diff --git "a/data/raw/APTNER/APTNERtest.txt" "b/data/raw/APTNER/APTNERtest.txt" new file mode 100644--- /dev/null +++ "b/data/raw/APTNER/APTNERtest.txt" 
@@ -0,0 +1,40578 @@ +One O +certificate O +was O +generated O +locally O +on O +what O +appeared O +to O +be O +a O +HP-UX S-OS +box O +, O +and O +another O +was O +generated O +on O +8569985.securefastserver.com S-DOM +with O +an O +email S-TOOL +address O +root@8569985.securefastserver.com S-EMAIL +, O +as O +seen O +here O +for O +their O +nethostnet.com S-DOM +domain O +. O + +This O +certificate O +configuration O +is O +ignored O +by O +the O +malware O +. O + +Sofacy S-APT +, O +one O +of O +the O +most O +active O +APT O +we O +monitor O +, O +continues O +to O +spearphish S-ACT +their O +way O +into O +targets O +, O +reportedly O +widely O +phishes O +for O +credentials O +, O +and O +infrequently O +participates O +in O +server O +side O +activity O +( O +including O +host O +compromise O +with O +BeEF S-TOOL +deployment O +, O +for O +example O +) O +. O + +KSN S-SECTEAM +visibility O +and O +detections O +suggests O +a O +shift O +from O +their O +early B-TIME +2017 E-TIME +high O +volume O +NATO S-IDTY +spearphish S-ACT +targeting O +towards O +the O +middle B-LOC +east E-LOC +and O +Central B-LOC +Asia E-LOC +, O +and O +finally O +moving O +their O +focus O +further O +east S-LOC +into O +late B-TIME +2017 E-TIME +. O + +Their O +operational O +security O +is O +good O +. O + +Their O +campaigns O +appear O +to O +have O +broken O +out O +into O +subsets O +of O +activity O +and O +malware O +involving O +GAMEFISH S-MAL +, O +Zebrocy S-MAL +, O +and O +SPLM S-MAL +, O +to O +name O +a O +few O +. O + +Their O +evolving O +and O +modified O +SPLM S-MAL +/ O +CHOPSTICK S-MAL +/ O +XAgent S-MAL +code O +is O +a O +long-standing O +part O +of O +Sofacy S-APT +activity O +, O +however O +much O +of O +it O +is O +changing O +. O + +We O +’ll O +cover O +more O +recent O +2018 S-TIME +change O +in O +their O +targeting O +and O +the O +malware O +itself O +at O +SAS S-IDTY +2018 S-TIME +. O + + +A O +journey O +to O +Zebrocy S-MAL +land O +. 
O + +The O +Sednit S-APT +group O +– O +also O +known O +as O +APT28 S-APT +, O +Fancy B-APT +Bear E-APT +, O +Sofacy S-APT +or O +STRONTIUM S-APT +– O +has O +been O +operating O +since O +at O +least O +2004 S-TIME +and O +has O +made O +headlines O +frequently O +in O +past O +years O +. O + +Recently O +, O +we O +unveiled O +the O +existence O +of O +a O +UEFI S-TOOL +rootkit O +, O +called O +LoJax S-MAL +, O +which O +we O +attribute O +to O +the O +Sednit S-APT +group O +. O + +This O +is O +a O +first O +for O +an O +APT O +group O +, O +and O +shows O +Sednit S-APT +has O +access O +to O +very O +sophisticated O +tools O +to O +conduct O +its O +espionage O +operations O +. O + +Three O +years O +ago O +, O +the O +Sednit S-APT +group O +unleashed O +new O +components O +targeting O +victims O +in O +various O +countries O +in O +the O +Middle B-LOC +East E-LOC +and O +Central B-LOC +Asia E-LOC +. O + +Since O +then O +, O +the O +number O +and O +diversity O +of O +components O +has O +increased O +drastically O +. O + +ESET S-SECTEAM +researchers O +and O +colleagues O +from O +other O +companies O +have O +documented O +these O +components O +; O +however O +, O +in O +this O +article O +we O +will O +focus O +on O +what O +’s O +beyond O +the O +compromise O +, O +what O +the O +operators O +do O +once O +a O +victim O +system O +is O +running O +a O +Zebrocy S-MAL +Delphi S-TOOL +backdoor O +. O + +At O +the O +end O +of O +August B-TIME +2018 E-TIME +, O +the O +Sednit S-APT +group O +launched O +a O +spearphishing S-ACT +email S-TOOL +campaign O +where O +it O +distributed O +shortened O +URLs O +that O +delivered O +the O +first O +stage O +of O +Zebrocy S-MAL +components O +. O + +In O +the O +past O +, O +Sednit S-APT +used O +a O +similar O +technique O +for O +credential O +phishing E-ACT +. 
O + +However O +, O +it O +is O +unusual O +for O +the O +group O +to O +use O +this O +technique O +to O +deliver O +one O +of O +its O +malware O +components O +directly O +. O + +Previously O +, O +it O +had O +used O +exploits O +to O +deliver O +and O +execute O +the O +first O +stage O +malware O +, O +while O +in O +this O +campaign O +the O +group O +relied O +entirely O +on O +social O +engineering O +to O +lure O +victims O +into O +running O +the O +first O +part O +of O +the O +chain O +. O + +The O +screenshot O +in O +Figure O +1 O +shows O +Bitly S-TOOL +statistics O +for O +the O +shortened O +URL O +used O +in O +this O +campaign O +. O + +While O +ESET S-SECTEAM +telemetry O +data O +indicates O +that O +this O +URL O +was O +delivered O +by O +spearphishing S-ACT +emails S-TOOL +, O +we O +don’t O +have O +a O +sample O +of O +such O +an O +email S-TOOL +. O + +The O +shortened O +URL O +leads O +the O +victim O +to O +an O +IP-address-based O +URL O +, O +where O +the O +archived O +payload O +is O +located O +. O + +Unfortunately O +, O +without O +the O +email S-TOOL +message O +, O +we O +don’t O +know O +if O +there O +are O +any O +instructions O +for O +the O +user O +, O +if O +there O +is O +any O +further O +social O +engineering O +, O +or O +if O +it O +relies O +solely O +on O +the O +victim O +’s O +curiosity O +. O + +The O +archive O +contains O +two O +files O +; O +the O +first O +is O +an O +executable O +file O +, O +while O +the O +second O +is O +a O +decoy O +PDF S-TOOL +document O +. O + +Note O +there O +is O +a O +typo O +in O +the O +executable O +’s O +filename O +; O +Once O +the O +binary O +is O +executed O +, O +a O +password O +prompt O +dialog O +box O +opens O +. O + +The O +result O +of O +the O +password O +validation O +will O +always O +be O +wrong O +, O +but O +after O +the O +apparent O +validation O +attempt O +, O +the O +decoy O +PDF S-TOOL +document O +is O +opened O +. 
O + +That O +document O +appears O +to O +be O +empty O +, O +but O +the O +downloader O +, O +which O +is O +written O +in O +Delphi S-TOOL +, O +continues O +running O +in O +the O +background O +. O + +The O +IP O +address O +is O +also O +used O +in O +the O +URL O +hardcoded O +into O +the O +first O +binary O +downloader O +. O + +The O +Stage-1 O +downloader O +will O +download O +and O +execute O +a O +new O +downloader O +, O +written O +in O +C++ S-TOOL +, O +not O +so O +different O +from O +other O +Zebrocy S-MAL +downloaders O +. O + +Once O +again O +this O +downloader O +is O +as O +straightforward O +as O +the O +Zebrocy S-MAL +gang O +’s O +other O +downloaders O +. O + +It O +creates O +an O +ID O +and O +it O +downloads O +a O +new O +, O +interesting O +backdoor O +, O +( O +this O +time O +) O +written O +in O +Delphi S-TOOL +. O + +As O +we O +explained O +in O +our O +most O +recent O +blogpost O +about O +Zebrocy S-MAL +, O +the O +configuration O +of O +the O +backdoor O +is O +stored O +in O +in O +the O +resource O +section O +and O +is O +split O +into O +four O +different O +hex-encoded S-ENCR +, O +encrypted O +blobs O +. O + +These O +blobs O +contain O +the O +different O +parts O +of O +the O +configuration O +. O + +Once O +the O +backdoor O +sends O +basic O +information O +about O +its O +newly O +compromised O +system O +, O +the O +operators O +take O +control O +of O +the O +backdoor O +and O +start O +to O +send O +commands O +right O +away O +. O + +Hence O +, O +the O +time O +between O +the O +victim O +running O +the O +downloader O +and O +the O +operators O +’ O +first O +commands O +is O +only O +a O +few O +minutes O +. O + +In O +this O +section O +we O +describe O +in O +more O +detail O +the O +commands O +performed O +manually O +by O +the O +operators O +through O +their O +Delphi S-TOOL +backdoor O +. 
O + +The O +commands O +available O +are O +located O +in O +one O +of O +the O +configuration O +blobs O +mentioned O +earlier O +. O + +The O +number O +of O +supported O +commands O +has O +increased O +over O +time O +, O +with O +the O +latest O +version O +of O +the O +backdoor O +having O +more O +than O +thirty O +. O + +As O +we O +did O +not O +identify O +a O +pattern O +in O +the O +order O +which O +the O +commands O +are O +invoked O +, O +we O +believe O +the O +operators O +are O +executing O +them O +manually O +. O + +The O +first O +set O +of O +commands O +gathers O +information O +about O +the O +victim O +’s O +computer O +and O +environment O +: O + +Commands O +Arguments O +SCREENSHOT O +None O +SYS_INFO O +None O +GET_NETWORK O +None O +SCAN_ALL O +None O +. O + +The O +commands O +above O +are O +commonly O +executed O +when O +the O +operators O +first O +connect O +to O +a O +newly O +activated O +backdoor O +. O + +They O +don’t O +have O +any O +arguments O +, O +and O +they O +are O +quite O +self-explanatory O +. O + +Other O +commands O +commonly O +seen O +executed O +shortly O +after O +these O +backdoors O +are O +activated O +. O + +Those O +who O +already O +have O +read O +our O +previous O +articles O +about O +Zebrocy S-MAL +will O +notice O +that O +more O +or O +less O +the O +same O +kind O +of O +information O +is O +sent O +, O +over O +and O +over O +again O +by O +previous O +stages O +. O + +This O +information O +is O +requested O +within O +a O +few O +minutes O +of O +initial O +compromise O +and O +the O +amount O +of O +data O +the O +operator O +will O +have O +to O +deal O +with O +is O +quite O +considerable O +. O + +In O +order O +to O +collect O +even O +more O +information O +, O +from O +time O +to O +time O +the O +Zebrocy S-MAL +operators O +upload O +and O +use O +dumpers O +on O +victims O +’ O +machines O +. 
O + +The O +current O +dumpers O +have O +some O +similarities O +with O +those O +previously O +used O +by O +the O +group O +. O + +In O +this O +case O +, O +Yandex B-TOOL +Browser E-TOOL +, O +Chromium S-TOOL +, O +7Star B-TOOL +Browser E-TOOL +( O +a O +Chromium-based B-TOOL +browser E-TOOL +) O +, O +and O +CentBrowser S-TOOL +are O +targeted O +, O +as O +well O +as O +versions O +of O +Microsoft S-IDTY +Outlook S-TOOL +from O +1997 S-TIME +through O +2016 S-TIME +. O + +These O +dumpers O +create O +log O +files O +indicating O +the O +presence O +or O +absence O +of O +potential O +databases O +to O +dump O +: O + +Command O +Arguments O +DOWNLOAD_LIST O +C:\ProgramData\Office\MS\out.txt S-FILE +, O +C:\ProgramData\Office\MS\text.txt S-FILE +. O + +These O +dumpers O +are O +quickly O +removed O +once O +they O +have O +done O +their O +job O +. O + +Moreover O +, O +the O +backdoor O +contains O +a O +list O +of O +filenames O +related O +to O +credentials O +from O +software O +listed O +below O +( O +database O +names O +) O +: O + +key3.db S-FILE +Firefox S-TOOL +private O +keys O +( O +now O +named O +key4.db S-FILE +) O +cert8.db S-FILE +Firefox S-TOOL +certificate O +database O +logins.json S-FILE +Firefox S-TOOL +encrypted O +password O +database O +account.cfn S-FILE +The O +Bat O +! O +( O +email S-TOOL +client O +) O +account O +credentials O +wand.dat S-FILE +Opera S-TOOL +password O +database O +. O + +The O +operators O +retrieve O +these O +files O +on O +the O +machine O +using O +the O +DOWNLOAD_LIST O +command O +. O + +This O +command O +can O +be O +used O +when O +the O +operators O +are O +aware O +of O +the O +presence O +of O +interesting O +files O +on O +the O +computer O +. O + +Finally O +, O +depending O +on O +how O +interesting O +the O +victim O +is O +, O +they O +malware O +operators O +may O +deploy O +another O +custom O +backdoor O +. O + +This O +backdoor O +is O +executed O +using O +the O +CMD_EXECUTE O +command O +. 
O + +There O +are O +some O +interesting O +facts O +here O +. O + +First O +, O +they O +use O +COM S-TOOL +object O +hijacking O +to O +make O +the O +malware O +persistent O +on O +the O +system O +even O +though O +the O +custom O +backdoor O +is O +installed O +only O +for O +a O +few O +hours O +. O + +Second O +, O +the O +hex-encoded S-ENCR +string O +is O +the O +C&C S-TOOL +used O +by O +the O +custom O +backdoor O +while O +in O +the O +Delphi S-TOOL +backdoor O +the O +C&C S-TOOL +is O +embedded O +in O +the O +configuration O +. O + + +Sofacy S-APT +Group’s O +Parallel O +Attacks O +. O + +The O +Sofacy S-APT +group O +remains O +a O +persistent O +global O +threat O +. O + +Unit B-SECTEAM +42 E-SECTEAM +and O +others O +have O +shown O +in O +the O +first B-TIME +half I-TIME +of I-TIME +2018 E-TIME +how O +this O +threat O +actor O +group O +continues O +to O +target O +multiple O +organizations O +throughout O +the O +world O +with O +a O +strong O +emphasis O +on O +government O +, O +diplomatic O +and O +other O +strategic O +organizations O +primarily O +in O +North B-LOC +America E-LOC +and O +Europe S-LOC +. O + +Following O +up O +our O +most O +recent O +Sofacy S-APT +research O +in O +February S-TIME +and O +March B-TIME +of I-TIME +2018 E-TIME +, O +we O +have O +found O +a O +new O +campaign O +that O +uses O +a O +lesser O +known O +tool O +widely O +attributed O +to O +the O +Sofacy S-APT +group O +called O +Zebrocy S-MAL +. O + +Zebrocy S-MAL +is O +delivered O +primarily O +via O +phishing S-ACT +attacks O +that O +contain O +malicious O +Microsoft S-IDTY +Office S-IDTY +documents O +with O +macros O +as O +well O +as O +simple O +executable O +file O +attachments O +. O + +This O +third O +campaign O +is O +consistent O +with O +two O +previously O +reported O +attack O +campaigns O +in O +terms O +of O +targeting O +: O +the O +targets O +were O +government O +organizations O +dealing O +with O +foreign O +affairs O +. 
