +broad O +set O +of O +recipients O +, O +the O +mails O +purported O +to O +be O +a O +necessary O +security O +update O +. O + +The O +emails S-TOOL +then O +contained O +an O +attachment O +that O +was O +either O +an O +executable O +that O +appeared O +to O +be O +a O +text O +file O +based O +on O +the O +file O +name O +and O +icon O +, O +or O +a O +password-protected O +archive O +containing O +an O +executable O +file O +with O +the O +password O +provided O +in O +the O +email S-TOOL +. O + +In O +both O +cases O +, O +the O +executable O +file O +was O +a O +self-extracting O +executable O +containing O +PoisonIvy S-MAL +, O +a O +common O +backdoor O +Trojan S-MAL +developed O +by O +a O +Chinese O +speaker O +. O + +When O +the O +recipient O +attempted O +to O +open O +the O +attachment O +, O +they O +would O +inadvertently O +execute O +the O +file O +, O +causing O +PoisonIvy S-MAL +to O +be O +installed O +. 
O + +Once O +PoisonIvy S-MAL +was O +installed O +, O +it O +contacted O +a O +C&C S-TOOL +server O +on O +TCP S-PROT +port O +80 O +using O +an O +encrypted O +communication O +protocol O +. O + +Using O +the O +C&C S-TOOL +server O +, O +the O +attackers O +then O +instructed O +the O +compromised O +computer O +to O +provide O +the O +infected O +computer O +’s O +IP O +address O +, O +the O +names O +of O +all O +other O +computers O +in O +the O +workgroup O +or O +domain O +, O +and O +dumps O +of O +Windows S-OS +cached O +password O +hashes O +. O + +By O +using O +access O +to O +additional O +computers O +through O +the O +currently O +logged O +on O +user O +or O +cracked O +passwords O +through O +dumped O +hashes O +, O +the O +attackers O +then O +began O +traversing O +the O +network O +infecting O +additional O +computers O +. O + +Typically O +, O +their O +primary O +goal O +is O +to O +obtain O +domain O +administrator O +credentials O +and/or O +gain O +access O +to O +a O +system O +storing O +intellectual O +property O +. O + +Domain O +administrator O +credentials O +make O +it O +easier O +for O +the O +attacker O +to O +find O +servers O +hosting O +the O +desired O +intellectual O +property O +and O +gain O +access O +to O +the O +sensitive O +materials O +. O + +The O +attackers O +may O +have O +also O +downloaded O +and O +installed O +additional O +tools O +to O +penetrate O +the O +network O +further O +. O + +While O +the O +behavior O +of O +the O +attackers O +differs O +slightly O +in O +each O +compromise O +, O +generally O +once O +the O +attackers O +have O +identified O +the O +desired O +intellectual O +property O +, O +they O +copy O +the O +content O +to O +archives O +on O +internal O +systems O +they O +use O +as O +internal O +staging O +servers O +. O + +This O +content O +is O +then O +uploaded O +to O +a O +remote O +site O +outside O +of O +the O +compromised O +organization O +completing O +the O +attack O +. 
O + +The O +majority O +of O +infected O +machines O +are O +located O +in O +the O +US S-LOC +, O +Bangladesh S-LOC +and O +the O +UK S-LOC +; O + +however O +, O +overall O +there O +is O +wide O +geographical O +spread O +of O +infections O +. O + +As O +mentioned O +above O +, O +the O +threat O +used O +to O +compromise O +the O +targeted O +networks O +is O +Poison B-MAL +Ivy E-MAL +, O +a O +Remote O +Access O +Tool O +( O +RAT O +) O +. O + +This O +application O +is O +freely O +available O +from O +poisonivy-rat.com S-DOM +. O + +It O +comes O +fully O +loaded O +with O +a O +number O +of O +plug-ins O +to O +give O +an O +attacker O +complete O +control O +of O +the O +compromised O +computer O +. O + +The O +method O +of O +delivery O +has O +changed O +over O +time O +as O +the O +attackers O +have O +changed O +targets O +. O + +Older O +attacks O +involved O +a O +self-extracting O +archive O +with O +a O +suggestive O +name O +, O +for O +example O +: O +“ O +Human O +right O +report O +of O +north O +Africa O +under O +the O +war O +. O +scr O +” O +. O + +The O +most O +recent O +attacks O +focusing O +on O +the O +chemical O +industry O +are O +using O +password-protected O +7zip S-TOOL +files O +which O +, O +when O +extracted O +, O +contain O +a O +self-extracting O +executable O +. O + +The O +password O +to O +extract O +the O +7zip S-TOOL +file O +is O +included O +in O +the O +email S-TOOL +. O + +This O +extra O +stage O +is O +used O +to O +prevent O +automated O +systems O +from O +extracting O +the O +self-extracting O +archive O +. O + +Some O +example O +file O +names O +using O +this O +technique O +include O +: O +AntiVirus_update_package.7z S-FILE +, O +acquisition.7z S-FILE +, O +offer.7z S-FILE +, O +update_flashplayer10ax.7z S-FILE +. O + +When O +the O +self-extracting O +archive O +file O +is O +executed O +, O +it O +will O +drop O +two O +files O +. 
O + +Examples O +of O +file O +names O +that O +are O +used O +include O +: O +%Temp%\happiness.txt S-FILE +, O +%Temp%\xxxx.exe S-FILE +. O + +The O +executable O +file O +, O +xxxx.exe S-FILE +in O +this O +case O +, O +is O +then O +executed O +. O + +The O +second O +file O +, O +happiness.txt S-FILE +, O +contains O +custom O +code O +in O +binary O +format O +that O +is O +encrypted O +and O +used O +by O +xxxx.exe S-FILE +. O + +The O +xxxx.exe S-FILE +file O +copies O +happiness.txt S-FILE +to O +C:\PROGRAM B-FILE +FILES\common I-FILE +files\ODBC\ODUBC.DLL E-FILE +and O +to O +C:\WINDOWS\system32\jql.sys S-FILE +. O + +It O +then O +loads O +the O +contents O +of O +the O +encrypted O +file O +and O +injects O +it O +into O +the O +explorer.exe S-FILE +and O +iexplore.exe S-FILE +processes O +. O + +The O +injected O +code O +copies O +xxxx.exe S-FILE +to O +%System%\winsys.exe S-FILE +and O +connects O +to O +the O +Command B-TOOL +and I-TOOL +Control E-TOOL +( O +C&C S-TOOL +) O +server O +on O +TCP S-PROT +port O +80 O +. O + +The O +communication O +with O +the O +server O +is O +a O +handshake O +using O +an O +encryption O +algorithm O +( O +Camellia S-ENCR +) O +. O + +Once O +the O +Trojan S-MAL +establishes O +the O +server O +’s O +authenticity O +, O +it O +expects O +a O +variable-size O +block O +of O +binary O +code O +that O +is O +read O +from O +the O +server O +straight O +into O +the O +virtual O +space O +for O +iexplore.exe S-FILE +and O +then O +executed O +. O + +When O +executed O +, O +the O +Poison B-MAL +Ivy E-MAL +threat O +, O +or O +Backdoor.Odivy S-FILE +, O +connects O +to O +a O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C&C S-TOOL +) O +server O +over O +TCP S-PROT +port O +80 O +. O + +A O +number O +of O +different O +C&C S-TOOL +domains O +and O +IP O +addresses O +were O +identified O +. 
O + +The O +majority O +of O +samples O +connect O +to O +a O +domain O +; O +however O +one O +subset O +of O +samples O +connected O +directly O +to O +the O +IP O +address O +204.74.215.58 S-IP +, O +which O +belonged O +to O +the O +Chinese O +QQ S-TOOL +user O +mentioned O +previously O +and O +was O +also O +associated O +with O +antivirus-groups.com S-DOM +. O +pr[REMOVED].noIP +. O + +org S-DOM +: O +173.252.207.71 S-IP +, O +173.252.205.36 S-IP +, O +173.252.205.37 S-IP +, O +173.252.205.64 S-IP +. O +antivirus-groups.com S-DOM +: O +74.82.166.205 S-IP +, O +204.74.215.58 S-IP +. O +domain.rm6.org S-DOM +: O +216.131.95.22 S-IP +, O +222.255.28.27 S-IP +. O +anti-virus.sytes.net S-DOM +: O +173.252.205.36 S-IP +, O +173.252.205.37 S-IP +, O +173.252.205.64 S-IP +. O + +Several O +other O +hacker O +groups O +have O +also O +begun O +targeting O +some O +of O +the O +same O +chemical O +companies O +in O +this O +time O +period O +. O + +Attackers O +are O +sending O +malicious O +PDF S-TOOL +and O +DOC S-TOOL +files O +, O +which O +use O +exploits O +to O +drop O +variants O +of O +Backdoor.Sogu S-FILE +. O + +This O +particular O +threat O +was O +also O +used O +by O +hackers O +to O +compromise O +a O +Korean O +social O +network O +site O +to O +steal O +records O +of O +35 O +million O +users O +. O + +Determining O +if O +the O +two O +groups O +are O +related O +is O +difficult O +, O +but O +any O +relationship O +appears O +unlikely O +. O + +The O +attackers O +described O +in O +this O +document O +use O +a O +very O +basic O +delivery O +platform O +; O +compressed O +self-extracting O +archives O +sometimes O +sent O +to O +a O +large O +number O +of O +recipients O +. O + +The O +Sogu S-IDTY +gang O +, O +in O +contrast O +, O +use O +PDF S-TOOL +and O +DOC S-TOOL +files O +in O +very O +tailored O +, O +targeted O +emails S-TOOL +. 
O + +The O +Sogu S-IDTY +gang O +use O +a O +custom O +developed O +threat O +– O +Backdoor.Sogu S-FILE +, O +whereas O +the O +group O +described O +in O +this O +document O +use O +an O +off O +the O +shelf O +threat O +– O +Poison B-MAL +Ivy E-MAL +. O + +While O +the O +number O +of O +Sogu S-IDTY +targets O +is O +currently O +small O +relative O +to O +the O +Poison B-MAL +Ivy E-MAL +attacks O +, O +we O +continue O +to O +monitor O +their O +activities O +. O + +Numerous O +targeted O +attack O +campaigns O +are O +occurring O +every O +week O +. O + +However O +, O +relative O +to O +the O +total O +number O +of O +attacks O +, O +few O +are O +fully O +disclosed O +. O + +These O +attacks O +are O +primarily O +targeting O +private O +industry O +in O +search O +of O +key O +intellectual O +property O +for O +competitive O +advantage O +, O +military O +institutions O +, O +and O +governmental O +organizations O +often O +in O +search O +of O +documents O +related O +to O +current O +political O +events O +and O +human O +rights O +organizations O +. O + +This O +attack O +campaign O +focused O +on O +the O +chemical O +sector O +with O +the O +goal O +of O +obtaining O +sensitive O +documents O +such O +as O +proprietary O +designs O +, O +formulas O +, O +and O +manufacturing O +processes O +. O + + +Outlaw S-APT +Updates O +Kit O +to O +Kill O +Older O +Miner O +Versions O +, O +Targets O +More O +Systems O +. O + +As O +we O +’ve O +observed O +with O +cybercriminal O +groups O +that O +aim O +to O +maximize O +profits O +for O +every O +campaign O +, O +silence O +doesn’t O +necessarily O +mean O +inactivity O +. O + +It O +appears O +hacking O +group O +Outlaw S-APT +, O +which O +has O +been O +silent O +for O +the O +past O +few O +months O +, O +was O +simply O +developing O +their O +toolkit O +for O +illicit O +income O +sources O +. 
O + +While O +they O +have O +been O +quiet O +since O +our O +June S-TIME +analysis O +, O +we O +observed O +an O +increase O +in O +the O +group O +’s O +activities O +in O +December S-TIME +, O +with O +updates O +on O +the O +kits O +’ O +capabilities O +reminiscent O +of O +their O +previous O +attacks O +. O + +The O +updates O +expanded O +scanner O +parameters O +and O +targets O +, O +looped O +execution O +of O +files O +via O +error O +messages O +, O +improved O +evasion O +techniques O +for O +scanning O +activities O +, O +and O +improved O +mining O +profits O +by O +killing O +off O +both O +the O +competition O +and O +their O +own O +previous O +miners O +. O + +We O +analyzed O +the O +kits O +, O +which O +were O +designed O +to O +steal O +information O +from O +the O +automotive O +and O +finance O +industries O +, O +launch O +subsequent O +attacks O +on O +already O +compromised O +systems O +, O +and O +( O +possibly O +) O +sell O +stolen O +information O +. O + +Comparing O +this O +development O +to O +their O +previous O +attacks O +, O +we O +think O +Outlaw S-APT +may O +be O +aiming O +to O +go O +after O +enterprises O +that O +have O +yet O +to O +update O +their O +systems O +, O +assessing O +security O +and O +changes O +with O +their O +previously O +infected O +hosts O +, O +finding O +new O +and O +old O +targets O +, O +and O +possibly O +testing O +their O +updates O +in O +the O +wild O +. O + +We O +will O +continue O +to O +observe O +the O +group O +’s O +activities O +as O +they O +target O +industries O +from O +the O +United B-LOC +States E-LOC +and O +Europe S-LOC +. O + +Based O +on O +the O +samples O +we O +collected O +and O +traced O +to O +456 O +distinct O +IPs O +, O +we O +expect O +the O +group O +to O +be O +more O +active O +in O +the O +coming O +months O +as O +we O +observed O +changes O +on O +the O +versions O +we O +acquired O +. 
O + +These O +new O +samples O +targeted O +Linux- S-OS +and O +Unix-based S-OS +operating O +systems O +, O +vulnerable O +servers O +, O +and O +internet O +of O +things O +( O +IoT O +) O +devices O +by O +exploiting O +known O +vulnerabilities O +with O +available O +exploits O +. O + +This O +time O +, O +the O +group O +explored O +unpatched O +systems O +vulnerable O +to O +CVE-2016-8655 S-VULID +and O +Dirty B-VULNAME +COW E-VULNAME +exploit O +( O +CVE-2016-5195 S-VULID +) O +as O +attack O +vectors O +. O + +Files O +using O +simple O +PHP-based S-TOOL +web O +shells O +were O +also O +used O +to O +attack O +systems O +with O +weak O +SSH S-PROT +and O +Telnet S-PROT +credentials O +. O + +While O +no O +phishing- O +or O +social O +engineering-initiated O +routines O +were O +observed O +in O +this O +campaign O +, O +we O +found O +multiple O +attacks O +over O +the O +network O +that O +are O +considered O +“ O +loud. O +” O +These O +involved O +large-scale O +scanning O +operations O +of O +IP O +ranges O +intentionally O +launched O +from O +the O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C&C S-TOOL +) O +server O +. O + +The O +honeynet O +graphs O +, O +which O +show O +activity O +peaks O +associated O +with O +specific O +actions O +, O +also O +suggest O +that O +the O +scans O +were O +timed O +. O + +From O +the O +sample O +we O +analyzed O +, O +attacks O +started O +from O +one O +virtual B-TOOL +private I-TOOL +server E-TOOL +( O +VPS S-TOOL +) O +that O +searches O +for O +a O +vulnerable O +machine O +to O +compromise O +( O +previous O +techniques O +used O +malicious O +URLs O +or O +infecting O +legitimate O +websites O +for O +bot O +propagation O +) O +. 
O + +Once O +infected O +, O +the O +C&C S-TOOL +commands O +for O +the O +infected O +system O +launches O +a O +loud O +scanning O +activity O +and O +spreads O +the O +botnet O +by O +sending O +a O +“ O +whole O +kit O +” O +of O +binary O +files O +at O +once O +with O +naming O +conventions O +same O +as O +the O +ones O +already O +in O +the O +targeted O +host O +, O +likely O +banking O +on O +breaking O +through O +via O +“ O +security O +through O +obscurity. O +” O +They O +attempted O +to O +evade O +traffic O +inspection O +by O +encoding O +the O +code O +for O +the O +scanner O +with O +base-64 S-ENCR +. O + +The O +zombie O +host O +initiates O +the O +scan O +— O +another O +routine O +from O +previous O +campaigns O +— O +but O +updated O +with O +a O +larger O +set O +of O +parameters O +and O +programmed O +to O +run O +in O +the O +background O +. O + +The O +kit O +we O +found O +is O +in O +tgz S-TOOL +format O +, O +though O +we O +have O +observed O +some O +samples O +disguised O +as O +png S-TOOL +or O +jpg S-TOOL +. O + +While O +previous O +routines O +took O +advantage O +of O +competing O +miners O +’ O +activities O +and O +unrelated O +components O +to O +hijack O +the O +profit O +, O +the O +latest O +version O +of O +the O +code O +attempts O +to O +remove O +all O +related O +files O +and O +codes O +from O +previous O +infections O +( O +including O +their O +own O +to O +make O +sure O +the O +running O +components O +are O +updated O +, O +as O +well O +as O +those O +from O +other O +cybercriminals O +to O +maximize O +the O +resources O +of O +the O +zombie O +host O +) O +and O +creates O +a O +new O +working O +directory O +/tmp/.X19-unix O +to O +move O +the O +kit O +and O +extract O +the O +files O +. 
O + +The O +tsm O +binary O +then O +runs O +in O +the O +background O +, O +forwarding O +a O +series O +of O +error O +messages O +to O +/dev/null O +to O +keep O +the O +code O +running O +, O +ensuring O +the O +continuous O +execution O +of O +the O +code O +referenced O +with O +a O +set O +of O +parameters O +/tmp/up.txt S-FILE +. O + +The O +script O +then O +waits O +20 O +minutes O +before O +it O +runs O +the O +wrapper O +script O +initall O +: O + +2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a S-SHA2 + +initall O +. O + +Another O +variant O +executes O +a O +set O +of O +commands O +once O +a O +system O +is O +successfully O +compromised O +. O + +Most O +of O +these O +commands O +are O +related O +to O +gathering O +information O +from O +the O +infected O +machine O +( O +number O +of O +CPU S-TOOL +cores O +, O +users O +, O +scheduled O +tasks O +, O +running O +processes O +, O +OS O +installed O +, O +and O +CPU S-TOOL +and O +memory O +information O +) O +via O +the O +dota3 S-TOOL +payload O +, O +as O +well O +as O +changing O +the O +password O +to O +a O +random O +string O +also O +stored O +in O +/tmp/up.txt S-FILE +. O + +In O +a O +previous O +execution O +( O +published O +in O +June B-TIME +2019 E-TIME +) O +, O +we O +observed O +that O +dota2 S-TOOL +had O +its O +own O +folder O +but O +it O +was O +hardly O +executed O +. O + +Running O +the O +script O +removes O +the O +remaining O +files O +and O +scripts O +from O +previous O +attacks O +, O +keeping O +a O +low O +profile O +to O +evade O +detection O +. O + +If O +the O +system O +has O +been O +previously O +infected O +with O +a O +cryptominer O +, O +it O +also O +attempts O +to O +kill O +the O +running O +miner O +and O +all O +its O +related O +activities O +. 
O + +Based O +on O +a O +bashtemp O +directory O +of O +the O +latest O +sample O +we O +found O +, O +there O +are O +other O +compiled O +ELF S-TOOL +scripts O +, O +named O +init O +and O +init2 O +, O +that O +loops O +the O +kit O +to O +keep O +running O +: O + +0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6 S-SHA2 + +init O +. O +93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494 S-SHA2 + +init2 O +. O + +Both O +init O +and O +init2 O +scripts O +make O +sure O +all O +other O +running O +mining O +services O +are O +killed O +, O +and O +that O +all O +the O +files O +in O +the O +working O +directory O +are O +executed O +by O +giving O +777 O +permissions O +. O + +We O +also O +found O +the O +init0 O +script O +running O +; O +the O +script O +cleans O +out O +all O +miners O +regardless O +of O +its O +origin O +. O + +It O +then O +resets O +cron O +and O +removes O +possible O +cache O +files O +from O +other O +programs O +, O +starts O +scripts O +and O +binaries O +a O +, O +init0 O +, O +and O +start O +, O +and O +sets O +the O +persistence O +by O +modifying O +the O +crontab O +. O + +The O +a O +binary O +is O +a O +script O +wrapper O +to O +start O +run O +, O +a O +Perl-obfuscated S-TOOL +script O +for O +installation O +of O +a O +Shellbot S-MAL +to O +gain O +control O +of O +the O +infected O +system O +. O + +The O +Shellbot S-MAL +disguises O +itself O +as O +a O +process O +named O +rsync O +, O +commonly O +the O +binary O +seen O +on O +many O +Unix- S-OS +and O +Linux-based S-OS +systems O +to O +automatically O +run O +for O +backup O +and O +synchronization O +. O + +This O +allows O +the O +malicious O +activity O +to O +evade O +detection O +. O + +The O +Shellbot S-MAL +script O +is O +added O +to O +run O +after O +the O +victim O +’s O +system O +reboots O +, O +and O +scripts O +/a/upd O +, O +/b/sync/ O +, O +and O +/c/aptitude/ O +are O +added O +to O +the O +crontab O +. 
O + +However O +, O +while O +we O +observed O +the O +presence O +of O +the O +codes O +, O +the O +functions O +of O +upd O +, O +sync O +and O +aptitude O +were O +disabled O +in O +the O +kits O +’ O +latest O +version O +. O + +It O +remains O +unclear O +whether O +these O +are O +leftover O +code O +from O +the O +previous O +versions O +or O +their O +particular O +purposes O +were O +served O +. O + +Shellbot S-MAL +is O +also O +used O +to O +control O +the O +botnet O +, O +with O +a O +command O +that O +is O +sent O +and O +run O +from O +the O +C&C S-TOOL +to O +determine O +if O +there O +is O +a O +code O +execution O +in O +the O +shell O +, O +the O +hostname O +, O +and O +its O +architecture O +. O + +All O +results O +and O +system O +information O +collected O +from O +the O +infected O +system O +are O +stored O +locally O +in O +the O +device O +for O +a O +period O +before O +Outlaw S-APT +retrieves O +them O +via O +the O +C&C S-TOOL +. O + +Since O +discovering O +the O +operations O +of O +this O +group O +in O +2018 S-TIME +, O +Outlaw S-APT +continues O +to O +use O +scripts O +, O +codes O +, O +and O +commands O +that O +have O +been O +previously O +used O +and O +deployed O +. O + +These O +routines O +are O +indicative O +of O +the O +group O +’s O +aim O +to O +get O +quantitative O +returns O +through O +varied O +cybercriminal O +profit O +streams O +. O + +This O +was O +also O +reinforced O +by O +their O +naming O +conventions O +, O +wherein O +different O +versions O +are O +simply O +named O +after O +the O +code O +iterations O +, O +following O +a O +specific O +format O +regardless O +of O +the O +actual O +function O +of O +the O +code O +. O + +Trojan.SH.MALXMR.UWEJP S-MAL +: O +1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa S-SHA2 +. O + +Backdoor.SH.SHELLBOT.AA S-MAL +: O +b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d S-SHA2 +. 
O + +Trojan.Linux.SSHBRUTE.B S-MAL +: O +620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 S-SHA2 +. O + +Coinminer.Linux.MALXMR.SMDSL32 S-MAL +: O +fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a S-SHA2 +. O + +Coinminer.Linux.MALXMR.SMDSL64 S-MAL +: O +649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79 S-SHA2 +. O + + +Actors O +Still O +Exploiting O +SharePoint S-TOOL +Vulnerability O +to O +Attack O +Middle B-LOC +East E-LOC +Government O +Organizations O +. O + +On O +September B-TIME +10 I-TIME +, I-TIME +2019 E-TIME +, O +we O +observed O +unknown S-APT +threat O +actors O +exploiting O +a O +vulnerability O +in O +SharePoint S-TOOL +described O +in O +CVE-2019-0604 S-VULID +to O +install O +several O +webshells O +on O +the O +website O +of O +a O +Middle B-LOC +East E-LOC +government O +organization O +. O + +One O +of O +these O +webshells O +is O +the O +open O +source O +AntSword S-TOOL +webshell O +freely O +available O +on O +Github S-TOOL +, O +which O +is O +remarkably O +similar O +to O +the O +infamous O +China S-LOC +Chopper S-TOOL +webshell O +. O + +On O +January B-TIME +10 I-TIME +, I-TIME +2020 E-TIME +, O +we O +used O +Shodan S-TOOL +to O +search O +for O +Internet O +accessible O +servers O +running O +versions O +of O +SharePoint S-TOOL +vulnerable O +to O +CVE-2019-0604 S-VULID +. O + +While O +admittedly O +the O +version O +numbers O +provided O +by O +SharePoint S-TOOL +within O +HTTP S-PROT +responses O +do O +not O +always O +provide O +the O +precise O +SharePoint S-TOOL +version O +number O +, O +we O +decided O +to O +use O +it O +to O +check O +if O +it O +was O +less O +than O +the O +version O +numbers O +of O +the O +patched O +SharePoint S-TOOL +versions O +from O +the O +Microsoft S-IDTY +advisory O +. O + +We O +performed O +this O +comparison O +and O +found O +28,881 O +servers O +that O +advertised O +a O +vulnerable O +version O +of O +SharePoint S-TOOL +. 
O + +We O +did O +not O +actively O +check O +each O +server O +to O +verify O +if O +they O +were O +indeed O +vulnerable O +, O +so O +it O +is O +possible O +that O +many O +of O +these O +public-facing O +SharePoint S-TOOL +servers O +were O +not O +vulnerable O +or O +since O +patched O +. O + +Regardless O +, O +the O +sheer O +number O +of O +servers O +and O +publicly O +available O +exploit O +code O +suggests O +that O +CVE-2019-0604 S-VULID +is O +still O +a O +major O +attack O +vector O +. O + +Using O +this O +collection O +of O +webshells O +, O +the O +actors O +moved O +laterally O +to O +other O +systems O +on O +the O +network O +by O +dumping O +credentials O +with O +a O +variant O +of O +the O +notorious O +Mimikatz S-TOOL +tool O +and O +using O +Impacket S-TOOL +’s O +atexec O +tool O +to O +use O +dumped O +credentials O +to O +run O +commands O +on O +other O +systems O +. O + +On O +September B-TIME +19 I-TIME +, I-TIME +2019 E-TIME +, O +we O +observed O +the O +same O +exact O +Mimikatz S-TOOL +variant O +uploaded O +to O +a O +webshell O +hosted O +at O +another O +government O +organization O +in O +a O +second O +country O +in O +the O +Middle B-LOC +East E-LOC +. O + +The O +Mimikatz S-TOOL +variant O +uploaded O +to O +these O +two O +organizations O +is O +unique O +, O +as O +it O +involves O +a O +seemingly O +custom O +loader O +application O +written O +in O +.NET S-TOOL +. O + +Therefore O +, O +we O +believe O +that O +the O +same O +threat O +group O +is O +behind O +both O +intrusions O +. O + +Back O +in O +April B-TIME +2019 E-TIME +, O +we O +first O +observed O +the O +Emissary B-APT +Panda E-APT +threat O +group O +exploiting O +CVE-2019-0604 S-VULID +to O +install O +webshells O +on O +SharePoint S-TOOL +servers O +at O +government O +organizations O +in O +two O +Middle B-LOC +Eastern E-LOC +countries O +. 
O + +Fast O +forward O +five O +months O +to O +the O +current O +attacks O +and O +we O +see O +exploitation O +of O +the O +same O +vulnerability O +at O +government O +organizations O +in O +two O +different O +countries O +compared O +to O +the O +April S-ACT +attacks O +. O + +We O +do O +not O +have O +any O +strong O +ties O +to O +connect O +the O +current O +attacks O +exploiting O +this O +vulnerability O +in O +SharePoint S-TOOL +with O +the O +Emissary B-APT +Panda E-APT +attacks O +carried O +out O +in O +April S-ACT +. O + +The O +overlaps O +between O +these O +two O +sets O +of O +attacks O +include O +exploitation O +of O +a O +common O +vulnerability O +, O +similar O +toolset O +and O +a O +shared O +government O +victimology O +, O +but O +no O +strong O +pivot O +points O +to O +connect O +these O +attack O +campaigns O +together O +. O + +The O +exploitation O +of O +this O +vulnerability O +is O +not O +unique O +to O +Emissary B-APT +Panda E-APT +, O +as O +multiple O +threat O +groups O +are O +using O +this O +vulnerability O +to O +exploit O +SharePoint S-TOOL +servers O +to O +gain O +initial O +access O +to O +targeted O +networks O +. O + +We O +would O +like O +to O +acknowledge O +the O +possibility O +of O +an O +overlap O +in O +the O +AntSword S-TOOL +webshell O +, O +as O +we O +stated O +that O +Emissary B-APT +Panda E-APT +used O +China S-LOC +Chopper S-TOOL +in O +the O +April S-ACT +attacks O +and O +AntSword S-TOOL +and O +China S-LOC +Chopper S-TOOL +webshells O +are O +incredibly O +similar O +. 
O + +However O +, O +at O +this O +time O +we O +do O +not O +believe O +the O +April S-ACT +attacks O +used O +AntSword O +based O +on O +artifacts O +analyzed O +on O +the O +SharePoint S-TOOL +server O +, O +specifically O +none O +of O +the O +IIS S-TOOL +logs O +in O +the O +April S-ACT +attacks O +used O +the O +AntSword S-TOOL +User-Agent S-TOOL +in O +requests O +to O +the O +webshell O +that O +were O +observed O +in O +the O +current O +attacks O +. O + +Palo B-TOOL +Alto I-TOOL +Networks E-TOOL +customers O +are O +protected O +from O +the O +threat O +described O +in O +this O +blog O +through O +Threat O +Prevention O +signatures O +for O +the O +exploits O +and O +C2 S-TOOL +traffic O +as O +well O +as O +through O +WildFire S-TOOL +. O + +More O +details O +on O +this O +protection O +is O +available O +in O +the O +conclusion O +of O +the O +report O +. O + +On O +September B-TIME +10 I-TIME +, I-TIME +2019 E-TIME +, O +we O +observed O +an O +HTTP S-PROT +POST O +request O +to O +the O +following O +URL O +that O +we O +believe O +was O +the O +exploitation O +of O +CVE-2019-0604 S-VULID +in O +a O +publicly O +facing O +SharePoint S-TOOL +server O +( O +T1190 O +) O +: O +/_layouts/15/picker.aspx S-FILE +. O + +The O +command O +uses O +the O +echo O +command O +to O +write O +a O +large O +chunk O +of O +base64 S-ENCR +encoded O +data O +to O +a O +text O +file O +named O +cmd.txt S-FILE +. O + +The O +command O +then O +uses O +the O +certutil O +application O +to O +convert O +the O +base64 S-ENCR +encoded O +data O +( O +T1132 O +) O +in O +the O +cmd.txt S-FILE +file O +to O +c.aspx S-FILE +in O +three O +different O +SharePoint S-TOOL +related O +folders O +. O + +The O +result O +of O +this O +entire O +command O +saves O +a O +variant O +of O +the O +Awen S-TOOL +asp.net S-FILE +webshell O +( O +T1100 O +) O +to O +the O +SharePoint S-TOOL +server O +to O +further O +interact O +with O +the O +compromise O +server O +. 
O + +The O +Awen S-TOOL +webshell O +deployed O +in O +the O +exploitation O +of O +this O +SharePoint S-TOOL +vulnerability O +had O +a O +SHA256 S-ENCR +hash O +of O +5d4628d4dd89f31236f8c56686925cbb1a9b4832f81c95a4300e64948afede21 S-SHA2 +. O + +Just O +40 O +seconds O +after O +the O +suspected O +exploitation O +of O +CVE-2019-0604 S-VULID +, O +we O +observed O +the O +first O +HTTP S-PROT +GET O +request O +to O +a O +webshell O +at O +c.aspx S-FILE +, O +which O +is O +a O +modified O +version O +of O +the O +freely O +available O +awen S-TOOL +asp.net S-FILE +webshell O +. O + +We O +believe O +this O +HTTP S-PROT +GET O +request O +was O +the O +actor O +visiting O +the O +webshell O +after O +exploitation O +and O +prior O +to O +executing O +commands O +. O + +The O +actor O +uses O +the O +Awen S-TOOL +webshell O +to O +run O +various O +commands O +to O +do O +an O +initial O +discovery O +on O +the O +system O +and O +network O +, O +including O +user O +accounts O +( O +T1033 O +and O +T1087 O +) O +, O +files O +and O +folders O +( O +T1083 O +) O +, O +privileged O +groups O +( O +T1069 O +) O +, O +remote O +systems O +( O +T1018 O +) O +and O +network O +configuration O +( O +T1016 O +) O +. O + +Table O +1 O +not O +only O +shows O +the O +commands O +used O +for O +discovery O +, O +but O +also O +the O +commands O +used O +to O +deploy O +another O +webshell O +to O +the O +server O +using O +the O +echo O +command O +to O +write O +base64 S-ENCR +encoded O +data O +to O +a.txt S-FILE +and O +using O +the O +certutil O +application O +to O +decode O +and O +save O +to O +bitreeview.aspx S-FILE +. O + +The O +webshell O +named O +bitreeview.aspx S-FILE +was O +saved O +to O +a O +folder O +within O +the O +SharePoint S-TOOL +server O +’s O +install O +path O +. 
O + +The O +bitreeview.aspx S-FILE +file O +is O +a O +variant O +of O +the O +AntSword S-TOOL +webshell O +that O +has O +undeniably O +similar O +traits O +as O +the O +infamous O +China S-LOC +Chopper S-TOOL +webshell O +. O + +After O +installing O +this O +AntSword S-TOOL +webshell O +, O +the O +actor O +no O +longer O +uses O +the O +Awen S-TOOL +webshell O +and O +issues O +the O +first O +command O +to O +AntSword S-TOOL +35 O +seconds O +after O +the O +last O +command O +issued O +to O +the O +Awen S-TOOL +webshell O +. O + +AntSword S-TOOL +is O +a O +modular O +webshell O +that O +involves O +a O +very O +simple O +webshell O +that O +the O +actor O +would O +deploy O +to O +the O +compromised O +server O +and O +a O +client O +application O +referred O +to O +as O +the O +AntSword S-TOOL +Shell B-TOOL +Manager E-TOOL +. O + +The O +use O +of O +the O +client O +application O +differs O +from O +many O +other O +webshells O +that O +the O +actor O +would O +interact O +with O +in O +a O +browser O +window O +. O + +The O +actor O +would O +use O +the O +AntSword S-TOOL +Shell B-TOOL +Manager E-TOOL +to O +interact O +with O +the O +AntSword S-TOOL +webshell O +on O +the O +compromised O +server O +, O +as O +the O +Shell B-TOOL +Manager E-TOOL +sends O +the O +appropriate O +script O +to O +the O +webshell O +that O +will O +execute O +to O +carry O +out O +the O +desired O +action O +. O + +To O +provide O +a O +sense O +of O +the O +limited O +functionality O +within O +the O +webshell O +itself O +, O +the O +bitreeview.aspx S-FILE +AntSword S-TOOL +webshell O +deployed O +in O +this O +attack O +( O +SHA256: O +15ecb6ac6c637b58b2114e6b21b5b18b0c9f5341ee74b428b70e17e64b7da55e S-SHA2 +) O +was O +only O +162 O +bytes O +. 
O + +AntSword S-TOOL +webshell O +has O +no O +functionality O +other O +than O +running O +a O +script O +provided O +by O +the O +AntSword S-TOOL +Shell B-TOOL +Manager E-TOOL +, O +specifically O +within O +a O +field O +named O +Darr1R1ng O +of O +an O +HTTP S-PROT +POST O +request O +. O + +The O +code O +above O +also O +tells O +us O +the O +actors O +had O +created O +their O +own O +custom O +“ O +encoder O +” O +within O +the O +AntSword S-TOOL +Shell B-TOOL +Manager E-TOOL +to O +be O +able O +to O +interact O +with O +the O +code O +above O +, O +which O +we O +will O +discuss O +in O +detail O +in O +the O +next O +section O +. O + +In O +addition O +to O +the O +Mimikatz S-TOOL +tool O +, O +the O +actor O +uploaded O +other O +tools O +to O +the O +webshell O +hosted O +at O +this O +second O +organization O +. O +es.exe S-FILE +: O +Mimikatz S-TOOL +with O +custom O +loader O +, O +da53dcaeede03413ba02802c4be10883c4c28d3d28dee11734f048b90eb3d304 S-SHA2 +. O + +Rar.exe S-FILE +: O +Legitimate O +WinRAR S-TOOL +, O +26d9212ec8dbca45383eb95ec53c05357851bd7529fa0761d649f62e90c4e9fd S-SHA2 +. O +atec.exe S-FILE +: O +Compiled O +Impacket S-TOOL +atexec O +tool O +, O +a4aca75bcc8f18b8a2316fd67a7e545c59b871d32de0b325f56d22584038fa10 S-SHA2 +. O +dmp.exe S-FILE +: O +Dumpert S-TOOL +tool O +, O +e4e05c9a216c2f2b3925293503b5d5a892c33db2f6ea58753f032b80608c3f2e S-SHA2 +. O + +One O +of O +the O +tools O +seen O +above O +that O +caught O +our O +interest O +was O +the O +Dumpert S-TOOL +tool O +, O +which O +is O +freely O +available O +on O +Outflanknl S-TOOL +’s O +GitHub S-TOOL +repository O +. O + +The O +author O +of O +Dumpert S-TOOL +describes O +the O +tool O +as O +an O +LSASS S-TOOL +dumping O +tool O +that O +uses O +direct O +system O +calls O +and O +API O +unhooking O +to O +evade O +antivirus O +and O +EDR S-TOOL +solutions O +. 
O + +Dumpert S-TOOL +is O +a O +relatively O +new O +tool O +with O +its O +initial O +commit O +to O +GitHub S-TOOL +occurring O +on O +June B-TIME +17 I-TIME +, I-TIME +2019 E-TIME +. O + +While O +the O +Dumpert S-TOOL +tool O +is O +meant O +to O +help O +red O +teams O +emulate O +an O +adversary O +, O +we O +had O +not O +seen O +this O +tool O +used O +by O +threat O +actors O +until O +it O +was O +uploaded O +to O +this O +related O +webshell O +on O +September B-TIME +23 I-TIME +, I-TIME +2019 E-TIME +. O + +Threat O +actors O +continue O +to O +exploit O +the O +CVE-2019-0604 S-VULID +vulnerability O +to O +compromise O +SharePoint S-TOOL +servers O +, O +which O +is O +a O +vulnerability O +that O +Microsoft S-IDTY +released O +a O +patch O +for O +in O +March B-TIME +2019 E-TIME +. O + +We O +observed O +actors O +installing O +webshells O +to O +the O +SharePoint S-TOOL +server O +that O +they O +use O +to O +run O +commands O +and O +upload O +additional O +tools O +to O +in O +order O +to O +dump O +credentials O +and O +move O +laterally O +to O +other O +systems O +on O +the O +network O +. O + +We O +were O +also O +able O +to O +find O +a O +related O +webshell O +based O +on O +the O +threat O +group O +’s O +tool O +reuse O +, O +specifically O +a O +custom O +Mimikatz S-TOOL +sample O +. O + +Thanks O +to O +this O +tool O +reuse O +, O +we O +found O +the O +threat O +group O +uploading O +a O +credential O +dumping O +tool O +called O +Dumpert S-TOOL +that O +we O +had O +not O +seen O +used O +in O +prior O +incidents O +involving O +the O +exploitation O +of O +CVE-2019-0604 S-VULID +. O + +Digital O +Attack O +on O +German O +Parliament: O +Investigative O +Report O +on O +the O +Hack O +of O +the O +Left O +Party O +Infrastructure O +in O +Bundestag S-IDTY +. O + +Two O +suspicious O +artifacts O +have O +been O +retrieved O +from O +two O +separate O +servers O +within O +the O +Die O +Linke O +infrastructure O +. 
O + +One O +is O +an O +open O +source O +utility O +used O +to O +remotely O +issue O +commands O +on O +a O +Windows S-OS +host O +from O +a O +Linux S-OS +host O +. O + +The O +other O +is O +a O +custom O +utility O +which O +, O +despite O +its O +large O +size O +, O +has O +limited O +functionality O +and O +acts O +as O +a O +tunnel O +, O +possibly O +used O +by O +the O +attackers O +to O +maintain O +persistence O +within O +the O +compromised O +network O +. O + +Attributes O +of O +one O +of O +the O +artifacts O +and O +intelligence O +gathered O +on O +the O +infrastructure O +operated O +by O +the O +attackers O +suggest O +that O +the O +attack O +was O +perpetrated O +by O +a O +state-sponsored O +group O +known O +as O +Sofacy S-APT +( O +or O +APT28 S-APT +) O +. O + +Previous O +work O +published O +by O +security O +vendor O +FireEye S-SECTEAM +in O +October B-TIME +2014 E-TIME +suggests O +the O +group O +might O +be O +of O +Russian O +origin O +. O + +The O +first O +artifact O +– O +identified O +across O +this O +report O +as O +Artifact O +#1 O +– O +has O +the O +following O +attributes O +: O + +Name O +winexesvc.exe S-FILE +Size O +23552 O +MD5 S-ENCR +77e7fb6b56c3ece4ef4e93b6dc608be0 S-MD5 +SHA1 S-ENCR +f46f84e53263a33e266aae520cb2c1bd0a73354e S-SHA1 +SHA256 S-ENCR +5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d S-SHA2 +. O + +The O +second O +artifact O +– O +identified O +across O +this O +report O +as O +Artifact O +#2 O +– O +-has O +the O +following O +attributes O +: O + +Name O +svchost.exe S-FILE +Size O +1062912 O +MD5 S-ENCR +5e70a5c47c6b59dae7faf0f2d62b28b3 S-MD5 +SHA1 S-ENCR +cdeea936331fcdd8158c876e9d23539f8976c305 S-SHA1 +SHA256 S-ENCR +730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a S-SHA2 +Compile O +Time O +2015-04-22 B-TIME +10:49:54 E-TIME +. O + +Artifact O +#1 O +was O +retrieved O +from O +a O +File B-TOOL +Server E-TOOL +operated O +by O +Die O +Linke O +. 
O + +The O +file O +is O +a O +64bit-compatible O +compiled O +binary O +of O +the O +open O +source O +utility O +Winexe S-TOOL +. O + +Winexe S-TOOL +is O +software O +similar O +to O +the O +more O +popular O +PSExec S-TOOL +and O +is O +designed O +to O +allow O +system O +administrators O +to O +execute O +commands O +on O +remote O +servers O +. O + +While O +commercial O +solutions O +like O +Symantec S-SECTEAM +pcAnywhere O +provide O +a O +larger O +feature-set O +, O +Winexe S-TOOL +is O +lightweight O +, O +and O +doesn’t O +require O +any O +installation O +or O +configuration O +. O + +One O +of O +the O +reasons O +Winexe S-TOOL +is O +preferred O +over O +PSExec S-TOOL +, O +is O +that O +it O +provides O +a O +Linux S-OS +client O +, O +while O +PSExec S-TOOL +doesn’t O +. O + +Attackers O +are O +making O +growing O +use O +of O +utilities O +like O +Winexe S-TOOL +and O +PSExec S-TOOL +to O +perform O +lateral O +movement O +across O +compromised O +networks O +. O + +Besides O +providing O +the O +ability O +to O +execute O +arbitrary O +commands O +on O +the O +target O +system O +, O +these O +utilities O +normally O +don’t O +raise O +suspicion O +as O +they O +are O +commonly O +whitelisted O +by O +Antivirus O +and O +other O +commercial O +security O +software O +. O + +Winexe S-TOOL +acts O +as O +a O +Windows S-OS +service O +that O +can O +be O +configured O +to O +automatically O +start O +at O +boot O +and O +silently O +wait O +for O +incoming O +commands O +over O +a O +named O +pipe O +. O + +Named O +pipes O +are O +a O +Windows S-OS +inter-process O +communication O +method O +. O + +Through O +named O +pipes O +, O +processes O +are O +able O +to O +communicate O +and O +exchange O +data O +even O +over O +a O +network O +. 
O + +In O +the O +case O +of O +Artifact O +#1 O +, O +the O +name O +of O +the O +pipe O +is O +ahexec O +, O +computers O +over O +the O +network O +could O +access O +the O +pipe O +server O +by O +simply O +opening O +a O +file O +handle O +on O +\ServerNamepipeahexec O +. O + +Once O +connected O +to O +the O +pipe O +, O +a O +user O +or O +a O +program O +can O +easily O +provide O +information O +required O +to O +execute O +command O +( O +just O +as O +they O +would O +normally O +through O +a O +command-line O +) O +. O + +The O +provided O +information O +is O +then O +passed O +to O +a O +CreateProcessAsUserA O +call O +and O +the O +specified O +command O +is O +executed O +. O + +Once O +inside O +the O +network O +, O +Artifact O +#1 O +can O +be O +enough O +for O +the O +attacker O +to O +download O +or O +create O +additional O +scripts O +, O +execute O +commands O +and O +exfiltrate O +data O +( O +for O +example O +, O +simply O +through O +ftp S-PROT +) O +. O + +It O +is O +plausible O +that O +Artifact O +#1 O +could O +be O +present O +on O +other O +servers O +under O +different O +names O +, O +although O +it O +is O +also O +likely O +that O +the O +attacker O +only O +left O +it O +on O +servers O +to O +which O +they O +required O +maintainenance O +of O +persistent O +access O +. O + +Artifact O +#2 O +was O +recovered O +from O +the O +Admin B-TOOL +Controller E-TOOL +operated O +by O +Die O +Linke O +. O + +This O +is O +custom O +malware O +, O +which O +despite O +large O +file O +size O +( O +1,1 O +MB O +) O +, O +provides O +limited O +functionality O +. O + +Artifact O +#2 O +operates O +as O +a O +backchannel O +for O +the O +attacker O +to O +maintain O +a O +foothold O +inside O +the O +compromised O +network O +. O + +The O +properties O +of O +the O +artifact O +show O +that O +the O +same O +authors O +of O +the O +malware O +seem O +to O +have O +called O +it O +Xtunnel S-MAL +. 
O + +As O +the O +same O +name O +suggests O +, O +the O +artifact O +appears O +in O +fact O +to O +act O +as O +a O +tunnel O +for O +the O +attacker O +to O +remotely O +access O +the O +internal O +network O +and O +maintain O +persistence O +. O + +After O +initialization O +, O +the O +artifact O +will O +attempt O +to O +establish O +a O +connection O +by O +creating O +a O +socket O +. O + +In O +case O +of O +failure O +, O +it O +will O +sleep O +for O +three O +seconds O +and O +try O +again O +. O + +The O +authors O +of O +the O +malware O +didn’t O +appear O +to O +have O +spent O +any O +effort O +in O +concealing O +indicators O +or O +obfuscating O +code O +– O +the O +IP O +address O +with O +which O +it O +tries O +to O +communicate O +is O +hardcoded O +in O +clear-text O +inside O +the O +binary O +. O + +We O +can O +observe O +below O +, O +the O +procedure O +through O +which O +the O +artifact O +attempts O +to O +establish O +a O +connection O +with O +the O +IP O +address O +176.31.112.10 S-IP +. O + +This O +specific O +IP O +address O +is O +a O +critical O +piece O +of O +information O +that O +enables O +us O +to O +connect O +this O +attack O +to O +a O +spree O +of O +previous O +targeted O +campaigns O +. O + +The O +details O +of O +this O +attribution O +is O +explained O +in O +a O +dedicated O +section O +below O +. O + +We O +will O +refer O +to O +this O +IP O +address O +as O +Command B-TOOL +& I-TOOL +Control E-TOOL +( O +or O +C&C S-TOOL +) O +. O + +If O +the O +argument O +-SSL S-PROT +is O +given O +through O +command-line O +to O +the O +artifact O +, O +these O +beacons O +will O +be O +encapsulated O +in O +an O +SSL S-PROT +connection O +and O +a O +proper O +TLS S-PROT +handshake O +will O +be O +initiated O +with O +the O +C&C S-TOOL +. 
O + +Interestingly O +, O +the O +artifact O +bundles O +a O +copy O +of O +OpenSSL S-TOOL +1.0.1e O +, O +from O +February B-TIME +2013 E-TIME +, O +which O +causes O +the O +unusually O +large O +size O +of O +the O +binary O +. O + +More O +importantly O +, O +the O +Command B-TOOL +& I-TOOL +Control E-TOOL +server O +( O +176.31.112.10 S-IP +) O +also O +appears O +to O +be O +using O +an O +outdated O +version O +of O +OpenSSL S-TOOL +and O +be O +vulnerable O +to O +Heartbleed S-VULNAME +attacks O +. O + +While O +unlikely O +, O +it O +is O +worth O +considering O +that O +the O +same O +C&C S-TOOL +server O +might O +have O +been O +the O +subject O +of O +3rd-party O +attacks O +due O +to O +this O +vulnerability O +. O + +If O +connections O +to O +the O +C&C S-TOOL +are O +blocked O +or O +terminated O +through O +a O +firewall O +, O +the O +artifact O +will O +be O +inhibited O +, O +as O +it O +doesn’t O +seem O +to O +have O +any O +fallback O +protocol O +. O + +Additionally O +, O +since O +it O +does O +not O +execute O +any O +other O +functionality O +autonomously O +, O +it O +would O +no O +longer O +be O +a O +direct O +threat O +. O + +While O +attribution O +of O +malware O +attacks O +is O +rarely O +simple O +or O +conclusive O +, O +during O +the O +course O +of O +this O +investigation O +I O +uncovered O +evidence O +that O +suggests O +the O +attacker O +might O +be O +affiliated O +with O +the O +state-sponsored O +group O +known O +as O +Sofacy S-APT +Group O +( O +also O +known O +as O +APT28 S-APT +or O +Operation B-APT +Pawn I-APT +Storm E-APT +) O +. 
O + +Although O +we O +are O +unable O +to O +provide O +details O +in O +support O +of O +such O +attribution O +, O +previous O +work O +by O +security O +vendor O +FireEye S-SECTEAM +suggests O +the O +group O +might O +be O +of O +Russian O +origin O +, O +however O +no O +evidence O +allows O +to O +tie O +the O +attacks O +to O +governments O +of O +any O +particular O +country O +. O + +Sofacy S-APT +is O +a O +group O +dedicated O +to O +the O +compromise O +of O +high-profile O +targets O +and O +the O +theft O +of O +confidential O +information O +. O + +They O +appear O +to O +have O +been O +active O +since O +2006 S-TIME +. O + +They O +are O +believed O +to O +have O +successfully O +attacked O +the O +Ministries B-IDTY +of I-IDTY +Internal E-IDTY +and O +Foreign B-IDTY +Affairs E-IDTY +of O +several O +ex-Soviet O +countries O +, O +as O +well O +as O +Eastern O +European O +governments O +and O +military O +institutions O +, O +and O +NATO S-IDTY +and O +the O +White B-IDTY +House E-IDTY +. O + +Sofacy S-APT +is O +known O +for O +making O +extensive O +use O +of O +phishing E-ACT +attacks O +to O +lure O +targets O +into O +revealing O +their O +credentials O +via O +realistic O +reconstruction O +of O +internal O +systems O +, O +such O +as O +webmails O +, O +as O +employed O +against O +the O +Georgian B-IDTY +Ministry I-IDTY +of I-IDTY +Internal I-IDTY +Affairs E-IDTY +in O +the O +infamous O +attacks O +that O +preceded O +the O +Georgian S-LOC +invasion O +of O +2008 S-TIME +. 
O + +While O +Sofacy S-APT +is O +also O +known O +to O +use O +of O +custom O +exploit O +frameworks O +and O +spear-phishing S-ACT +attacks O +, O +it O +is O +possible O +in O +this O +case O +that O +they O +managed O +to O +obtain O +privileged O +credentials O +of O +network O +administrators O +within O +the O +Bundestag S-IDTY +through O +the O +use O +of O +a O +phishing E-ACT +attack O +, O +which O +then O +allowed O +them O +to O +navigate O +through O +the O +network O +and O +gain O +access O +to O +more O +data O +. O + +It O +is O +worth O +noting O +that O +shortly O +before O +the O +attack O +, O +security O +vendors O +reported O +the O +use O +of O +0-day S-VULNAME +exploits O +in O +Flash B-TOOL +Player E-TOOL +and O +Microsoft S-IDTY +Windows S-OS +by O +the O +same O +threat O +actor O +. O + +During O +investigation O +of O +the O +Command B-TOOL +& I-TOOL +Control E-TOOL +server O +( O +with O +IP O +176.31.112.10 S-IP +hardcoded O +in O +Artifact O +#2 O +) O +, O +we O +managed O +to O +identify O +some O +operational O +mistakes O +made O +by O +the O +attackers O +, O +allowing O +us O +to O +connect O +the O +incident O +with O +attacks O +previously O +associated O +with O +the O +Sofacy S-APT +Group O +. O + +The O +address O +, O +176.31.112.10 S-IP +, O +is O +a O +dedicated O +server O +provided O +by O +the O +French O +OVH S-TOOL +hosting O +company O +, O +but O +is O +apparently O +operated O +by O +an O +offshore O +secure O +hosting O +company O +called O +CrookServers.com S-IDTY +. O + +By O +researching O +historical O +data O +relevant O +to O +C&C S-TOOL +176.31.112.10 S-IP +, O +we O +discovered O +that O +on O +February B-TIME +16th I-TIME +2015 E-TIME +, O +the O +server O +was O +sharing O +an O +SSL S-PROT +certificate O +with O +another O +IP O +address O +allocated O +to O +CrookServers S-IDTY +and O +also O +hosted O +at O +OVH S-TOOL +: O +213.251.187.145 S-IP +. 
O + +The O +recovered O +shared O +SSL S-PROT +certificate O +, O +obtained O +by O +a O +public O +internet-wide O +scanning O +initiative O +, O +at O +the O +time O +had O +the O +following O +attributes O +: O + +MD5 S-ENCR +b84b66bcdecd4b4529014619ed649d76 S-MD5 +SHA1 S-ENCR +fef1725ad72e4ef0432f8cb0cb73bf7ead339a7c S-SHA1 +Algorithm O +sha1 S-ENCR +With O +RSA S-ENCR +Encryption O +. O + +As O +shown O +, O +the O +certificate O +uses O +mail.mfa.gov.ua S-DOM +as O +a O +Common O +Name O +. O + +This O +suggests O +that O +this O +certificate O +might O +have O +been O +previously O +used O +for O +a O +similar O +attack O +against O +the O +Ukrainian B-IDTY +Ministry I-IDTY +of I-IDTY +Foreign I-IDTY +Affairs E-IDTY +, O +or O +associated O +targets O +, O +although O +there O +is O +no O +documentation O +of O +such O +attack O +available O +to O +the O +public O +. O + +More O +importantly O +, O +the O +IP O +address O +this O +certificate O +was O +shared O +with O +213.251.187.145 S-IP +was O +previously O +identified O +as O +used O +by O +Sofacy S-APT +Group O +for O +phishing E-ACT +attacks O +against O +Albanian O +government O +institutions O +by O +registering O +the O +domain O +qov.al S-DOM +and O +creating O +realistic O +subdomains O +to O +lure O +victims O +into O +visiting O +. O + +The O +domain O +was O +active O +on O +the O +IP O +213.251.187.145 S-IP +from O +July B-TIME +2014 E-TIME +up O +until O +March B-TIME +2015 E-TIME +. O + +These O +attacks O +against O +Albanian O +government O +institutions O +by O +the O +Sofacy S-APT +Group O +were O +documented O +and O +reported O +by O +consultancy O +corporate O +PwC S-IDTY +in O +December B-TIME +2014 E-TIME +. O + +It O +is O +worth O +noting O +that O +this O +server O +also O +seems O +to O +be O +operated O +by O +CrookServers S-IDTY +, O +since O +among O +other O +domains O +, O +454-reverse.crookservers.net S-DOM +resolved O +to O +the O +same O +IP O +address O +. 
O + +While O +the O +evidence O +presented O +strongly O +suggests O +a O +connection O +with O +the O +Sofacy S-APT +Group O +, O +the O +artifacts O +( O +in O +particular O +Artifact O +#2 O +) O +are O +not O +publicly O +recognized O +to O +be O +part O +of O +the O +more O +traditional O +arsenal O +of O +these O +attackers O +. O + +Nevertheless O +, O +on O +May B-TIME +12th I-TIME +2015 E-TIME +( O +a O +few O +weeks O +after O +the O +attack O +against O +Bundestag S-IDTY +appears O +to O +have O +started O +) O +the O +American O +security O +firm O +root9B O +released O +a O +report O +containing O +details O +on O +malware O +samples O +very O +similar O +to O +Artifact O +#2 O +. O + +The O +report O +also O +includes O +a O +mention O +of O +the O +same O +IP O +address O +used O +as O +Command B-TOOL +& I-TOOL +Control E-TOOL +server O +in O +the O +attack O +against O +Bundestag S-IDTY +( O +176.31.112.10 S-IP +) O +. O + +While O +the O +report O +appears O +to O +contain O +numerous O +inaccuracies O +, O +some O +of O +the O +indicators O +of O +compromises O +are O +legitimate O +and O +appear O +to O +be O +correctly O +attributed O +to O +Sofacy S-APT +. O + + +A O +Slice O +of O +2017 S-TIME +Sofacy S-APT +Activity O +. O + +Sofacy S-APT +, O +also O +known O +as O +APT28 S-APT +, O +Fancy B-APT +Bear E-APT +, O +and O +Tsar B-APT +Team E-APT +, O +is O +a O +highly O +active O +and O +prolific O +APT O +. O + +From O +their O +high O +volume O +0day S-VULNAME +deployment O +to O +their O +innovative O +and O +broad O +malware O +set O +, O +Sofacy S-APT +is O +one O +of O +the O +top O +groups O +that O +we O +monitor O +, O +report O +, O +and O +protect O +against O +. O +2017 S-TIME +was O +not O +any O +different O +in O +this O +regard O +. 
O + +Our O +private O +reports O +subscription O +customers O +receive O +a O +steady O +stream O +of O +YARA S-TOOL +, O +IOC S-TOOL +, O +and O +reports O +on O +Sofacy S-APT +, O +our O +most O +reported O +APT O +for O +the O +year O +. O + +This O +high O +level O +of O +cyber-espionage O +activity O +goes O +back O +years O +. O + +In O +2011-2012 S-TIME +, O +the O +group O +used O +a O +relatively O +tiny O +implant O +( O +known O +as O +“ O +Sofacy S-APT +” O +or O +SOURFACE S-APT +) O +as O +their O +first O +stage O +malware O +, O +which O +at O +the O +time O +had O +similarities O +with O +the O +old O +Miniduke O +implants O +. O + +This O +made O +us O +believe O +the O +two O +groups O +were O +connected O +, O +although O +it O +looks O +they O +split O +ways O +at O +a O +certain O +point O +, O +with O +the O +original O +Miniduke S-APT +group O +switching O +to O +the O +CosmicDuke S-MAL +implant O +in O +2014 S-TIME +. O + +The O +division O +in O +malware O +was O +consistent O +and O +definitive O +at O +that O +point O +. O + +In O +2013 S-TIME +, O +the O +Sofacy S-APT +group O +expanded O +their O +arsenal O +and O +added O +more O +backdoors O +and O +tools O +, O +including O +CORESHELL S-MAL +, O +SPLM S-MAL +( O +aka O +Xagent S-MAL +, O +aka O +CHOPSTICK S-MAL +) O +, O +JHUHUGIT S-MAL +( O +which O +is O +built O +with O +code O +from O +the O +Carberp S-MAL +sources O +) O +, O +AZZY S-MAL +( O +aka O +ADVSTORESHELL S-MAL +, O +NETUI S-MAL +, O +EVILTOSS S-MAL +, O +and O +spans O +across O +4-5 O +generations O +) O +and O +a O +few O +others O +. O + +We O +’ve O +seen O +quite O +a O +few O +versions O +of O +these O +implants O +, O +which O +were O +relatively O +widespread O +at O +some O +point O +or O +still O +are O +. 
O + +In O +2015 S-TIME +we O +noticed O +another O +wave O +of O +attacks O +which O +took O +advantage O +of O +a O +new O +release O +of O +the O +AZZY S-MAL +implant O +, O +largely O +undetected O +by O +antivirus O +products O +. O + +The O +new O +wave O +of O +attacks O +included O +a O +new O +generation O +of O +USB B-MAL +stealers E-MAL +deployed O +by O +Sofacy S-APT +, O +with O +initial O +versions O +dating O +to O +February B-TIME +2015 E-TIME +. O + +It O +appeared O +to O +be O +geared O +exclusively O +towards O +high O +profile O +targets O +. O + +Sofacy S-APT +’s O +reported O +presence O +in O +the O +DNC S-TOOL +network O +alongside O +APT29 S-APT +brought O +possibly O +the O +highest O +level O +of O +public O +attention O +to O +the O +group O +’s O +activities O +in O +2016 S-TIME +, O +especially O +when O +data O +from O +the O +compromise O +was O +leaked O +and O +“ O +weaponized O +” O +. O + +And O +later B-TIME +2016 E-TIME +, O +their O +focus O +turned O +towards O +the O +Olympics S-IDTY +’ O +and O +the O +World B-IDTY +Anti-Doping I-IDTY +Agency E-IDTY +( O +WADA S-IDTY +) O +and O +Court B-IDTY +of I-IDTY +Arbitration I-IDTY +for I-IDTY +Sports E-IDTY +( O +CAS S-IDTY +) O +, O +when O +individuals O +and O +servers O +in O +these O +organizations O +were O +phished O +and O +compromised O +. O + +In O +a O +similar O +vein O +with O +past O +CyberBerkut S-ACT +activity O +, O +attackers O +hid O +behind O +anonymous O +activist O +groups O +like O +“ O +anonpoland O +” O +, O +and O +data O +from O +victimized O +organizations O +were O +similarly O +leaked O +and O +“ O +weaponized O +” O +. O + +This O +write-up O +will O +survey O +notables O +in O +the O +past O +year O +of O +2017 S-TIME +Sofacy S-APT +activity O +, O +including O +their O +targeting O +, O +technology O +, O +and O +notes O +on O +their O +infrastructure O +. 
O + +No O +one O +research O +group O +has O +100% O +global O +visibility O +, O +and O +our O +collected O +data O +is O +presented O +accordingly O +. O + +Here O +, O +external O +APT28 S-APT +reports O +on O +2017 S-TIME +Darkhotel-style S-ACT +activity O +in O +Europe S-LOC +and O +Dealer O +’s O +Choice O +spearphishing S-ACT +are O +of O +interest O +. O + +From O +where O +we O +sit O +, O +2017 S-TIME +Sofacy S-APT +activity O +starts O +with O +a O +heavy O +focus O +on O +NATO S-IDTY +and O +Ukrainian O +partners O +, O +coinciding O +with O +lighter O +interest O +in O +Central B-LOC +Asian E-LOC +targets O +, O +and O +finishing O +the O +second O +half O +of O +the O +year O +with O +a O +heavy O +focus O +on O +Central B-LOC +Asian E-LOC +targets O +and O +some O +shift O +further O +East S-LOC +. O + +Sofacy S-APT +kicked O +off O +the O +year O +deploying O +two O +0day S-VULNAME +in O +a O +spearphish O +document O +, O +both O +a O +Microsoft S-IDTY +Office S-TOOL +encapsulated O +postscript O +type O +confusion O +exploit O +( O +abusing O +CVE-2017-0262 S-VULID +) O +and O +an O +escalation O +of O +privilege O +use-after-free O +exploit O +( O +abusing O +CVE-2017-0263 S-VULID +) O +. O + +The O +group O +attempted O +to O +deploy O +this O +spearphish O +attachment O +to O +push O +a O +small O +30kb O +backdoor O +known O +as O +GAMEFISH S-MAL +to O +targets O +in O +Europe S-LOC +at O +the O +beginning B-TIME +of I-TIME +2017 E-TIME +. O + +They O +took O +advantage O +of O +the O +Syrian O +military O +conflict O +for O +thematic O +content O +and O +file O +naming O +“ O +Trump B-FILE +’s_Attack_on_Syria_English.docx E-FILE +” O +. O + +Again O +, O +this O +deployment O +was O +likely O +a O +part O +of O +their O +focus O +on O +NATO S-IDTY +targets O +. 
O + +Meanwhile O +in O +early-to-mid B-TIME +2017 E-TIME +, O +SPLM S-MAL +/ O +CHOPSTICK S-MAL +/ O +XAgent S-MAL +detections O +in O +Central B-LOC +Asia E-LOC +provided O +a O +glimpse O +into O +ongoing O +focus O +on O +ex-Soviet O +republics O +in O +Central B-LOC +Asia E-LOC +. O + +These O +particular O +detections O +are O +interesting O +because O +they O +indicate O +an O +attempted O +selective O +2nd O +stage O +deployment O +of O +a O +backdoor O +maintaining O +filestealer O +, O +keylogger O +, O +and O +remoteshell O +functionality O +to O +a O +system O +of O +interest O +. O + +As O +the O +latest O +revision O +of O +the O +backdoor O +, O +portions O +of O +SPLM S-MAL +didn’t O +match O +previous O +reports O +on O +SPLM S-MAL +/ O +XAgent S-MAL +while O +other O +similarities O +were O +maintained O +. O + +SPLM S-MAL +64-bit O +modules O +already O +appeared O +to O +be O +at O +version O +4 O +of O +the O +software O +by O +May B-TIME +of I-TIME +the I-TIME +year E-TIME +. O + +Targeting O +profiles O +included O +defense O +related O +commercial O +and O +military O +organizations O +, O +and O +telecommunications O +. O + +Since O +mid-November B-TIME +2015 E-TIME +, O +the O +threat O +actor O +referred O +to O +as O +“ O +Sofacy S-APT +” O +or O +“ O +APT28 S-APT +” O +has O +been O +utilizing O +a O +unique O +payload O +and O +delivery O +mechanism O +written O +in O +Delphi S-TOOL +and O +AutoIT S-TOOL +. O + +We O +collectively O +refer O +to O +this O +package O +and O +related O +activity O +as O +“ O +Zebrocy S-MAL +” O +and O +had O +written O +a O +few O +reports O +on O +its O +usage O +and O +development O +by O +June B-TIME +2017 E-TIME +– O +Sofacy S-APT +developers O +modified O +and O +redeployed O +incremented O +versions O +of O +the O +malware O +. 
O + +The O +Zebrocy S-MAL +chain O +follows O +a O +pattern O +: O +spearphish S-ACT +attachment O +-> O +compiled O +Autoit S-TOOL +script O +( O +downloader O +) O +-> O +Zebrocy S-MAL +payload O +. O + +In O +some O +deployments O +, O +we O +observed O +Sofacy S-APT +actively O +developing O +and O +deploying O +a O +new O +package O +to O +a O +much O +smaller O +, O +specific O +subset O +of O +targets O +within O +the O +broader O +set O +. O + +Targeting O +profiles O +, O +spearphish S-ACT +filenames O +, O +and O +lures O +carry O +thematic O +content O +related O +to O +visa O +applications O +and O +scanned O +images O +, O +border O +control O +administration O +, O +and O +various O +administrative O +notes O +. O + +Targeting O +appears O +to O +be O +widely O +spread O +across O +the O +Middle B-LOC +East E-LOC +, O +Europe S-LOC +, O +and O +Asia S-LOC +. O + +We O +identified O +new O +MSIL S-TOOL +components O +deployed O +by O +Zebrocy S-MAL +. O + +While O +recent O +Zebrocy S-MAL +versioning O +was O +7.1 O +, O +some O +of O +the O +related O +Zebrocy S-MAL +modules O +that O +drop O +file-stealing O +MSIL S-TOOL +modules O +we O +call O +Covfacy S-TOOL +were O +v7.0 O +. O + +The O +components O +were O +an O +unexpected O +inclusion O +in O +this O +particular O +toolset O +. O + +For O +example O +, O +one O +sent O +out O +to O +a O +handful O +of O +countries O +identifies O +network O +drives O +when O +they O +are O +added O +to O +target O +systems O +, O +and O +then O +RC4 S-ENCR +like-encrypts O +and O +writes O +certain O +file O +metadata O +and O +contents O +to O +a O +local O +path O +for O +later O +Exfiltration S-ACT +. O + +The O +stealer O +searches O +for O +files O +60mb O +and O +less O +with O +these O +extensions O +: O +.doc S-FILE +, O +.docx S-FILE +, O +.xls S-FILE +, O +.xlsx S-FILE +, O +.ppt S-FILE +, O +.pptx S-FILE +, O +.exe S-FILE +, O +.zip S-FILE +, O +.rar S-FILE +. 
O + +At O +execution O +, O +it O +installs O +an O +application-defined O +Windows S-OS +hook O +. O + +The O +hook O +gets O +windows S-OS +messages O +indicating O +when O +a O +network O +drive O +has O +been O +attached O +. O + +Upon O +adding O +a O +network O +drive O +, O +the O +hook O +calls O +its O +“ O +RecordToFile O +” O +file O +stealer O +method O +. O + +SPLM S-MAL +/ O +CHOPSTICK S-MAL +components O +deployed O +throughout O +2017 S-TIME +were O +native O +64-bit O +modular O +C++ S-TOOL +Windows S-OS +COM S-TOOL +backdoors O +supporting O +http S-PROT +over O +fully O +encrypted O +TLSv1 S-PROT +and O +TLSv1.2 S-PROT +communications O +, O +mostly O +deployed O +in O +the O +second B-TIME +half I-TIME +of I-TIME +2017 E-TIME +by O +Sofacy S-APT +. O + +Earlier O +SPLM S-MAL +activity O +deployed O +32-bit O +modules O +over O +unencrypted O +http S-PROT +( O +and O +sometimes O +smtp S-PROT +) O +sessions O +. O + +In O +2016 S-TIME +we O +saw O +fully O +functional O +, O +very O +large O +SPLM S-MAL +/ O +X-Agent S-MAL +modules O +supporting O +OS B-OS +X E-OS +. O + +The O +executable O +module O +continues O +to O +be O +part O +of O +a O +framework O +supporting O +various O +internal O +and O +external O +components O +communicating O +over O +internal O +and O +external O +channels O +, O +maintaining O +slightly O +morphed O +encryption O +and O +functionality O +per O +deployment O +. O + +Sofacy S-APT +selectively O +used O +SPLM S-MAL +/ O +CHOPSTICK S-MAL +modules O +as O +second O +stage O +implants O +to O +high O +interest O +targets O +for O +years O +now O +. O + +The O +newer O +SPLM S-MAL +modules O +are O +deployed O +mostly O +to O +Central B-LOC +Asian E-LOC +based O +targets O +that O +may O +have O +a O +tie O +to O +NATO S-IDTY +in O +some O +form O +. 
O + +These O +targets O +include O +foreign O +affairs O +government O +organizations O +both O +localized O +and O +abroad O +, O +and O +defense O +organizations O +’ O +presence O +localized O +, O +located O +in O +Europe S-LOC +and O +also O +located O +in O +Afghanistan S-LOC +. O + +One O +outlier O +SPLM S-MAL +target O +profile O +within O +our O +visibility O +includes O +an O +audit O +and O +consulting O +firm O +in O +Bosnia S-LOC +and O +Herzegovina S-LOC +. O + +Minor O +changes O +and O +updates O +to O +the O +code O +were O +released O +with O +these O +deployments O +, O +including O +a O +new O +mutex O +format O +and O +the O +exclusive O +use O +of O +encrypted O +HTTP S-PROT +communications O +over O +TLS S-PROT +. O + +The O +compiled O +code O +itself O +already O +is O +altered O +per O +deployment O +in O +multiple O +subtle O +ways O +, O +in O +order O +to O +stymie O +identification O +and O +automated O +analysis O +and O +accommodate O +targeted O +environments O +. O + +Strings O +( O +c2 S-TOOL +domains O +and O +functionality O +, O +error O +messages O +, O +etc O +) O +are O +custom O +encrypted O +per O +deployment O +. O + +This O +subset O +of O +SPLM S-MAL +/ O +CHOPSTICK S-MAL +activity O +leads O +into O +several O +small O +surprises O +that O +take O +us O +into O +2018 S-TIME +, O +to O +be O +discussed O +in O +further O +detail O +at O +SAS S-IDTY +2018 S-TIME +. O + +The O +group O +demonstrates O +malleability O +and O +innovation O +in O +maintaining O +and O +producing O +familiar O +SPLM S-MAL +functionality O +, O +but O +the O +pragmatic O +and O +systematic O +approach O +towards O +producing O +undetected O +or O +difficult-to-detect O +malware O +continues O +. O + +Changes O +in O +the O +second O +stage O +SPLM B-MAL +backdoor E-MAL +are O +refined O +, O +making O +the O +code O +reliably O +modular O +. 
O + +It O +’s O +interesting O +to O +note O +that O +this O +version O +of O +SPLM S-MAL +implements O +communications O +that O +are O +fully O +encrypted O +over O +HTTPS S-PROT +. O + +As O +an O +example O +, O +we O +might O +see O +extraneous O +data O +in O +their O +SSL S-PROT +/ O +TLS S-PROT +certificates O +that O +give O +away O +information O +about O +their O +provider O +or O +resources O +. O + +Leading O +up O +to O +summer B-TIME +2017 E-TIME +, O +infrastructure O +mostly O +was O +created O +with O +PDR O +and O +Internet O +Domain O +Service O +BS O +Corp O +, O +and O +their O +resellers O +. O + +Hosting O +mostly O +was O +provided O +at O +Fast O +Serv O +Inc O +and O +resellers O +, O +in O +all O +likelihood O +related O +to O +bitcoin O +payment O +processing O +. O + +Accordingly O +, O +the O +server O +side O +certificates O +appear O +to O +be O +generated O +locally O +on O +VPS S-TOOL +hosts O +that O +exclusively O +are O +paid O +for O +at O +providers O +with O +bitcoin O +merchant O +processing O +. O
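Review bot: the label sequences in this split are not valid BIOES, which will break strict span decoding or be silently discarded by seqeval-style scorers during evaluation on dev. The token `phishing` is tagged `E-ACT` three times in the Sofacy/Bundestag passages (`phishing E-ACT attacks O`) with no preceding `B-ACT`, while the same concept elsewhere is a single-token `spear-phishing S-ACT` / `spearphish S-ACT`; these should be `S-ACT`. Suggest adding a BIOES validator (every `E-`/`I-` must follow a `B-` or `I-` of the same type) to the data loading script and running it over train/dev/test before this file lands, since the dev split is what model selection is based on.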
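Review bot: entity typing for organizations and algorithms is inconsistent within the same passages, which will add label noise to the IDTY, SECTEAM, TOOL and ENCR classes. In the C&C infrastructure passage the hosting provider is `OVH S-TOOL` while `CrookServers.com S-IDTY` and `CrookServers S-IDTY` are IDTY; `DNC S-TOOL` sits next to `WADA S-IDTY` and `CAS S-IDTY`; the vendor `FireEye S-SECTEAM` contrasts with `PwC S-IDTY` and with `root9B O`, which is left untagged although the text names it as the firm that released the report; `Miniduke O` is untagged at first mention and `Miniduke S-APT` on the next; `CyberBerkut S-ACT` labels a group as an action. The hash algorithm names `MD5 S-ENCR`, `SHA1 S-ENCR` and `sha1 S-ENCR` are typed as encryption while their values are correctly `S-MD5` / `S-SHA1`, and the filename `Trump B-FILE ’s_Attack_on_Syria_English.docx E-FILE` has been split at the apostrophe by the tokenizer. Suggest writing down the tagging guideline for vendors, hosting providers and hash algorithms in the dataset README and correcting these occurrences before the file is committed.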