O + +In O +this O +case O +however O +the O +targets O +were O +in O +different O +geopolitical O +regions O +. O + +An O +interesting O +difference O +we O +found O +in O +this O +newest O +campaign O +was O +that O +the O +attacks O +using O +Zebrocy S-MAL +cast O +a O +far O +wider O +net O +within O +the O +target O +organization O +: O +the O +attackers O +sent O +phishing S-ACT +emails S-TOOL +to O +a O +an O +exponentially O +larger O +number O +of O +individuals O +. O + +The O +targeted O +individuals O +did O +not O +follow O +any O +significant O +pattern O +, O +and O +the O +email S-TOOL +addresses O +were O +found O +easily O +using O +web O +search O +engines O +. O + +This O +is O +a O +stark O +contrast O +with O +other O +attacks O +commonly O +associated O +with O +the O +Sofacy S-APT +group O +where O +generally O +no O +more O +than O +a O +handful O +of O +victims O +are O +targeted O +within O +a O +single O +organization O +in O +a O +focus-fire O +style O +of O +attack O +. O + +In O +addition O +to O +the O +large O +number O +of O +Zebrocy S-MAL +attacks O +we O +discovered O +, O +we O +also O +observed O +instances O +of O +the O +Sofacy S-APT +group O +leveraging O +the O +Dynamic B-PROT +Data I-PROT +Exchange E-PROT +( O +DDE S-PROT +) O +exploit O +technique O +previously O +documented O +by O +McAfee S-SECTEAM +. O + +The O +instances O +we O +observed O +, O +however O +, O +used O +the O +DDE O +exploit O +to O +deliver O +different O +payloads O +than O +what O +was O +observed O +previously O +. O + +In O +one O +instance O +the O +DDE S-PROT +attack O +was O +used O +to O +deliver O +and O +install O +Zebrocy S-MAL +. O + +In O +another O +instance O +, O +the O +DDE S-PROT +attack O +was O +used O +to O +deliver O +an O +open-source O +penetration O +testing O +toolkit O +called O +Koadic S-TOOL +. 
O + +The O +Sofacy S-APT +group O +has O +leveraged O +open O +source O +or O +freely O +available O +tools O +and O +exploits O +in O +the O +past O +but O +this O +is O +the O +first O +time O +that O +Unit B-SECTEAM +42 E-SECTEAM +has O +observed O +them O +leveraging O +the O +Koadic S-TOOL +toolkit O +. O + +In O +our O +February S-TIME +report O +, O +we O +discovered O +the O +Sofacy S-APT +group O +using O +Microsoft S-IDTY +Office S-IDTY +documents O +with O +malicious O +macros O +to O +deliver O +the O +SofacyCarberp S-MAL +payload O +to O +multiple O +government O +entities O +. O + +In O +that O +report O +, O +we O +documented O +our O +observation O +that O +the O +Sofacy S-APT +group O +appeared O +to O +use O +conventional O +obfuscation O +techniques O +to O +mask O +their O +infrastructure O +attribution O +by O +using O +random O +registrant O +and O +service O +provider O +information O +for O +each O +of O +their O +attacks O +. O + +In O +particular O +, O +we O +noted O +that O +the O +Sofacy S-APT +group O +deployed O +a O +webpage O +on O +each O +of O +the O +domains O +. O + +This O +is O +odd O +because O +attackers O +almost O +never O +set O +up O +an O +actual O +webpage O +on O +adversary O +C2 S-TOOL +infrastructure O +. O + +Even O +stranger O +, O +each O +webpage O +contained O +the O +same O +content O +within O +the O +body O +. O + +Since O +that O +report O +, O +we O +continued O +our O +research O +into O +this O +oddity O +. O + +Using O +this O +artifact O +, O +we O +were O +able O +to O +pivot O +and O +discover O +another O +attack O +campaign O +using O +the O +DealersChoice S-TOOL +exploit O +kit O +with O +similar O +victimology O +to O +what O +we O +saw O +in O +February O +. O + +Continuing O +to O +use O +this O +artifact O +, O +we O +discovered O +another O +domain O +with O +the O +same O +content O +body O +, O +supservermgr.com O +. 
O + +This O +domain O +was O +registered O +on O +December B-TIME +20 I-TIME +, I-TIME +2017 E-TIME +and O +within O +a O +few O +days O +was O +resolving O +to O +92.222.136.105 S-IP +, O +which O +belonged O +to O +a O +well-known O +VPS S-TOOL +provider O +often O +used O +by O +the O +Sofacy S-APT +group O +. O + +Unfortunately O +, O +at O +the O +time O +of O +collection O +, O +the O +C2 S-TOOL +domain O +had O +been O +sinkholed O +by O +a O +third O +party O +. O + +Based O +on O +dynamic O +and O +static O +analysis O +of O +the O +malware O +sample O +associated O +with O +the O +supservermgr.com S-DOM +domain O +however O +, O +we O +were O +able O +to O +determine O +several O +unique O +artifacts O +which O +allowed O +us O +to O +expand O +our O +dataset O +and O +discover O +additional O +findings O +. O + +First O +, O +we O +determined O +the O +sample O +we O +collected O +, O +d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc S-SHA2 +was O +attempting O +to O +communicate O +to O +its O +C2 S-TOOL +at O +http://supservermgr.com/sys/upd/pageupd.php S-URL +to O +retrieve O +a O +Zebrocy S-MAL +AutoIT S-TOOL +downloader O +. O + +Because O +the O +domain O +had O +been O +sinkholed O +, O +this O +activity O +could O +not O +be O +completed O +. O + +Using O +AutoFocus S-TOOL +, O +we O +pivoted O +from O +the O +user O +agent O +string O +to O +expand O +our O +data O +set O +to O +three O +additional O +Zebrocy S-MAL +samples O +using O +the O +exact O +same O +user O +agent O +. O + +This O +led O +us O +to O +additional O +infrastructure O +for O +Zebrocy S-MAL +at O +185.25.51.198 S-IP +and O +185.25.50.93 S-IP +. O + +At O +this O +point O +we O +had O +collected O +nearly O +thirty O +samples O +of O +Zebrocy S-MAL +in O +relation O +to O +the O +original O +sample O +and O +its O +associated O +C2 S-TOOL +domain O +. 
O + +Additional O +pivoting O +based O +on O +artifacts O +unique O +to O +this O +malware O +family O +expanded O +our O +dataset O +to O +hundreds O +of O +samples O +used O +over O +the O +last O +several O +years O +. O + +Most O +of O +the O +additional O +samples O +were O +the O +Delphi S-TOOL +and O +AutoIT S-TOOL +variants O +as O +reported O +by O +ESET S-SECTEAM +. O + +However O +, O +several O +of O +the O +collected O +samples O +were O +a O +C++ S-TOOL +variant O +of O +the O +Zebrocy S-MAL +downloader O +tool O +. O + +In O +addition O +, O +we O +discovered O +evidence O +of O +a O +completely O +different O +payload O +in O +Koadic S-TOOL +being O +delivered O +as O +well O +. O + +Also O +, O +we O +found O +the O +IP O +address O +185.25.50.93 S-IP +hosting O +C2 S-TOOL +services O +for O +a O +Delphi S-TOOL +backdoor O +that O +ESET S-SECTEAM +’s O +report O +states O +is O +the O +final O +stage O +payload O +for O +these O +attacks O +. O + +Please O +note O +this O +is O +not O +a O +comprehensive O +chart O +of O +all O +Zebrocy S-MAL +and O +Koadic O +samples O +we O +were O +able O +to O +collect O +. O + +Only O +samples O +mentioned O +or O +relevant O +to O +the O +relational O +analysis O +have O +been O +included O +. O + +From O +the O +185.25.50.93 S-IP +C2 S-TOOL +IP O +, O +we O +discovered O +another O +hard-coded O +user O +agent O +being O +used O +by O +Zebrocy S-MAL +: O + +Mozilla S-IDTY +( O +Windows S-OS +NT O +6.1 O +; O +WOW64 O +) O +WinHttp/1.6.3.8 O +( O +WinHTTP/5.1 O +) O +like O +Gecko S-TOOL +. O + +We O +observed O +several O +samples O +of O +Zebrocy S-MAL +using O +this O +user O +agent O +targeting O +the O +foreign O +affairs O +ministry O +of O +a O +large O +Central O +Asian O +nation O +. O + +Pivoting O +off O +of O +this O +artifact O +provided O +us O +additional O +Zebrocy S-MAL +samples O +. 
O + +One O +sample O +in O +particular O +, O +cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df S-SHA2 +used O +yet O +another O +unique O +user O +agent O +string O +in O +combination O +with O +the O +previous O +user O +agent O +for O +its O +C2 S-TOOL +: O +Mozilla S-IDTY +v5.1 O +( O +Windows S-OS +NT O +6.1 O +; O +rv O +: O +6.0.1 O +) O +Gecko S-TOOL +Firefox S-TOOL +. O + +A O +malware O +sample O +using O +two O +separate O +unique O +user O +agent O +strings O +is O +uncommon O +. O + +A O +closer O +examination O +of O +the O +tool O +revealed O +the O +second O +user O +agent O +string O +was O +from O +a O +secondary O +payload O +that O +was O +retrieved O +by O +the O +cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df S-SHA2 +sample O +. O + +Pivoting O +from O +the O +Mozilla S-IDTY +v5.1 O +user O +agent O +revealed O +over O +forty O +additional O +Zebrocy S-MAL +samples O +, O +with O +several O +again O +targeting O +the O +same O +Central O +Asian O +nation O +. O + +Two O +samples O +specifically O +, O +25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 S-SHA2 +and O +115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 S-SHA2 +provided O +additional O +artifacts O +we O +were O +able O +to O +pivot O +from O +to O +discover O +weaponized O +documents O +to O +deliver O +Zebrocy S-MAL +as O +well O +as O +a O +Koadic S-TOOL +. O + +Examining O +the O +use O +of O +the O +unique O +user O +agents O +’ O +strings O +over O +time O +shows O +that O +while O +previously O +only O +the O +Mozilla S-IDTY +user O +agent O +was O +in O +use O +, O +since O +mid B-TIME +2017 E-TIME +all O +three O +user O +agent O +strings O +have O +been O +used O +by O +the O +Zebrocy S-MAL +tool O +for O +its O +C2 S-TOOL +communications O +. 
O + +The O +two O +weaponized O +documents O +we O +discovered O +leveraging O +DDE O +were O +of O +particular O +interest O +due O +to O +victimology O +and O +a O +change O +in O +tactics O +. O + +While O +examining O +25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 S-SHA2 +, O +we O +were O +able O +to O +pivot O +from O +its O +C2 S-TOOL + +220.158.216.127 S-IP +to O +gather O +additional O +Zebrocy S-MAL +samples O +as O +well O +as O +a O +weaponized O +document O +. O + +This O +document O +85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5 S-SHA2 +appears O +to O +have O +been O +targeting O +a O +North O +American O +government O +organization O +dealing O +with O +foreign O +affairs O +. O + +It O +leveraged O +DDE S-PROT +to O +retrieve O +and O +install O +a O +payload O +onto O +the O +victim O +host O +. O + +A O +decoy O +document O +is O +deployed O +in O +this O +attack O +, O +with O +the O +contents O +purporting O +be O +a O +publicly O +available O +document O +from O +the O +United B-LOC +Nations E-LOC +regarding O +the O +Republic B-LOC +of I-LOC +Uzbekistan E-LOC +. O + +The O +creator O +of O +the O +weaponized O +document O +appended O +their O +DDE S-LOC +instructions O +to O +the O +end O +of O +the O +document O +after O +all O +of O +the O +decoy O +contents O +. O + +When O +the O +document O +is O +opened O +in O +Word S-TOOL +, O +the O +instructions O +are O +not O +immediately O +visible O +, O +as O +Word S-TOOL +does O +not O +display O +these O +fields O +contents O +by O +default O +. O + +As O +you O +can O +see O +in O +the O +following O +screenshot O +, O +simply O +attempting O +to O +highlight O +the O +lines O +in O +which O +the O +DDE S-PROT +instructions O +reside O +does O +not O +display O +them O +. 
O + +Enabling O +the O +“ O +Toggle O +Field O +Codes O +” O +feature O +reveals O +the O +DDE S-PROT +instructions O +to O +us O +and O +shows O +that O +the O +author O +had O +set O +instructions O +to O +size O +1 O +font O +and O +with O +a O +white O +coloring O +. O + +The O +use O +of O +a O +white O +font O +coloring O +to O +hide O +contents O +within O +a O +weaponized O +document O +is O +a O +technique O +we O +had O +previously O +reported O +being O +used O +by O +the O +Sofacy S-APT +group O +in O +a O +malicious O +macro O +attack O +. O + +The O +DDE S-PROT +instructions O +attempt O +to O +run O +the O +following O +the O +following O +command O +on O +the O +victim O +host O +, O +which O +attempts O +to O +download O +and O +execute O +a O +payload O +from O +a O +remote O +server O +. O + +During O +our O +analysis O +, O +we O +observed O +this O +DDE S-PROT +downloading O +and O +executing O +a O +Zebrocy S-MAL +AutoIt S-TOOL +downloader O +f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1 S-SHA2 +, O +configured O +to O +attempt O +to O +download O +an O +additional O +payload O +from O +220.158.216.127 S-IP +. O + +The O +DDE S-PROT +instructions O +also O +included O +another O +command O +that O +it O +did O +not O +run O +, O +which O +suggests O +it O +is O +an O +artifact O +of O +a O +prior O +version O +of O +this O +delivery O +document O +. O + +The O +following O +shows O +this O +unused O +command O +, O +which O +exposed O +an O +additional O +server O +within O +Sofacy S-APT +’s O +infrastructure O +would O +download O +and O +execute O +an O +encoded O +PowerShell S-TOOL +script O +from O +92.114.92.102 S-IP +. O + +The O +unused O +command O +above O +appears O +to O +be O +related O +to O +previous O +attacks O +, O +specifically O +attacks O +that O +occurred O +in O +November B-TIME +2017 E-TIME +as O +discussed O +by O +McAfee S-SECTEAM +and O +ESET S-SECTEAM +. 
O + +The O +payload O +delivered O +in O +these O +November B-TIME +2017 E-TIME +attacks O +using O +DDE S-PROT +enabled O +documents O +was O +SofacyCarberp S-MAL +, O +which O +differs O +from O +the O +Zebrocy S-MAL +downloader O +delivered O +in O +the O +February B-TIME +2018 E-TIME +attacks O +. O +115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 S-SHA2 +was O +another O +Zebrocy S-MAL +sample O +we O +were O +able O +to O +pivot O +from O +by O +gathering O +additional O +samples O +connecting O +to O +its O +C2 S-TOOL +86.106.131.177 S-IP +. O + +The O +additional O +samples O +targeted O +the O +same O +large O +Central O +Asian O +nation O +state O +as O +previously O +mentioned O +but O +more O +interestingly O +, O +one O +of O +the O +samples O +was O +a O +weaponized O +document O +also O +leveraging O +DDE S-PROT +and O +containing O +a O +non-Zebrocy O +payload O +. O + +The O +payload O +turned O +out O +to O +be O +an O +open O +source O +penetration O +test O +toolkit O +called O +Koadic O +. O + +It O +is O +a O +toolkit O +similar O +to O +Metasploit S-TOOL +or O +PowerShell S-TOOL +Empire S-TOOL +and O +is O +freely O +available O +to O +anyone O +on O +Github S-TOOL +. O + +The O +RTF S-TOOL +document O +8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff S-SHA2 +was O +very O +small O +in O +size O +at O +264 O +bytes O +. O + +The O +contents O +above O +use O +the O +DDE S-PROT +functionality O +in O +Microsoft S-IDTY +Word S-TOOL +to O +run O +a O +PowerShell S-TOOL +script O +to O +download O +the O +Koadic S-TOOL +payload O +from O +a O +remote O +server O +, O +save O +it O +as O +an O +executable O +file O +on O +the O +system O +and O +then O +execute O +the O +payload O +. O + +The O +Sofacy S-APT +group O +continues O +their O +targeted O +attack O +campaigns O +in O +2018 S-TIME +. 
O + +As O +mentioned O +in O +this O +blog O +, O +Sofacy S-APT +is O +carrying O +out O +parallel O +campaigns O +to O +attack O +similar O +targets O +around O +the O +world O +but O +with O +different O +toolsets O +. O + +The O +Zebrocy S-MAL +tool O +associated O +with O +this O +current O +strain O +of O +attacks O +is O +constructed O +in O +several O +different O +forms O +based O +on O +the O +programming O +language O +the O +developer O +chose O +to O +create O +the O +tool O +. O + +We O +have O +observed O +Delphi S-TOOL +, O +AutoIt S-TOOL +, O +and O +C++ S-TOOL +variants O +of O +Zebrocy S-MAL +, O +all O +of O +which O +are O +related O +not O +only O +in O +their O +functionality O +, O +but O +also O +at O +times O +by O +chaining O +the O +variants O +together O +in O +a O +single O +attack O +. O + +These O +attacks O +are O +still O +largely O +perpetrated O +via O +spear B-ACT +phishing E-ACT +campaigns O +, O +whether O +via O +simple O +executable O +attachments O +in O +hopes O +that O +a O +victim O +will O +launch O +the O +file O +to O +using O +a O +previously O +observed O +DDE S-PROT +exploitation O +technique O +. O + + +Sofacy S-APT +Uses O +DealersChoice S-TOOL +to O +Target O +European O +Government O +Agency O +. O + +Back O +in O +October B-TIME +2016 E-TIME +, O +Unit O +42 O +published O +an O +initial O +analysis O +on O +a O +Flash S-TOOL +exploitation O +framework O +used O +by O +the O +Sofacy S-APT +threat O +group O +called O +DealersChoice S-TOOL +. O + +The O +attack O +consisted O +of O +Microsoft S-IDTY +Word S-TOOL +delivery O +documents O +that O +contained O +Adobe S-IDTY +Flash S-TOOL +objects O +capable O +of O +loading O +additional O +malicious O +Flash S-TOOL +objects O +embedded O +in O +the O +file O +or O +directly O +provided O +by O +a O +command O +and O +control O +server O +. 
O + +Sofacy S-APT +continued O +to O +use O +DealersChoice S-TOOL +throughout O +the O +fall B-TIME +of I-TIME +2016 E-TIME +, O +which O +we O +also O +documented O +in O +our O +December B-TIME +2016 E-TIME +publication O +discussing O +Sofacy S-APT +’s O +larger O +campaign O +. O + +On O +March B-TIME +12 E-TIME +and O +March B-TIME +14 E-TIME +, O +we O +observed O +the O +Sofacy S-APT +group O +carrying O +out O +an O +attack O +on O +a O +European O +government O +agency O +involving O +an O +updated O +variant O +of O +DealersChoice S-TOOL +. O + +The O +updated O +DealersChoice S-TOOL +documents O +used O +a O +similar O +process O +to O +obtain O +a O +malicious O +Flash S-TOOL +object O +from O +a O +C2 S-TOOL +server O +, O +but O +the O +inner O +mechanics O +of O +the O +Flash S-TOOL +object O +contained O +significant O +differences O +in O +comparison O +to O +the O +original O +samples O +we O +analyzed O +. O + +One O +of O +the O +differences O +was O +a O +particularly O +clever O +evasion O +technique O +: O +to O +our O +knowledge O +this O +has O +never O +been O +observed O +in O +use O +. O + +With O +the O +previous O +iterations O +of O +DealersChoice S-TOOL +samples O +, O +the O +Flash S-TOOL +object O +would O +immediately O +load O +and O +begin O +malicious O +tasks O +. O + +In O +the O +March S-TIME +attacks O +, O +the O +Flash S-TOOL +object O +is O +only O +loaded O +if O +the O +user O +scrolls O +through O +the O +entire O +content O +of O +the O +delivery O +document O +and O +views O +the O +specific O +page O +the O +Flash S-TOOL +object O +is O +embedded O +on O +. O + +Also O +, O +DealersChoice S-TOOL +requires O +multiple O +interactions O +with O +an O +active O +C2 S-TOOL +server O +to O +successfully O +exploit O +an O +end O +system O +. 
O + +The O +overall O +process O +to O +result O +in O +a O +successful O +exploitation O +is O +: O + +User O +must O +open O +the O +Microsoft S-IDTY +Word S-TOOL +email S-TOOL +attachment O +; O + +User O +must O +scroll O +to O +page O +three O +of O +the O +document O +, O +which O +will O +run O +the O +DealersChoice S-TOOL +Flash S-TOOL +object O +; O + +The O +Flash S-TOOL +object O +must O +contact O +an O +active O +C2 S-TOOL +server O +to O +download O +an O +additional O +Flash S-TOOL +object O +containing O +exploit O +code O +; O + +The O +initial O +Flash S-TOOL +object O +must O +contact O +the O +same O +C2 S-TOOL +server O +to O +download O +a O +secondary O +payload O +; O + +Victim O +host O +must O +have O +a O +vulnerable O +version O +of O +Flash S-TOOL +installed O +. O + +The O +attack O +involving O +this O +updated O +variant O +of O +DealersChoice S-TOOL +was O +targeting O +a O +European O +government O +organization O +. O + +The O +attack O +relied O +on O +a O +spear-phishing S-ACT +email S-TOOL +with O +a O +subject O +of O +“ O +Defence O +& O +Security O +2018 O +Conference O +Agenda O +” O +that O +had O +an O +attachment O +with O +a O +filename O +of O +“ O +Defence&Security_2018_Conference_Agenda.docx S-FILE +” O +. O + +The O +attached O +document O +contains O +a O +conference O +agenda O +that O +the O +Sofacy S-APT +group O +appears O +to O +have O +copied O +directly O +from O +the O +website O +for O +the O +“ O +Underwater O +Defence O +& O +Security O +2018 O +Conference O +” O +here O +. O + +Opening O +the O +attached O +“ O +Defence B-FILE +& I-FILE +Security I-FILE +2018 I-FILE +Conference I-FILE +Agenda.docx E-FILE +” O +file O +does O +not O +immediately O +run O +malicious O +code O +to O +exploit O +the O +system O +. 
O + +Instead O +, O +the O +user O +must O +scroll O +to O +the O +third O +page O +of O +the O +document O +, O +which O +will O +load O +a O +Flash S-TOOL +object O +that O +contains O +ActionScript S-TOOL +that O +will O +attempt O +to O +exploit O +the O +user O +’s O +system O +to O +install O +a O +malicious O +payload O +. O + +The O +Flash S-TOOL +object O +embedded O +within O +this O +delivery O +document O +is O +a O +variant O +of O +an O +exploit O +tool O +that O +we O +call O +DealersChoice S-TOOL +. O + +This O +suggests O +that O +the O +Sofacy S-APT +group O +is O +confident O +that O +the O +targeted O +individuals O +would O +be O +interested O +enough O +in O +the O +content O +to O +peruse O +through O +it O +. O + +We O +analyzed O +the O +document O +to O +determine O +the O +reason O +that O +the O +malicious O +Flash S-TOOL +object O +only O +ran O +when O +the O +user O +scrolled O +to O +the O +third O +page O +. O + +According O +to O +the O +document.xml S-FILE +file O +, O +the O +DealersChoice S-TOOL +loader O +SWF S-TOOL +exists O +after O +the O +“ O +covert-shores-small.png S-FILE +” O +image O +file O +within O +the O +delivery O +document O +. O + +This O +image O +file O +exists O +on O +the O +third O +page O +of O +the O +document O +, O +so O +the O +user O +would O +have O +to O +scroll O +down O +in O +the O +document O +to O +this O +third O +page O +to O +get O +the O +SWF S-TOOL +file O +to O +run O +. O + +The O +user O +may O +not O +notice O +the O +Flash S-TOOL +object O +on O +the O +page O +, O +as O +Word S-TOOL +displays O +it O +as O +a O +tiny O +black O +box O +in O +the O +document O +, O +as O +seen O +in O +Figure O +1 O +. O + +This O +is O +an O +interesting O +anti-sandbox O +technique O +, O +as O +it O +requires O +human O +interaction O +prior O +to O +the O +document O +exhibiting O +any O +malicious O +activity O +. 
O + +This O +DealersChoice S-TOOL +Flash S-TOOL +object O +shares O +a O +similar O +process O +to O +previous O +variants O +; O +however O +, O +it O +appears O +that O +the O +Sofacy S-APT +actors O +have O +made O +slight O +changes O +to O +its O +internal O +code O +. O + +Also O +, O +it O +appears O +that O +the O +actors O +used O +ActionScript S-TOOL +from O +an O +open O +source O +video O +player O +called O +“ O +f4player S-TOOL +” O +, O +which O +is O +freely O +available O +on O +GitHub S-TOOL +. O + +The O +Sofacy S-APT +developer O +modified O +the O +f4player S-TOOL +’s O +ActionScript S-TOOL +to O +include O +additional O +code O +to O +load O +an O +embedded O +Flash S-TOOL +object O +. O + +The O +additions O +include O +code O +to O +decrypt O +an O +embedded O +Flash S-TOOL +object O +and O +an O +event O +handler O +that O +calls O +a O +newly O +added O +function O +( O +“ O +skinEvent2 O +” O +) O +that O +plays O +the O +decrypted O +object O +. O + +The O +above O +code O +allows O +DealersChoice S-TOOL +to O +load O +a O +second O +SWF S-TOOL +object O +, O +specifically O +loading O +it O +with O +an O +argument O +that O +includes O +a O +C2 S-TOOL +URL O +of O +“ O +http://ndpmedia24.com/0pq6m4f.m3u8 S-URL +” O +. O + +The O +embedded O +SWF S-TOOL +extracts O +the O +domain O +from O +the O +C2 S-TOOL +URL O +passed O +to O +it O +and O +uses O +it O +to O +craft O +a O +URL O +to O +get O +the O +server O +’s O +‘ O +crossdomain.xml S-FILE +’ O +file O +in O +order O +to O +obtain O +permissions O +to O +load O +additional O +Flash S-TOOL +objects O +from O +the O +C2 S-TOOL +domain O +. O + +The O +ActionScript S-TOOL +relies O +on O +event O +listeners O +to O +call O +specific O +functions O +when O +the O +event O +“ O +Event.COMPLETE S-FILE +” O +is O +triggered O +after O +successful O +HTTP S-PROT +requests O +are O +issued O +to O +the O +C2 S-TOOL +server O +. 
O + +The O +event O +handlers O +call O +functions O +with O +the O +following O +names O +, O +which O +includes O +an O +incrementing O +number O +that O +represents O +the O +order O +in O +which O +the O +functions O +are O +called O +: O +onload1 O +, O +onload2 O +, O +onload3 O +, O +onload5 O +. O + +With O +these O +event O +handlers O +created O +, O +the O +ActionScript S-TOOL +starts O +by O +gathering O +system O +data O +from O +the O +flash.system.Capabilities.serverString O +property O +( O +just O +like O +in O +the O +original O +DealersChoice.B S-FILE +samples O +) O +and O +issues O +an O +HTTP S-PROT +GET O +with O +the O +system O +data O +as O +a O +parameter O +to O +the O +C2 S-TOOL +URL O +that O +was O +passed O +as O +an O +argument O +to O +the O +embedded O +SWF S-TOOL +when O +it O +was O +initially O +loaded O +. O + +When O +this O +HTTP S-PROT +request O +completes O +, O +the O +event O +listener O +will O +call O +the O +‘ O +onload1 O +’ O +function O +. O + +The O +‘ O +onload1 O +’ O +function O +parses O +the O +response O +data O +from O +the O +request O +to O +the O +C2 S-TOOL +URL O +using O +regular O +expressions O +. O + +The O +regular O +expressions O +suggest O +that O +the O +C2 S-TOOL +server O +responds O +with O +content O +that O +is O +meant O +to O +resemble O +HTTP B-TOOL +Live I-TOOL +Steaming E-TOOL +( O +HLS S-TOOL +) O +traffic O +, O +which O +is O +a O +protocol O +that O +uses O +HTTP S-PROT +to O +deliver O +audio O +and O +video O +files O +for O +streaming O +. O + +The O +use O +of O +HLS S-TOOL +coincides O +with O +the O +use O +of O +ActionScript S-TOOL +code O +from O +the O +f4player S-TOOL +to O +make O +the O +traffic O +seem O +legitimate O +. O + +The O +variables O +storing O +the O +results O +of O +the O +regular O +expression O +matches O +are O +used O +within O +the O +ActionScript S-TOOL +for O +further O +interaction O +with O +the O +C2 S-TOOL +server O +. 
O + +The O +‘ O +onload1 O +’ O +function O +then O +sends O +an O +HTTP S-PROT +GET O +request O +to O +the O +C2 S-TOOL +domain O +using O +the O +value O +stored O +in O +the O +‘ O +r3 O +’ O +variable O +as O +a O +URL O +. O + +When O +this O +HTTP S-PROT +request O +completes O +, O +the O +event O +listener O +will O +call O +the O +‘ O +onload2 O +’ O +function O +. O + +The O +‘ O +onload2 O +’ O +function O +decrypts O +the O +response O +received O +from O +the O +HTTP S-PROT +request O +issued O +in O +‘ O +onload1 O +’ O +function O +. O + +It O +does O +so O +by O +calling O +a O +sub-function O +to O +decrypt O +the O +content O +, O +using O +the O +value O +stored O +in O +the O +‘ O +r1 O +’ O +variable O +as O +a O +key O +. O + +The O +sub-function O +to O +decrypt O +the O +content O +skips O +the O +first O +4 O +bytes O +, O +suggesting O +that O +the O +first O +four O +bytes O +of O +the O +downloaded O +content O +is O +in O +cleartext O +( O +most O +likely O +the O +“ O +FWS S-TOOL +” O +or O +“ O +CWS S-TOOL +” O +header O +to O +look O +legitimate O +) O +. O + +After O +decrypting O +the O +content O +, O +the O +‘ O +onload2 O +’ O +function O +will O +issue O +another O +HTTP S-PROT +GET O +request O +with O +the O +system O +data O +as O +a O +parameter O +, O +but O +this O +time O +to O +the O +C2 S-TOOL +using O +a O +URL O +from O +the O +‘ O +r4 O +’ O +variable O +. O + +When O +this O +request O +completes O +, O +the O +event O +listener O +will O +call O +the O +‘ O +onload3 O +’ O +function O +. O + +The O +‘ O +onload3 O +’ O +function O +will O +take O +the O +response O +to O +the O +HTTP S-PROT +request O +in O +‘ O +onload2 O +’ O +and O +treat O +it O +as O +the O +payload O +. O + +The O +ActionScript S-TOOL +will O +read O +each O +byte O +of O +the O +C2 S-TOOL +response O +and O +get O +the O +hexadecimal O +value O +. 
O + +This O +hexadecimal O +string O +will O +most O +likely O +be O +a O +string O +of O +shellcode O +that O +will O +contain O +and O +decrypt O +the O +ultimate O +portable B-TOOL +executable E-TOOL +( O +PE S-TOOL +) O +payload O +. O + +The O +string O +of O +comma O +separated O +hexadecimal O +values O +is O +passed O +as O +a O +parameter O +when O +loading O +the O +SWF S-TOOL +file O +downloaded O +in O +‘ O +onload2 O +’ O +. O + +This O +function O +creates O +an O +event O +listener O +for O +when O +the O +SWF S-TOOL +file O +is O +successfully O +loaded O +, O +which O +will O +call O +the O +‘ O +onload5 O +’ O +function O +. O + +The O +‘ O +onload5 O +’ O +function O +is O +responsible O +for O +adding O +the O +newly O +loaded O +SWF S-TOOL +object O +as O +a O +child O +object O +. O + +This O +loads O +the O +SWF S-TOOL +file O +, O +effectively O +running O +the O +malicious O +code O +on O +the O +system O +. O + +During O +our O +analysis O +, O +we O +were O +unable O +to O +coerce O +the O +C2 S-TOOL +into O +providing O +a O +malicious O +SWF S-TOOL +or O +payload O +. O + +As O +mentioned O +in O +our O +previous O +blogs O +on O +DealersChoice S-TOOL +, O +the O +payload O +of O +choice O +for O +previous O +variants O +was O +SofacyCarberp S-MAL +( O +Seduploader S-MAL +) O +, O +but O +we O +have O +no O +evidence O +to O +suggest O +this O +tool O +was O +used O +in O +this O +attack O +. O + +We O +are O +actively O +researching O +and O +will O +update O +this O +blog O +in O +the O +event O +we O +discover O +the O +malicious O +Flash S-TOOL +object O +and O +payload O +delivered O +in O +this O +attack O +. O + +The O +delivery O +document O +used O +in O +this O +attack O +was O +last O +modified O +by O +a O +user O +named O +‘ O +Nick O +Daemoji O +’ O +, O +which O +provides O +a O +linkage O +to O +previous O +Sofacy S-APT +related O +delivery O +documents O +. 
O + +The O +previous O +documents O +that O +used O +this O +user O +name O +were O +macro-laden O +delivery O +documents O +that O +installed O +SofacyCarberp S-MAL/Seduploader S-MAL +payloads O +, O +as O +discussed O +in O +Talos O +’ O +blog O +. O + +This O +overlap O +also O +points O +to O +a O +similar O +social O +engineering O +theme O +between O +these O +two O +campaigns O +, O +as O +both O +used O +content O +from O +upcoming O +military O +and O +defense O +conferences O +as O +a O +lure O +. O + +The O +Sofacy S-APT +threat O +group O +continues O +to O +use O +their O +DealersChoice S-TOOL +framework O +to O +exploit O +Flash S-TOOL +vulnerabilities O +in O +their O +attack O +campaigns O +. O + +In O +the O +most O +recent O +variant O +, O +Sofacy S-APT +modified O +the O +internals O +of O +the O +malicious O +scripts O +, O +but O +continues O +to O +follow O +the O +same O +process O +used O +by O +previous O +variants O +by O +obtaining O +a O +malicious O +Flash S-TOOL +object O +and O +payload O +directly O +from O +the O +C2 S-TOOL +server O +. O + +Unlike O +previous O +samples O +, O +this O +DealersChoice S-TOOL +used O +a O +DOCX S-TOOL +delivery O +document O +that O +required O +the O +user O +to O +scroll O +through O +the O +document O +to O +trigger O +the O +malicious O +Flash S-TOOL +object O +. O + +DealersChoice S-TOOL +: O + +0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7 S-SHA2 +( O +Defence&Security_2018_Conference_Agenda.docx S-FILE +) O +ndpmedia24.com S-DOM +. O + +Corporate O +IoT S-TOOL +– O +a O +path O +to O +intrusion O +. O + +Several O +sources O +estimate O +that O +by O +the O +year O +2020 S-TIME +some O +50 O +billion O +IoT S-TOOL +devices O +will O +be O +deployed O +worldwide O +. 
O + +IoT S-TOOL +devices O +are O +purposefully O +designed O +to O +connect O +to O +a O +network O +and O +many O +are O +simply O +connected O +to O +the O +internet O +with O +little O +management O +or O +oversight O +. O + +Such O +devices O +still O +must O +be O +identifiable O +, O +maintained O +, O +and O +monitored O +by O +security O +teams O +, O +especially O +in O +large O +complex O +enterprises O +. O + +Some O +IoT S-TOOL +devices O +may O +even O +communicate O +basic O +telemetry O +back O +to O +the O +device O +manufacturer O +or O +have O +means O +to O +receive O +software O +updates O +. O + +In O +most O +cases O +however O +, O +the O +customers O +’ O +IT O +operation O +center O +don’t O +know O +they O +exist O +on O +the O +network O +. O + +In O +2016 S-TIME +, O +the O +Mirai S-MAL +botnet O +was O +discovered O +by O +the O +malware O +research O +group O +MalwareMustDie S-SECTEAM +. O + +The O +botnet O +initially O +consisted O +of O +IP O +cameras O +and O +basic O +home O +routers O +, O +two O +types O +of O +IoT S-TOOL +devices O +commonly O +found O +in O +the O +household O +. O + +As O +more O +variants O +of O +Mirai S-MAL +emerged O +, O +so O +did O +the O +list O +IoT S-TOOL +devices O +it O +was O +targeting O +. O + +The O +source O +code O +for O +the O +malware O +powering O +this O +botnet O +was O +eventually O +leaked O +online O +. O + +In O +2018 S-TIME +, O +hundreds O +of O +thousands O +of O +home O +and O +small O +business O +networking O +and O +storage O +devices O +were O +compromised O +and O +loaded O +with O +the O +so-called O +“ O +VPN B-MAL +Filter E-MAL +” O +malware O +. 
O + +The O +FBI S-IDTY +has O +publicly O +attributed O +this O +activity O +to O +a O +nation-state O +actor O +and O +took O +subsequent O +actions O +to O +disrupt O +this O +botnet O +, O +although O +the O +devices O +would O +remain O +vulnerable O +to O +re-infection O +unless O +proper O +firmware O +or O +security O +controls O +were O +put O +in O +place O +by O +the O +user O +. O + +There O +were O +also O +multiple O +press O +reports O +of O +cyber-attacks O +on O +several O +devices O +during O +the O +opening O +ceremonies O +for O +the O +2018 S-TIME +Olympic B-IDTY +Games E-IDTY +in O +PyeongChang S-LOC +. O + +Officials O +did O +confirm O +a O +few O +days O +later O +that O +they O +were O +a O +victim O +of O +malicious O +cyber-attacks O +that O +prevented O +attendees O +from O +printing O +their O +tickets O +to O +the O +Games S-IDTY +and O +televisions O +and O +internet O +access O +in O +the O +main O +press O +center O +simply O +stopped O +working O +. O + +In O +April S-TIME +, O +security O +researchers O +in O +the O +Microsoft S-IDTY +Threat B-SECTEAM +Intelligence I-SECTEAM +Center E-SECTEAM +discovered O +infrastructure O +of O +a O +known O +adversary O +communicating O +to O +several O +external O +devices O +. O + +Further O +research O +uncovered O +attempts O +by O +the O +actor O +to O +compromise O +popular O +IoT S-TOOL +devices O +( O +a O +VOIP B-TOOL +phone E-TOOL +, O +an O +office B-TOOL +printer E-TOOL +, O +and O +a O +video B-TOOL +decoder E-TOOL +) O +across O +multiple O +customer O +locations O +. O + +The O +investigation O +uncovered O +that O +an O +actor O +had O +used O +these O +devices O +to O +gain O +initial O +access O +to O +corporate O +networks O +. 
O + +In O +two O +of O +the O +cases O +, O +the O +passwords O +for O +the O +devices O +were O +deployed O +without O +changing O +the O +default O +manufacturer O +’s O +passwords O +and O +in O +the O +third O +instance O +the O +latest O +security O +update O +had O +not O +been O +applied O +to O +the O +device O +. O + +These O +devices O +became O +points O +of O +ingress O +from O +which O +the O +actor O +established O +a O +presence O +on O +the O +network O +and O +continued O +looking O +for O +further O +access O +. O + +Once O +the O +actor O +had O +successfully O +established O +access O +to O +the O +network O +, O +a O +simple O +network O +scan O +to O +look O +for O +other O +insecure O +devices O +allowed O +them O +to O +discover O +and O +move O +across O +the O +network O +in O +search O +of O +higher-privileged O +accounts O +that O +would O +grant O +access O +to O +higher-value O +data O +. O + +After O +gaining O +access O +to O +each O +of O +the O +IoT S-TOOL +devices O +, O +the O +actor O +ran O +tcpdump O +to O +sniff O +network O +traffic O +on O +local O +subnets O +. O + +They O +were O +also O +seen O +enumerating O +administrative O +groups O +to O +attempt O +further O +exploitation O +. O + +As O +the O +actor O +moved O +from O +one O +device O +to O +another O +, O +they O +would O +drop O +a O +simple O +shell O +script O +to O +establish O +persistence O +on O +the O +network O +which O +allowed O +extended O +access O +to O +continue O +hunting O +. O + +Analysis O +of O +network O +traffic O +showed O +the O +devices O +were O +also O +communicating O +with O +an O +external O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +server O +. 
O + +The O +following O +IP O +addresses O +are O +believed O +to O +have O +been O +used O +by O +the O +actor O +for O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +during O +these O +intrusions O +: O + +167.114.153.55 S-IP +94.237.37.28 S-IP +82.118.242.171 S-IP +31.220.61.251 S-IP +128.199.199.187 S-IP +. O + +We O +attribute O +the O +attacks O +on O +these O +customers O +using O +three O +popular O +IoT S-TOOL +devices O +to O +an O +activity O +group O +that O +Microsoft S-IDTY +refers O +to O +as O +STRONTIUM S-APT +. O + +Since O +we O +identified O +these O +attacks O +in O +the O +early O +stages O +, O +we O +have O +not O +been O +able O +to O +conclusively O +determine O +what O +STRONTIUM S-APT +’s O +ultimate O +objectives O +were O +in O +these O +intrusions O +. O + +Over O +the O +last O +twelve O +months O +, O +Microsoft S-IDTY +has O +delivered O +nearly O +1400 O +nation-state O +notifications O +to O +those O +who O +have O +been O +targeted O +or O +compromised O +by O +STRONTIUM S-APT +. O + +One O +in O +five O +notifications O +of O +STRONTIUM S-APT +activity O +were O +tied O +to O +attacks O +against O +non-governmental O +organizations O +, O +think O +tanks O +, O +or O +politically O +affiliated O +organizations O +around O +the O +world O +. O + +The O +remaining O +80% O +of O +STRONTIUM S-APT +attacks O +have O +largely O +targeted O +organizations O +in O +the O +following O +sectors O +: O +government O +, O +IT O +, O +military O +, O +defense O +, O +medicine O +, O +education O +, O +and O +engineering O +. O + +We O +have O +also O +observed O +and O +notified O +STRONTIUM S-APT +attacks O +against O +Olympic S-IDTY +organizing O +committees O +, O +anti-doping O +agencies O +, O +and O +the O +hospitality O +industry O +. O + +The O +“ O +VPN B-MAL +Filter E-MAL +” O +malware O +has O +also O +been O +attributed O +to O +STRONTIUM S-APT +by O +the O +FBI S-IDTY +. 
O + +Today O +we O +are O +sharing O +this O +information O +to O +raise O +awareness O +of O +these O +risks O +across O +the O +industry O +and O +calling O +for O +better O +enterprise O +integration O +of O +IoT S-TOOL +devices O +, O +particularly O +the O +ability O +to O +monitor O +IoT S-TOOL +device O +telemetry O +within O +enterprise O +networks O +. O + +Today O +, O +the O +number O +of O +deployed O +IoT S-TOOL +devices O +outnumber O +the O +population O +of O +personal O +computers S-TOOL +and O +mobile B-TOOL +phones E-TOOL +, O +combined O +. O + +With O +each O +networked O +IoT S-TOOL +device O +having O +its O +own O +separate O +network O +stack O +, O +it O +’s O +quite O +easy O +to O +see O +the O +need O +for O +better O +enterprise O +management O +, O +especially O +in O +today O +’s O +“ O +bring O +your O +own O +device O +” O +world O +. O + +While O +much O +of O +the O +industry O +focuses O +on O +the O +threats O +of O +hardware O +implants O +, O +we O +can O +see O +in O +this O +example O +that O +adversaries O +are O +happy O +to O +exploit O +simpler O +configuration O +and O +security O +issues O +to O +achieve O +their O +objectives O +. O + +These O +simple O +attacks O +taking O +advantage O +of O +weak O +device O +management O +are O +likely O +to O +expand O +as O +more O +IoT S-TOOL +devices O +are O +deployed O +in O +corporate O +environments O +. O + +Upon O +conclusion O +of O +our O +investigation O +, O +we O +shared O +this O +information O +with O +the O +manufacturers O +of O +the O +specific O +devices O +involved O +and O +they O +have O +used O +this O +event O +to O +explore O +new O +protections O +in O +their O +products O +. 
O + +However O +, O +there O +is O +a O +need O +for O +broader O +focus O +across O +IoT S-TOOL +in O +general O +, O +both O +from O +security O +teams O +at O +organizations O +that O +need O +to O +be O +more O +aware O +of O +these O +types O +of O +threats O +, O +as O +well O +as O +from O +IoT S-TOOL +device O +makers O +who O +need O +to O +provide O +better O +enterprise O +support O +and O +monitoring O +capabilities O +to O +make O +it O +easier O +for O +security O +teams O +to O +defend O +their O +networks O +. O + +Below O +are O +a O +series O +of O +indicators O +Microsoft S-IDTY +has O +observed O +as O +active O +during O +the O +STRONTIUM S-APT +activity O +discussed O +in O +this O +article O +. O + +Command-and-Control S-TOOL +( O +C2 S-TOOL +) O +IP O +addresses O +: O + +167.114.153.55 S-IP +94.237.37.28 S-IP +82.118.242.171 S-IP +31.220.61.251 S-IP +128.199.199.187 S-IP +. O + + +Operation O +RussianDoll S-ACT +: O +Adobe S-TOOL +& O +Windows S-OS +Zero-Day S-VULNAME +Exploits O +Likely O +Leveraged O +by O +Russia S-LOC +’s O +APT28 S-APT +in O +Highly-Targeted O +Attack O +. O + +FireEye B-SECTEAM +Labs E-SECTEAM +recently O +detected O +a O +limited O +APT O +campaign O +exploiting O +zero-day S-VULNAME +vulnerabilities O +in O +Adobe B-TOOL +Flash E-TOOL +and O +a O +brand-new O +one O +in O +Microsoft S-IDTY +Windows S-OS +. O + +Using O +the O +Dynamic B-TOOL +Threat I-TOOL +Intelligence I-TOOL +Cloud E-TOOL +( O +DTI S-TOOL +) O +, O +FireEye S-SECTEAM +researchers O +detected O +a O +pattern O +of O +attacks O +beginning O +on O +April B-TIME +13th I-TIME +, I-TIME +2015 E-TIME +. O + +Adobe S-TOOL +independently O +patched O +the O +vulnerability O +( O +CVE-2015-3043 S-VULID +) O +in O +APSB15-06 O +. 
O + +Through O +correlation O +of O +technical O +indicators O +and O +command B-TOOL +and I-TOOL +control E-TOOL +infrastructure O +, O +FireEye S-SECTEAM +assess O +that O +APT28 S-APT +is O +probably O +responsible O +for O +this O +activity O +. O + +Microsoft S-IDTY +is O +aware O +of O +the O +outstanding O +local O +privilege O +escalation O +vulnerability O +in O +Windows S-OS +( O +CVE-2015-1701 S-VULID +) O +. O + +While O +there O +is O +not O +yet O +a O +patch O +available O +for O +the O +Windows S-OS +vulnerability O +, O +updating O +Adobe B-TOOL +Flash E-TOOL +to O +the O +latest O +version O +will O +render O +this O +in-the-wild O +exploit O +innocuous O +. O + +We O +have O +only O +seen O +CVE-2015-1701 S-VULID +in O +use O +in O +conjunction O +with O +the O +Adobe B-TOOL +Flash E-TOOL +exploit O +for O +CVE-2015-3043 S-VULID +. O + +The O +Microsoft B-SECTEAM +Security I-SECTEAM +Team E-SECTEAM +is O +working O +on O +a O +fix O +for O +CVE-2015-1701 S-VULID +. O + +The O +high O +level O +flow O +of O +the O +exploit O +is O +as O +follows O +: O + +User O +clicks O +link O +to O +attacker O +controlled O +website O +. O + +HTML/JS S-TOOL +launcher O +page O +serves O +Flash S-TOOL +exploit O +. O + +Flash S-TOOL +exploit O +triggers O +CVE-2015-3043 S-VULID +, O +executes O +shellcode S-TOOL +. O + +Shellcode S-TOOL +downloads O +and O +runs O +executable O +payload O +. O + +Executable O +payload O +exploits O +local O +privilege O +escalation O +( O +CVE-2015-1701 S-VULID +) O +to O +steal O +System O +token O +. O + +The O +Flash S-TOOL +exploit O +is O +served O +from O +unobfuscated O +HTML/JS S-TOOL +. O + +The O +launcher O +page O +picks O +one O +of O +two O +Flash S-TOOL +files O +to O +deliver O +depending O +upon O +the O +target O +’s O +platform O +( O +Windows B-OS +32 E-OS +versus O +64bits O +) O +. 
O + +The O +Flash S-TOOL +exploit O +is O +mostly O +unobfuscated O +with O +only O +some O +light O +variable O +name O +mangling O +. O + +The O +attackers O +relied O +heavily O +on O +the O +CVE-2014-0515 S-VULID +Metasploit S-TOOL +module O +, O +which O +is O +well O +documented O +. O + +It O +is O +ROPless S-TOOL +, O +and O +instead O +constructs O +a O +fake O +vtable O +for O +a O +FileReference O +object O +that O +is O +modified O +for O +each O +call O +to O +a O +Windows S-OS +API S-TOOL +. O + +The O +payload O +exploits O +a O +local O +privilege O +escalation O +vulnerability O +in O +the O +Windows S-OS +kernel O +if O +it O +detects O +that O +it O +is O +running O +with O +limited O +privileges O +. O + +It O +uses O +the O +vulnerability O +to O +run O +code O +from O +userspace O +in O +the O +context O +of O +the O +kernel O +, O +which O +modifies O +the O +attacker O +’s O +process O +token O +to O +have O +the O +same O +privileges O +as O +that O +of O +the O +System O +process O +. O + +The O +primary O +difference O +between O +the O +CVE-2014-0515 S-VULID +metasploit O +module O +and O +this O +exploit O +is O +, O +obviously O +, O +the O +vulnerability O +. O + +CVE-2014-0515 S-VULID +exploits O +a O +vulnerability O +in O +Flash S-TOOL +’s O +Shader O +processing O +, O +whereas O +CVE-2015-3043 S-VULID +exploits O +a O +vulnerability O +in O +Flash S-TOOL +’s O +FLV S-TOOL +processing O +. O + +The O +culprit O +FLV S-TOOL +file O +is O +embedded O +within O +AS3 S-ENCR +in O +two O +chunks O +, O +and O +is O +reassembled O +at O +runtime O +. O + +A O +buffer O +overflow O +vulnerability O +exists O +in O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +( O +<=17.0.0.134 O +) O +when O +parsing O +malformed O +FLV S-TOOL +objects O +. O + +Attackers O +exploiting O +the O +vulnerability O +can O +corrupt O +memory O +and O +gain O +remote O +code O +execution O +. 
O + +In O +the O +exploit O +, O +the O +attacker O +embeds O +the O +FLV S-TOOL +object O +directly O +in O +the O +ActionScript S-TOOL +code O +, O +and O +plays O +the O +video O +using O +NetStream O +class O +. O + +Files O +of O +the O +FLV S-TOOL +file O +format O +contain O +a O +sequence O +of O +Tag O +structures O +. O + +Beginning O +within O +the O +data O +field O +, O +all O +contents O +of O +the O +FLV S-TOOL +stream O +become O +0xEE O +. O + +Consequently O +, O +the O +data O +and O +lastsize O +fields O +are O +mangled O +. O + +Since O +the O +size O +is O +controlled O +by O +the O +attacker O +, O +it O +’s O +possible O +to O +overflow O +the O +fixed O +size O +buffer O +with O +certain O +data O +. O + +As O +the O +previous O +picture O +demonstrated O +, O +the O +followed O +Vector O +object O +’s O +length O +field O +being O +overflowed O +as O +0x80007fff O +, O +which O +enables O +the O +attacker O +to O +read/write O +arbitrary O +data O +within O +user O +space O +. O + +Shellcode S-TOOL +is O +passed O +to O +the O +exploit O +from O +HTML S-TOOL +in O +flashvars O +. O + +The O +shellcode S-TOOL +downloads O +the O +next O +stage O +payload O +, O +which O +is O +an O +executable O +passed O +in O +plaintext O +, O +to O +the O +temp O +directory O +with O +UrlDownloadToFileA O +, O +which O +it O +then O +runs O +with O +WinExec O +. O + +This O +exploit O +delivers O +a O +malware O +variant O +that O +shares O +characteristics O +with O +the O +APT28 S-APT +backdoors O +CHOPSTICK S-MAL +and O +CORESHELL S-MAL +malware O +families O +, O +both O +described O +in O +our O +APT28 S-APT +whitepaper O +. O + +The O +malware O +uses O +an O +RC4 S-ENCR +encryption O +key O +that O +was O +previously O +used O +by O +the O +CHOPSTICK B-MAL +backdoor E-MAL +. 
O + +And O +the O +C2 S-TOOL +messages O +include O +a O +checksum O +algorithm O +that O +resembles O +those O +used O +in O +CHOPSTICK B-MAL +backdoor E-MAL +communications O +. O + +In O +addition O +, O +the O +network O +beacon O +traffic O +for O +the O +new O +malware O +resembles O +those O +used O +by O +the O +CORESHELL B-MAL +backdoor E-MAL +. O + +Like O +CORESHELL S-MAL +, O +one O +of O +the O +beacons O +includes O +a O +process O +listing O +from O +the O +victim O +host O +. O + +And O +like O +CORESHELL S-MAL +, O +the O +new O +malware O +attempts O +to O +download O +a O +second-stage O +executable O +. O + +One O +of O +the O +C2 S-TOOL +locations O +for O +the O +new O +payload O +, O +87.236.215.246 S-IP +, O +also O +hosts O +a O +suspected O +APT28 S-APT +domain O +ssl-icloud.com S-DOM +. O + +The O +same O +subnet O +( O +87.236.215.0 S-DOM +/ O +24 O +) O +also O +hosts O +several O +known O +or O +suspected O +APT28 S-APT +domains O +. O + +The O +payload O +contains O +an O +exploit O +for O +the O +unpatched O +local O +privilege O +escalation O +vulnerability O +CVE-2015-1701 S-VULID +in O +Microsoft S-IDTY +Windows S-OS +. O + +The O +exploit O +uses O +CVE-2015-1701 S-VULID +to O +execute O +a O +callback O +in O +userspace O +. O + +The O +callback O +gets O +the O +EPROCESS S-TOOL +structures O +of O +the O +current O +process O +and O +the O +System O +process O +, O +and O +copies O +data O +from O +the O +System O +token O +into O +the O +token O +of O +the O +current O +process O +. O + +Upon O +completion O +, O +the O +payload O +continues O +execution O +in O +usermode O +with O +the O +privileges O +of O +the O +System O +process O +. O + +Because O +CVE-2015-3043 S-VULID +is O +already O +patched O +, O +this O +remote O +exploit O +will O +not O +succeed O +on O +a O +fully O +patched O +system O +. 
O + +If O +an O +attacker O +wanted O +to O +exploit O +CVE-2015-1701 S-VULID +, O +they O +would O +first O +have O +to O +be O +executing O +code O +on O +the O +victim O +’s O +machine O +. O + +Barring O +authorized O +access O +to O +the O +victim O +’s O +machine O +, O +the O +attacker O +would O +have O +to O +find O +some O +other O +means O +, O +such O +as O +crafting O +a O +new O +Flash S-TOOL +exploit O +, O +to O +deliver O +a O +CVE-2015-1701 S-VULID +payload O +. O + +Microsoft S-IDTY +is O +aware O +of O +CVE-2015-1701 S-VULID +and O +is O +working O +on O +a O +fix O +. O + +CVE-2015-1701 S-VULID +does O +not O +affect O +Windows B-OS +8 E-OS +and O +later O +. O + + +Sofacy S-APT +Attacks O +Multiple O +Government O +Entities O +. O + +Release_Time O +: O +2018-02-28 O + +Report_URL O +: O +https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/ O + +The O +Sofacy S-APT +group O +( O +AKA O +APT28 S-APT +, O +Fancy B-APT +Bear E-APT +, O +STRONTIUM S-APT +, O +Sednit S-APT +, O +Tsar B-APT +Team E-APT +, O +Pawn B-APT +Storm E-APT +) O +is O +a O +well-known O +adversary O +that O +remains O +highly O +active O +in O +the O +new O +calendar O +year O +of O +2018 S-TIME +. O + +Unit B-SECTEAM +42 E-SECTEAM +actively O +monitors O +this O +group O +due O +to O +their O +persistent O +nature O +globally O +across O +all O +industry O +verticals O +. O + +Recently O +, O +we O +discovered O +a O +campaign O +launched O +at O +various O +Ministries B-IDTY +of I-IDTY +Foreign I-IDTY +Affairs E-IDTY +around O +the O +world O +. O + +Interestingly O +, O +there O +appear O +to O +be O +two O +parallel O +efforts O +within O +the O +campaign O +, O +with O +each O +effort O +using O +a O +completely O +different O +toolset O +for O +the O +attacks O +. 
O + +In O +this O +blog O +, O +we O +will O +discuss O +one O +of O +the O +efforts O +which O +leveraged O +tools O +that O +have O +been O +known O +to O +be O +associated O +with O +the O +Sofacy S-APT +group O +. O + +At O +the O +beginning O +of O +February B-TIME +2018 E-TIME +, O +we O +discovered O +an O +attack O +targeting O +two O +government O +institutions O +related O +to O +foreign O +affairs O +. O + +These O +entities O +are O +not O +regionally O +congruent O +, O +and O +the O +only O +shared O +victimology O +involves O +their O +organizational O +functions O +. O + +Specifically O +, O +one O +organization O +is O +geographically O +located O +in O +Europe S-LOC +and O +the O +other O +in O +North B-LOC +America E-LOC +. O + +The O +initial O +attack O +vector O +leveraged O +a O +phishing B-ACT +email E-ACT +, O +using O +the O +subject O +line O +of O +Upcoming B-SECTEAM +Defense E-SECTEAM +events O +February B-TIME +2018 E-TIME +and O +a O +sender O +address O +claiming O +to O +be O +from O +Jane O +’s O +360 S-SECTEAM +defense O +events O +events@ihsmarkit.com S-EMAIL +. O + +Jane O +’s O +by O +IHSMarkit S-IDTY +is O +a O +well-known O +supplier O +of O +information O +and O +analysis O +often O +times O +associated O +with O +the O +defense O +and O +government O +sector O +. O + +Analysis O +of O +the O +email S-TOOL +header O +data O +showed O +that O +the O +sender O +address O +was O +spoofed O +and O +did O +not O +originate O +from O +IHSMarkit S-IDTY +at O +all O +. O + +The O +lure O +text O +in O +the O +phishing B-ACT +email E-ACT +claims O +the O +attachment O +is O +a O +calendar O +of O +events O +relevant O +to O +the O +targeted O +organizations O +and O +contained O +specific O +instructions O +regarding O +the O +actions O +the O +victim O +would O +have O +to O +take O +if O +they O +had O +“ O +trouble O +viewing O +the O +document O +” O +. 
O + +The O +attachment O +itself O +is O +an O +Microsoft S-IDTY +Excel S-TOOL +XLS S-TOOL +document O +that O +contains O +malicious O +macro S-TOOL +script O +. O + +The O +document O +presents O +itself O +as O +a O +standard O +macro S-TOOL +document O +but O +has O +all O +of O +its O +text O +hidden O +until O +the O +victim O +enables O +macros S-TOOL +. O + +Notably O +, O +all O +of O +the O +content O +text O +is O +accessible O +to O +the O +victim O +even O +before O +macros S-TOOL +are O +enabled O +. O + +However O +, O +a O +white O +font O +color O +is O +applied O +to O +the O +text O +to O +make O +it O +appear O +that O +the O +victim O +must O +enable O +macros O +to O +access O +the O +content O +. O + +The O +code O +above O +changes O +the O +font O +color O +to O +black O +within O +the O +specified O +cell O +range O +and O +presents O +the O +content O +to O +the O +user O +. O + +On O +initial O +inspection O +, O +the O +content O +appears O +to O +be O +the O +expected O +legitimate O +content O +, O +however O +, O +closer O +examination O +of O +the O +document O +shows O +several O +abnormal O +artifacts O +that O +would O +not O +exist O +in O +a O +legitimate O +document O +. O + +Figure O +2 O +below O +shows O +how O +the O +delivery O +document O +initially O +looks O +and O +the O +transformation O +the O +content O +undergoes O +as O +the O +macro S-TOOL +runs O +. O + +As O +mentioned O +in O +a O +recent O +ISC S-TOOL +diary O +entry O +, O +the O +macro S-TOOL +gets O +the O +contents O +of O +cells O +in O +column O +170 O +in O +rows O +2227 O +to O +2248 O +to O +obtain O +the O +base64 S-ENCR +encoded O +payload O +. O + +The O +macro S-TOOL +prepends O +the O +string O +—–BEGIN O +CERTIFICATE—– O +to O +the O +beginning O +of O +the O +base64 S-ENCR +encoded O +payload O +and O +appends O +—–END O +CERTIFICATE—– O +to O +the O +end O +of O +the O +data O +. 
O + +The O +macro S-TOOL +then O +writes O +this O +data O +to O +a O +text O +file O +in O +the O +C:\Programdata O +folder O +using O +a O +random O +filename O +with O +the O +.txt S-FILE +extension O +. O + +The O +macro S-TOOL +then O +uses O +the O +command O +certutil O +-decode O +to O +decode O +the O +contents O +of O +this O +text O +file O +and O +outputs O +the O +decoded O +content O +to O +a O +randomly O +named O +file O +with O +a O +.exe S-FILE +extension O +in O +the O +C:\Programdata O +folder O +. O + +The O +macro S-TOOL +sleeps O +for O +two O +seconds O +and O +then O +executes O +the O +newly O +dropped O +executable O +. O + +The O +newly O +dropped O +executable O +is O +a O +loader O +Trojan S-VULNAME +responsible O +for O +installing O +and O +running O +the O +payload O +of O +this O +attack O +. O + +We O +performed O +a O +more O +detailed O +analysis O +on O +this O +loader O +Trojan S-VULNAME +, O +which O +readers O +can O +view O +in O +this O +report O +’s O +appendix O +. O + +Upon O +execution O +, O +the O +loader O +will O +decrypt O +the O +embedded O +payload O +( O +DLL S-TOOL +) O +using O +a O +custom O +algorithm O +, O +decompress O +it O +and O +save O +it O +to O +the O +following O +file O +: O +%LOCALAPPDATA%\cdnver.dll S-FILE +. O + +The O +loader O +will O +then O +create O +the O +batch O +file O +%LOCALAPPDATA%\cdnver.bat S-FILE +, O +which O +it O +will O +write O +the O +following O +: O + +start O +rundll32.exe S-FILE +“ O +C:\Users\user\AppData\Local\cdnver.dll S-FILE +” O +. O + +The O +loader O +Trojan S-VULNAME +uses O +this O +batch O +file O +to O +run O +the O +embedded O +DLL S-TOOL +payload O +. O + +For O +persistence O +, O +the O +loader O +will O +write O +the O +path O +to O +this O +batch O +file O +to O +the O +following O +registry O +key O +. 
O + +The O +cdnver.dll S-FILE +payload O +installed O +by O +the O +loader O +executable O +is O +a O +variant O +of O +the O +SofacyCarberp S-MAL +payload O +, O +which O +is O +used O +extensively O +by O +the O +Sofacy S-APT +threat O +group O +. O + +Overall O +, O +SofacyCarberp S-MAL +does O +initial O +reconnaissance O +by O +gathering O +system O +information O +and O +sending O +it O +to O +the O +C2 S-TOOL +server O +prior O +to O +downloading O +additional O +tools O +to O +the O +system O +. O + +This O +variant O +of O +SofacyCarberp S-MAL +was O +configured O +to O +use O +the O +following O +domain O +as O +its O +C2 S-TOOL +server O +: O +cdnverify.net S-DOM +. O + +The O +loader O +and O +the O +SofacyCarberp S-MAL +sample O +delivered O +in O +this O +attack O +is O +similar O +to O +samples O +we O +have O +analyzed O +in O +the O +past O +but O +contains O +marked O +differences O +. O + +These O +differences O +include O +a O +new O +hashing O +algorithm O +to O +resolve O +API S-TOOL +functions O +and O +to O +find O +running O +browser O +processes O +for O +injection O +, O +as O +well O +as O +changes O +to O +the O +C2 S-TOOL +communication O +mechanisms O +. O + +It O +appears O +that O +Sofacy S-APT +may O +have O +used O +an O +open-source O +tool O +called O +Luckystrike S-TOOL +to O +generate O +the O +delivery O +document O +and/or O +the O +macro S-TOOL +used O +in O +this O +attack O +. O + +Luckystrike S-TOOL +, O +which O +was O +presented O +at O +DerbyCon S-SECTEAM +6 O +in O +September B-TIME +2016 E-TIME +, O +is O +a O +Microsoft S-IDTY +PowerShell S-TOOL +based O +tool O +that O +generates O +malicious O +delivery O +documents O +by O +allowing O +a O +user O +to O +add O +a O +macro S-TOOL +to O +an O +Excel S-TOOL +or O +Word S-TOOL +document O +to O +execute O +an O +embedded O +payload O +. 
O + +We O +believe O +Sofacy S-APT +used O +this O +tool O +, O +as O +the O +macro S-TOOL +within O +their O +delivery O +document O +closely O +resembles O +the O +macros O +found O +within O +Luckystrike S-TOOL +. O + +To O +confirm O +our O +suspicions O +, O +we O +generated O +a O +malicious O +Excel S-TOOL +file O +with O +Luckystrike S-TOOL +and O +compared O +its O +macro S-TOOL +to O +the O +macro S-TOOL +found O +within O +Sofacy S-APT +’s O +delivery O +document O +. O + +We O +found O +that O +there O +was O +only O +one O +difference O +between O +the O +macros O +besides O +the O +random O +function O +name O +and O +random O +cell O +values O +that O +the O +Luckystrike S-TOOL +tool O +generates O +for O +each O +created O +payload O +. O + +The O +one O +non-random O +string O +difference O +was O +the O +path O +to O +the O +“ O +.txt S-FILE +” O +and O +“ O +.exe S-FILE +” O +files O +within O +the O +command O +“ O +certutil O +-decode O +” O +, O +as O +the O +Sofacy S-APT +document O +used O +“ O +C:\Programdata\ O +” O +for O +the O +path O +whereas O +the O +Luckystrike S-TOOL +document O +used O +the O +path O +stored O +in O +the O +Application.UserLibraryPath S-FILE +environment O +variable O +. O + +Figure O +3 O +below O +shows O +a O +diff O +with O +the O +LuckyStrike S-TOOL +macro S-TOOL +on O +the O +left O +and O +Sofacy S-APT +macro S-TOOL +on O +the O +right O +, O +where O +everything O +except O +the O +file O +path O +and O +randomly O +generated O +values O +in O +the O +macro S-TOOL +are O +exactly O +the O +same O +, O +including O +the O +obfuscation O +attempts O +that O +use O +concatenation O +to O +build O +strings O +. O + +With O +much O +of O +our O +research O +, O +our O +initial O +direction O +and O +discovery O +of O +emerging O +threats O +is O +generally O +some O +combination O +of O +previously O +observed O +behavioral O +rulesets O +or O +relationships O +. 
O + +In O +this O +case O +, O +we O +had O +observed O +a O +strange O +pattern O +emerging O +from O +the O +Sofacy S-APT +group O +over O +the O +past O +year O +within O +their O +command B-TOOL +and I-TOOL +control E-TOOL +infrastructure O +. O + +Patterning O +such O +as O +reuse O +of O +WHOIS S-TOOL +artifacts O +, O +IP O +reuse O +, O +or O +even O +domain O +name O +themes O +are O +common O +and O +regularly O +used O +to O +group O +attacks O +to O +specific O +campaigns O +. O + +In O +this O +case O +, O +we O +had O +observed O +the O +Sofacy S-APT +group O +registering O +new O +domains O +, O +then O +placing O +a O +default O +landing O +page O +which O +they O +then O +used O +repeatedly O +over O +the O +course O +of O +the O +year O +. O + +No O +other O +parts O +of O +the O +C2 S-TOOL +infrastructure O +amongst O +these O +domains O +contained O +any O +overlapping O +artifacts O +. O + +Instead O +, O +the O +actual O +content O +within O +the O +body O +of O +the O +websites O +was O +an O +exact O +match O +in O +each O +instance O +. O + +Specifically O +, O +the O +strings O +866-593-54352 O +( O +notice O +it O +is O +one O +digit O +too O +long O +) O +, O +403-965-2341 O +, O +or O +the O +address O +522 O +Clematis O +. O + +Suite O +3000 O +was O +repeatedly O +found O +in O +each O +instance O +. O + +ThreatConnect S-TOOL +had O +made O +the O +same O +observation O +regarding O +this O +patterning O +in O +September B-TIME +2017 E-TIME +. O + +Hotfixmsupload.com S-DOM +is O +particularly O +interesting O +as O +it O +has O +been O +identified O +as O +a O +Sofacy S-APT +C2 S-TOOL +domain O +repeatedly O +, O +and O +was O +also O +brought O +forth O +by O +Microsoft S-IDTY +in O +a O +legal O +complaint O +against O +STRONTIUM S-APT +( O +Sofacy S-APT +) O +as O +documented O +here O +. 
O + +Leveraging O +this O +intelligence O +allowed O +us O +to O +begin O +predicting O +potential O +C2 S-TOOL +domains O +that O +would O +eventually O +be O +used O +by O +the O +Sofacy S-APT +group O +. O + +In O +this O +scenario O +, O +the O +domain O +cdnverify.net O +was O +registered O +on O +January B-TIME +30 I-TIME +, I-TIME +2018 E-TIME +and O +just O +two O +days O +later O +, O +an O +attack O +was O +launched O +using O +this O +domain O +as O +a O +C2 S-TOOL +. O + +The O +Sofacy S-APT +group O +should O +no O +longer O +be O +an O +unfamiliar O +threat O +at O +this O +stage O +. O + +They O +have O +been O +well O +documented O +and O +well O +researched O +with O +much O +of O +their O +attack O +methodologies O +exposed O +. O + +They O +continue O +to O +be O +persistent O +in O +their O +attack O +campaigns O +and O +continue O +to O +use O +similar O +tooling O +as O +in O +the O +past O +. O + +This O +leads O +us O +to O +believe O +that O +their O +attack O +attempts O +are O +likely O +still O +succeeding O +, O +even O +with O +the O +wealth O +of O +threat O +intelligence O +available O +in O +the O +public O +domain O +. O + +Application O +of O +the O +data O +remains O +challenging O +, O +and O +so O +to O +continue O +our O +initiative O +of O +establishing O +playbooks O +for O +adversary O +groups O +, O +we O +have O +added O +this O +attack O +campaign O +as O +the O +next O +playbook O +in O +our O +dataset O +. O + +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +customers O +are O +protected O +from O +this O +threat O +by O +: O + +WildFire S-SECTEAM +detects O +all O +SofacyCarberp S-MAL +payloads O +with O +malicious O +verdicts O +. O + +AutoFocus S-SECTEAM +customers O +can O +track O +these O +tools O +with O +the O +Sofacy S-APT +, O +SofacyMacro S-MAL +and O +SofacyCarberp S-MAL +. O + +Traps O +blocks O +the O +Sofacy S-APT +delivery O +documents O +and O +the O +SofacyCarberp S-MAL +payload O +. 
O + +SHA256 S-ENCR +: O +ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8 S-SHA2 +SHA256 S-ENCR +: O +12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8 S-SHA2 +SHA256 S-ENCR +: O +cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7 S-SHA2 +SHA256 S-ENCR +: O +23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701 S-SHA2 +Sofacy S-APT +: O +Cdnverify.net S-DOM +Sofacy S-APT +Filename O +: O +Upcoming_Events_February_2018.xls S-FILE +. O + + +APT28 S-APT +Targets O +Hospitality O +Sector O +, O +Presents O +Threat O +to O +Travelers O +. O + +Release_Time O +: O +2017-08-11 O +Report_URL O +: O +https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html O + +FireEye S-SECTEAM +has O +moderate O +confidence O +that O +a O +campaign S-ACT +targeting O +the O +hospitality O +sector O +is O +attributed O +to O +Russian O +actor O +APT28 S-APT +. O + +We O +believe O +this O +activity O +, O +which O +dates O +back O +to O +at O +least O +July B-TIME +2017 E-TIME +, O +was O +intended O +to O +target O +travelers O +to O +hotels O +throughout O +Europe S-LOC +and O +the O +Middle B-LOC +East E-LOC +. O + +The O +actor O +has O +used O +several O +notable O +techniques O +in O +these O +incidents O +such O +as O +sniffing B-TOOL +passwords E-TOOL +from O +Wi-Fi B-TOOL +traffic E-TOOL +, O +poisoning O +the O +NetBIOS B-TOOL +Name I-TOOL +Service E-TOOL +, O +and O +spreading O +laterally O +via O +the O +EternalBlue S-VULNAME +exploit O +. O + +FireEye S-SECTEAM +has O +uncovered O +a O +malicious O +document O +sent O +in O +spear B-ACT +phishing I-ACT +emails E-ACT +to O +multiple O +companies O +in O +the O +hospitality O +industry O +, O +including O +hotels O +in O +at O +least O +seven O +European O +countries O +and O +one O +Middle O +Eastern O +country O +in O +early O +July S-TIME +. 
O + +Successful O +execution O +of O +the O +macro S-TOOL +within O +the O +malicious O +document O +results O +in O +the O +installation O +of O +APT28 S-APT +’s O +signature O +GAMEFISH S-MAL +malware O +. O + +The O +malicious O +document O +– O +Hotel_Reservation_Form.doc S-FILE +( O +MD5 S-ENCR +: O +9b10685b774a783eabfecdb6119a8aa3 S-MD5 +) O +, O +contains O +a O +macro S-TOOL +that O +base64 S-ENCR +decodes O +a O +dropper O +that O +then O +deploys O +APT28 S-APT +’s O +signature O +GAMEFISH S-MAL +malware O +( O +MD5 S-ENCR +: O +1421419d1be31f1f9ea60e8ed87277db S-MD5 +) O +, O +which O +uses O +mvband.net S-DOM +and O +mvtband.net S-DOM +as O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +domains O +. O + +APT28 S-APT +is O +using O +novel O +techniques O +involving O +the O +EternalBlue S-VULNAME +exploit O +and O +the O +open O +source O +tool O +Responder S-TOOL +to O +spread O +laterally O +through O +networks O +and O +likely O +target O +travelers O +. O + +Once O +inside O +the O +network O +of O +a O +hospitality O +company O +, O +APT28 S-APT +sought O +out O +machines O +that O +controlled O +both O +guest O +and O +internal O +Wi-Fi B-TOOL +networks E-TOOL +. O + +No O +guest O +credentials O +were O +observed O +being O +stolen O +at O +the O +compromised O +hotels O +; O +however O +, O +in O +a O +separate O +incident O +that O +occurred O +in O +Fall B-TIME +2016 E-TIME +, O +APT28 S-APT +gained O +initial O +access O +to O +a O +victim O +’s O +network O +via O +credentials O +likely O +stolen O +from O +a O +hotel O +Wi-Fi B-TOOL +network E-TOOL +. O + +Upon O +gaining O +access O +to O +the O +machines O +connected O +to O +corporate O +and O +guest O +Wi-Fi B-TOOL +networks E-TOOL +, O +APT28 S-APT +deployed O +Responder S-TOOL +. O + +Responder S-TOOL +facilitates O +NetBIOS B-TOOL +Name I-TOOL +Service E-TOOL +( O +NBT-NS S-TOOL +) O +poisoning O +. 
O + +This O +technique O +listens O +for O +NBT-NS S-TOOL +( O +UDP S-PROT +) O +broadcasts O +from O +victim O +computers O +attempting O +to O +connect O +to O +network O +resources O +. O + +Once O +received O +, O +Responder S-TOOL +masquerades O +as O +the O +sought-out O +resource O +and O +causes O +the O +victim O +computer O +to O +send O +the O +username O +and O +hashed O +password O +to O +the O +attacker-controlled O +machine O +. O + +APT28 S-APT +used O +this O +technique O +to O +steal O +usernames O +and O +hashed O +passwords O +that O +allowed O +escalation O +of O +privileges O +in O +the O +victim O +network O +. O + +To O +spread O +through O +the O +hospitality O +company O +’s O +network O +, O +APT28 S-APT +used O +a O +version O +of O +the O +EternalBlue S-VULNAME +SMB S-PROT +exploit O +. O + +This O +was O +combined O +with O +the O +heavy O +use O +of O +py2exe S-TOOL +to O +compile O +Python S-TOOL +scripts O +. O + +This O +is O +the O +first O +time O +we O +have O +seen O +APT28 S-APT +incorporate O +this O +exploit O +into O +their O +intrusions O +. O + +In O +the O +2016 S-TIME +incident O +, O +the O +victim O +was O +compromised O +after O +connecting O +to O +a O +hotel O +Wi-Fi B-TOOL +network E-TOOL +. O + +Twelve O +hours O +after O +the O +victim O +initially O +connected O +to O +the O +publicly O +available O +Wi-Fi B-TOOL +network E-TOOL +, O +APT28 S-APT +logged O +into O +the O +machine O +with O +stolen O +credentials O +. O + +These O +12 O +hours O +could O +have O +been O +used O +to O +crack O +a O +hashed O +password O +offline O +. O + +After O +successfully O +accessing O +the O +machine O +, O +the O +attacker O +deployed O +tools O +on O +the O +machine O +, O +spread O +laterally O +through O +the O +victim's O +network O +, O +and O +accessed O +the O +victim's O +OWA S-TOOL +account O +. 
O + +The O +login O +originated O +from O +a O +computer O +on O +the O +same O +subnet O +, O +indicating O +that O +the O +attacker O +machine O +was O +physically O +close O +to O +the O +victim O +and O +on O +the O +same O +Wi-Fi B-TOOL +network E-TOOL +. O + +We O +cannot O +confirm O +how O +the O +initial O +credentials O +were O +stolen O +in O +the O +2016 S-TIME +incident O +; O +however O +, O +later O +in O +the O +intrusion O +, O +Responder S-TOOL +was O +deployed O +. O + +Since O +this O +tool O +allows O +an O +attacker O +to O +sniff O +passwords O +from O +network B-TOOL +traffic E-TOOL +, O +it O +could O +have O +been O +used O +on O +the O +hotel O +Wi-Fi B-TOOL +network E-TOOL +to O +obtain O +a O +user O +’s O +credentials O +. O + +Cyber B-ACT +espionage I-ACT +activity E-ACT +against O +the O +hospitality O +industry O +is O +typically O +focused O +on O +collecting O +information O +on O +or O +from O +hotel O +guests O +of O +interest O +rather O +than O +on O +the O +hotel O +industry O +itself O +, O +though O +actors O +may O +also O +collect O +information O +on O +the O +hotel O +as O +a O +means O +of O +facilitating O +operations O +. O + +Business O +and O +government O +personnel O +who O +are O +traveling O +, O +especially O +in O +a O +foreign O +country O +, O +often O +rely O +on O +systems O +to O +conduct O +business O +other O +than O +those O +at O +their O +home O +office O +, O +and O +may O +be O +unfamiliar O +with O +threats O +posed O +while O +abroad O +. O + +APT28 S-APT +isn’t O +the O +only O +group O +targeting O +travelers O +. 
O + +South B-LOC +Korea E-LOC +nexus O +Fallout B-APT +Team E-APT +( O +aka O +Darkhotel S-APT +) O +has O +used O +spoofed O +software O +updates O +on O +infected O +Wi-Fi B-TOOL +networks E-TOOL +in O +Asian O +hotels O +, O +and O +Duqu B-MAL +2.0 E-MAL +malware O +has O +been O +found O +on O +the O +networks O +of O +European O +hotels O +used O +by O +participants O +in O +the O +Iranian O +nuclear O +negotiations O +. O + +Additionally O +, O +open O +sources O +have O +reported O +for O +several O +years O +that O +in O +Russia S-LOC +and O +China S-LOC +, O +high-profile O +hotel O +guests O +may O +expect O +their O +hotel O +rooms O +to O +be O +accessed O +and O +their O +laptops O +and O +other O +electronic O +devices O +accessed O +. O + +These O +incidents O +show O +a O +novel O +infection O +vector O +being O +used O +by O +APT28 S-APT +. O + +The O +group O +is O +leveraging O +less O +secure O +hotel O +Wi-Fi B-TOOL +networks E-TOOL +to O +steal O +credentials O +and O +a O +NetBIOS B-APT +Name I-APT +Service E-APT +poisoning O +utility O +to O +escalate O +privileges O +. O + +APT28 S-APT +’s O +already O +wide-ranging O +capabilities O +and O +tactics O +are O +continuing O +to O +grow O +and O +refine O +as O +the O +group O +expands O +its O +infection O +vectors O +. O + +Travelers O +must O +be O +aware O +of O +the O +threats O +posed O +when O +traveling O +– O +especially O +to O +foreign O +countries O +– O +and O +take O +extra O +precautions O +to O +secure O +their O +systems O +and O +data O +. O + +Publicly O +accessible O +Wi-Fi B-TOOL +networks E-TOOL +present O +a O +significant O +threat O +and O +should O +be O +avoided O +whenever O +possible O +. O + + +Sofacy S-APT +Continues O +Global O +Attacks O +and O +Wheels O +Out O +New O +Cannon S-TOOL +Trojan S-MAL +. 
O + +Release_Time O +: O +2018-11-20 O + +Report_URL O +: O +https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ O + +In O +late O +October S-TIME +and O +early O +November B-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +intercepted O +a O +series O +of O +weaponized O +documents O +that O +use O +a O +technique O +to O +load O +remote O +templates O +containing O +a O +malicious B-TOOL +macro E-TOOL +. O + +These O +types O +of O +weaponized O +documents O +are O +not O +uncommon O +but O +are O +more O +difficult O +to O +identify O +as O +malicious O +by O +automated O +analysis O +systems O +due O +to O +their O +modular O +nature O +. O + +Specific O +to O +this O +technique O +, O +if O +the O +C2 S-TOOL +server O +is O +not O +available O +at O +the O +time O +of O +execution O +, O +the O +malicious O +code O +cannot O +be O +retrieved O +, O +rendering O +the O +delivery O +document O +largely O +benign O +. O + +The O +weaponized O +documents O +targeted O +several O +government O +entities O +around O +the O +globe O +, O +including O +North B-LOC +America E-LOC +, O +Europe S-LOC +, O +and O +a O +former O +USSR B-LOC +state E-LOC +. O + +Fortunately O +for O +us O +, O +the O +C2 S-TOOL +servers O +for O +several O +of O +these O +documents O +were O +still O +operational O +allowing O +for O +retrieval O +of O +the O +malicious B-TOOL +macro E-TOOL +and O +the O +subsequent O +payloads O +. O + +Analysis O +revealed O +a O +consistent O +first-stage O +payload O +of O +the O +well-documented O +Zebrocy S-MAL +Trojan S-MAL +. O + +Additional O +collection O +of O +related O +documents O +revealed O +a O +second O +first-stage O +payload O +that O +we O +have O +named O +‘ O +Cannon S-MAL +’ O +. O + +Cannon S-MAL +has O +not O +been O +previously O +observed O +in O +use O +by O +the O +Sofacy S-APT +group O +and O +contains O +a O +novel O +email-based O +C2 S-TOOL +communication O +channel O +. 
O + +email S-TOOL +as O +a O +C2 S-TOOL +channel O +is O +not O +a O +new O +tactic O +, O +but O +it O +is O +generally O +not O +observed O +in O +the O +wild O +as O +often O +as O +HTTP S-PROT +or O +HTTPS S-PROT +. O + +Using O +email S-TOOL +as O +a O +C2 S-TOOL +channel O +may O +also O +decrease O +the O +chance O +of O +detection O +, O +as O +sending O +email S-TOOL +via O +non-sanctioned O +email S-TOOL +providers O +may O +not O +necessarily O +construe O +suspicious O +or O +even O +malicious O +activity O +in O +many O +enterprises O +. O + +The O +activity O +discussed O +in O +this O +blog O +revolves O +around O +two O +of O +the O +multitude O +of O +weaponized O +documents O +that O +we O +collected O +. O + +These O +two O +documents O +shared O +multiple O +data O +artifacts O +, O +such O +as O +a O +shared O +C2 S-TOOL +IP O +, O +shared O +author O +name O +, O +and O +shared O +tactics O +. O + +Details O +of O +the O +extended O +attack O +campaign O +associated O +with O +the O +Cannon S-MAL +Trojan S-MAL +will O +be O +discussed O +in O +a O +later O +blog O +. O + +A O +particularly O +interesting O +aspect O +of O +one O +of O +the O +two O +documents O +we O +analyzed O +was O +the O +filename O +used O +, O +crash B-FILE +list I-FILE +( I-FILE +Lion I-FILE +Air I-FILE +Boeing I-FILE +737 I-FILE +).docx E-FILE +. O + +This O +is O +not O +the O +first O +instance O +of O +an O +adversary O +group O +using O +recent O +current O +events O +as O +a O +lure O +, O +but O +it O +is O +interesting O +to O +see O +this O +group O +attempt O +to O +capitalize O +on O +the O +attention O +of O +a O +catastrophic O +event O +to O +execute O +their O +attack O +. 
O + +The O +initial O +sample O +we O +intercepted O +was O +a O +Microsoft S-IDTY +Word S-TOOL +document O +( O +SHA256 S-ENCR +: O +2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f S-SHA2 +) O +with O +the O +filename O +crash B-FILE +list I-FILE +( I-FILE +Lion I-FILE +Air I-FILE +Boeing I-FILE +737 I-FILE +).docx E-FILE +using O +the O +author O +name O +Joohn O +. O + +This O +document O +appeared O +to O +be O +targeting O +a O +government O +organization O +dealing O +with O +foreign O +affairs O +in O +Europe S-LOC +via O +spear-phishing S-ACT +. O + +Once O +the O +user O +attempts O +to O +open O +the O +document O +, O +Microsoft S-IDTY +Word S-TOOL +immediately O +attempts O +to O +load O +the O +remote O +template O +containing O +a O +malicious B-TOOL +macro E-TOOL +and O +payload O +from O +the O +location O +specified O +within O +the O +settings.xml.rels S-FILE +file O +of O +the O +DOCX S-TOOL +document O +. O + +If O +the O +C2 S-TOOL +has O +already O +been O +taken O +offline O +the O +document O +will O +still O +open O +, O +but O +Word S-TOOL +will O +be O +unable O +to O +retrieve O +the O +remote O +template O +and O +thus O +Word S-TOOL +will O +not O +load O +a O +macro S-TOOL +. O + +In O +this O +situation O +, O +Word S-TOOL +will O +present O +the O +same O +lure O +document O +to O +the O +victim O +as O +seen O +in O +Figure O +2 O +, O +but O +without O +the O +ability O +to O +enable O +macros S-TOOL +via O +an O +Enable B-TOOL +Content I-TOOL +button E-TOOL +. O + +Assuming O +the O +C2 S-TOOL +is O +still O +operational O +however O +, O +Word S-TOOL +loads O +the O +remote O +template O +( O +SHA256 S-ENCR +: O +f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5 S-SHA2 +) O +and O +the O +user O +is O +presented O +with O +the O +screen O +. O + +Once O +the O +victim O +presses O +the O +Enable B-TOOL +content I-TOOL +button E-TOOL +, O +the O +embedded O +macro S-TOOL +is O +executed O +. 
O + +The O +macros S-TOOL +used O +for O +these O +delivery O +documents O +use O +a O +less O +common O +method O +of O +using O +the O +AutoClose O +function O +. O + +This O +is O +a O +form O +of O +anti-analysis O +as O +Word S-TOOL +will O +not O +fully O +execute O +the O +malicious O +code O +until O +the O +user O +closes O +the O +document O +. O + +If O +an O +automated O +sandbox O +exits O +its O +analysis O +session O +without O +specifically O +closing O +out O +the O +document O +, O +the O +sandbox O +may O +miss O +the O +malicious O +activity O +entirely O +. O + +Once O +successfully O +executed O +, O +the O +macro S-TOOL +will O +install O +a O +payload O +and O +save O +a O +document O +to O +the O +system O +. O + +Typically O +, O +we O +expect O +to O +see O +a O +decoy O +document O +saved O +to O +the O +system O +and O +later O +displayed O +to O +make O +the O +victim O +less O +suspicious O +of O +malicious O +activity O +; O +however O +, O +in O +this O +case O +the O +document O +saved O +to O +the O +system O +was O +never O +displayed O +and O +does O +not O +contain O +any O +pertinent O +content O +to O +the O +Lion B-IDTY +Air E-IDTY +tragedy O +theme O +seen O +in O +the O +filename O +. O + +The O +macro S-TOOL +obtains O +the O +document O +saved O +to O +the O +system O +from O +within O +the O +document O +stored O +as O +UserForm1.Label1.Caption S-FILE +and O +will O +write O +it O +to O +: O +%TEMP%\~temp.docm S-FILE +. O + +The O +macro S-TOOL +obtains O +the O +payload O +saved O +to O +the O +system O +from O +within O +the O +document O +stored O +as O +UserForm1.Label2.Caption S-FILE +and O +will O +write O +it O +to O +: O +%APPDATA%\MSDN\~msdn.exe S-FILE +. 
O + +The O +macro S-TOOL +executes O +this O +payload O +in O +a O +rather O +interesting O +way O +by O +loading O +the O +dropped O +~temp.docm S-FILE +document O +and O +calling O +a O +function O +within O +its O +embedded O +macro O +to O +run O +the O +payload O +. O + +We O +believe O +the O +creator O +of O +this O +delivery O +document O +chose O +to O +run O +the O +payload O +from O +the O +dropped O +file O +as O +an O +evasion O +technique O +. O + +Also O +, O +the O +fact O +the O +initial O +macro S-TOOL +uses O +this O +dropped O +document O +for O +the O +execution O +of O +the O +payload O +may O +also O +explain O +why O +the O +document O +did O +not O +contain O +any O +decoy O +contents O +. O + +To O +carry O +out O +this O +functionality O +, O +after O +writing O +the O + +~temp.docm S-FILE +and O +~msdn.exe S-FILE +files O +to O +the O +system O +, O +the O +initial O +macro S-TOOL +will O +load O +the O +~temp.docm S-FILE +file O +as O +a O +Word S-TOOL +Document O +object O +and O +attempts O +to O +run O +the O +function O +Proc1 O +in O +the O +Module1 O +macro S-TOOL +within O +the O +~temp.docm S-FILE +file O +. O + +The O +Proc1 O +function O +within O +the O +Module1 O +does O +nothing O +more O +than O +build O +the O +%APPDATA%\MSDN\~msdn.exe S-FILE +path O +to O +the O +dropped O +payload O +and O +executes O +it O +using O +the O +built-in O +Shell O +function O +. O + +The O +payload O +dropped O +to O +the O +system O +( O +SHA256 S-ENCR +: O +6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a S-SHA2 +) O +is O +a O +UPX S-TOOL +packed O +Zebrocy S-MAL +variant O +written O +in O +the O +Delphi S-TOOL +language O +. O + +This O +variant O +of O +Zebrocy S-MAL +is O +functionally O +very O +similar O +to O +the O +Delphi S-TOOL +based O +payloads O +discussed O +in O +our O +previous O +publication O +on O +Sofacy S-APT +attacks O +using O +Zebrocy S-MAL +earlier O +this O +year O +. 
O + +The O +developer O +of O +this O +particular O +payload O +configured O +it O +to O +use O +the O +following O +URL O +to O +communicate O +with O +as O +its O +C2 S-TOOL +: O +http://188.241.58.170/local/s3/filters.php S-FILE +. O + +The O +Zebrocy S-MAL +Trojan S-MAL +gathers O +system O +specific O +information O +that O +it O +will O +send O +to O +the O +C2 S-TOOL +server O +via O +an O +HTTP O +POST O +request O +to O +the O +above O +URL O +. O + +Like O +other O +Zebrocy S-MAL +samples O +, O +this O +Trojan S-MAL +collects O +system O +specific O +information O +it O +will O +send O +to O +the O +C2 S-TOOL +server O +by O +running O +the O +command O +SYSTEMINFO O +& O +TASKLIST O +on O +the O +command O +line O +and O +by O +enumerating O +information O +about O +connected O +storage O +devices O +. O + +This O +specific O +variant O +of O +Zebrocy S-MAL +will O +also O +send O +a O +screenshot O +of O +the O +victim O +host O +as O +a O +JPEG S-TOOL +image O +to O +the O +C2 S-TOOL +server O +. O + +The O +C2 S-TOOL +server O +will O +then O +provide O +a O +secondary O +payload O +to O +the O +beacon O +in O +ASCII S-TOOL +hexadecimal O +representation O +, O +which O +the O +Trojan S-MAL +will O +decode O +and O +write O +to O +the O +following O +location O +: O +%APPDATA%\Roaming\Audio\soundfix.exe S-FILE +. O + +During O +our O +analysis O +, O +the O +C2 S-TOOL +server O +provided O +a O +secondary O +payload O +that O +functionally O +appeared O +similar O +to O +the O +initial O +Zebrocy S-MAL +sample O +. O + +The O +secondary O +payload O +was O +also O +written O +in O +Delphi S-TOOL +and O +its O +developer O +configured O +it O +to O +communicate O +with O +its O +C2 S-TOOL +server O +using O +HTTPS S-PROT +via O +the O +following O +URL O +: O +https://200.122.181.25/catalog/products/books.php S-URL +. 
O + +We O +were O +able O +to O +collect O +a O +second O +delivery O +document O +that O +shared O +the O +Joohn O +author O +from O +the O +crash B-FILE +list I-FILE +( I-FILE +Lion I-FILE +Air I-FILE +Boeing I-FILE +737 I-FILE +).docx E-FILE +document O +, O +as O +well O +as O +the O +188.241.58.170 S-IP +C2 S-TOOL +IP O +to O +host O +its O +remote O +template O +. O + +Structurally O +this O +sample O +was O +very O +similar O +to O +the O +initially O +analyzed O +document O +, O +but O +the O +payload O +turned O +out O +to O +be O +a O +completely O +new O +tool O +which O +we O +have O +named O +Cannon S-MAL +. O + +The O +tool O +is O +written O +in O +C# S-TOOL +whose O +malicious O +code O +exists O +in O +a O +namespace O +called O +cannon S-MAL +, O +which O +is O +the O +basis O +of O +the O +Trojan S-MAL +’s O +name O +. O + +The O +Trojan S-MAL +functions O +primarily O +as O +a O +downloader O +that O +relies O +on O +emails S-TOOL +to O +communicate O +between O +the O +Trojan S-MAL +and O +the O +C2 S-TOOL +server O +. O + +To O +communicate O +with O +the O +C2 S-TOOL +server O +, O +the O +Trojan S-MAL +will O +send O +emails S-TOOL +to O +specific O +email S-TOOL +addresses O +via O +SMTPS S-PROT +over O +TCP S-PROT +port O +587 O +. O + +This O +tool O +also O +has O +a O +heavy O +reliance O +on O +EventHandlers O +with O +timers O +to O +run O +its O +methods O +in O +a O +specific O +order O +and O +potentially O +increase O +its O +evasion O +capability O +. O + +The O +overall O +purpose O +of O +Cannon S-MAL +is O +to O +use O +several O +email S-TOOL +accounts O +to O +send O +system O +data O +( O +system O +information O +and O +screenshot O +) O +to O +the O +threat O +actors O +and O +to O +ultimately O +obtain O +a O +payload O +from O +an O +email S-TOOL +from O +the O +actors O +. 
O + +In O +addition O +to O +the O +following O +step-by-step O +process O +illustrates O +how O +Cannon S-MAL +communicates O +with O +the O +actor-controlled O +C2 S-TOOL +email S-TOOL +address O +to O +obtain O +a O +secondary O +payload O +. O + +Cannon S-MAL +gathers O +system O +information O +and O +saves O +it O +to O +a O +file O +named O +ini O +. O + +The O +Trojan S-MAL +sends O +an O +email S-TOOL +to O +sahro.bella7@post.cz S-EMAIL +with O +i.ini S-FILE +as O +the O +attachment O +, O +S_inf O +within O +the O +body O +and O +a O +subject O +with O +a O +unique O +system O +identifier O +via O +SMTPS S-PROT +from O +one O +of O +the O +following O +accounts O +: O +Bishtr.cam47 S-FILE +, O +Lobrek.chizh S-FILE +, O +Cervot.woprov S-FILE +. O + +Cannon S-MAL +takes O +a O +screenshot O +and O +saves O +it O +to O +a O +file O +named O +ops O +. O + +The O +Trojan S-MAL +sends O +an O +email S-TOOL +to O +sahro.bella7@post.cz S-EMAIL +with O +sysscr.ops S-FILE +as O +the O +attachment O +, O +the O +string O +SCreen O +within O +the O +body O +and O +a O +subject O +with O +the O +unique O +system O +identifier O +via O +SMTPS S-PROT +from O +one O +of O +three O +previously O +used O +accounts O +. O + +The O +actors O +likely O +log O +into O +sahro.bella7@post.cz S-EMAIL +and O +process O +the O +system O +information O +and O +screenshot O +sent O +by O +the O +Trojan S-MAL +to O +determine O +if O +the O +compromised O +host O +is O +of O +interest O +. O + +If O +the O +actor O +wishes O +to O +download O +an O +additional O +payload O +to O +the O +compromised O +host O +, O +they O +will O +respond O +by O +sending O +emails S-TOOL +in O +the O +following O +steps O +. 
O + +The O +actor O +sends O +an O +email S-TOOL +to O +trala.cosh2@post.cz S-EMAIL +with O +the O +unique O +system O +identifier O +as O +a O +subject O +with O +a O +secondary O +email S-TOOL +account O +and O +credentials O +in O +ASCII S-TOOL +hexadecimal O +format O +within O +the O +message O +body O +. O + +This O +secondary O +email S-TOOL +account O +is O +unknown O +at O +this O +time O +, O +so O +we O +will O +refer O +to O +it O +as O +“ O +secondary O +email S-TOOL +account O +” O +in O +future O +steps O +. O + +The O +actor O +sends O +an O +email S-TOOL +to O +the O +secondary O +email S-TOOL +account O +with O +the O +unique O +system O +identifier O +as O +a O +subject O +with O +a O +secondary O +payload O +attached O +with O +a O +filename O +of O +txt S-TOOL +. O + +Cannon S-MAL +logs O +into O +the O +trala.cosh2@post.cz S-EMAIL +account O +via O +POP3S S-PROT +looking O +for O +emails S-TOOL +with O +a O +subject O +that O +matches O +the O +unique O +system O +identifier O +. O + +Cannon S-MAL +opens O +the O +email S-TOOL +with O +the O +correct O +subject O +and O +decodes O +the O +hexadecimal O +data O +in O +the O +body O +of O +the O +message O +to O +obtain O +the O +secondary O +email S-TOOL +account O +. O + +Cannon S-MAL +acknowledges O +the O +receipt O +of O +the O +secondary O +email S-TOOL +address O +by O +sending O +an O +email S-TOOL +to O +sahro.bella7@post.cz S-EMAIL +with O +s.txt S-FILE +( O +contains O +{SysPar O += O +65} O +string O +) O +as O +the O +attachment O +, O +ok O +within O +the O +body O +and O +a O +subject O +with O +the O +unique O +system O +identifier O +via O +SMTPS S-PROT +from O +one O +of O +the O +three O +accounts O +from O +Step O +1 O +. 
O + +The O +actor O +sends O +an O +email S-TOOL +to O +trala.cosh2@post.cz S-EMAIL +with O +the O +unique O +system O +identifier O +as O +a O +subject O +with O +a O +file O +path O +that O +the O +Cannon S-MAL +Trojan S-MAL +will O +use O +to O +save O +the O +secondary O +payload O +. O + +Cannon S-MAL +logs O +into O +the O +secondary O +email S-TOOL +account O +via O +POP3S S-PROT +looking O +for O +emails S-TOOL +with O +a O +subject O +that O +matches O +the O +unique O +system O +identifier O +. O + +Cannon S-MAL +opens O +the O +email S-TOOL +with O +the O +correct O +subject O +and O +saves O +the O +attachment O +named O +auddevc.txt S-FILE +. O + +Cannon S-MAL +acknowledges O +the O +receipt O +of O +file O +download O +by O +sending O +an O +email S-TOOL +to O +sahro.bella7@post.cz S-EMAIL +with O +l.txt S-FILE +( O +contains O +090 O +string O +) O +as O +the O +attachment O +, O +ok2 O +within O +the O +body O +and O +a O +subject O +with O +the O +unique O +system O +identifier O +via O +SMTPS S-PROT +from O +one O +of O +the O +three O +accounts O +from O +Step O +1 O +. O + +Cannon S-MAL +logs O +into O +the O +trala.cosh2@post.cz S-EMAIL +account O +via O +POP3S S-PROT +looking O +for O +emails S-TOOL +with O +a O +subject O +that O +matches O +the O +unique O +system O +identifier O +. O + +Cannon S-MAL +opens O +the O +email S-TOOL +with O +the O +correct O +subject O +and O +decodes O +the O +hexadecimal O +data O +in O +the O +body O +of O +the O +message O +to O +obtain O +the O +file O +path O +that O +it O +will O +use O +to O +move O +the O +downloaded O +auddevc.txt S-FILE +file O +. 
O + +Cannon S-MAL +acknowledges O +the O +receipt O +of O +file O +path O +by O +sending O +an O +email S-TOOL +to O +sahro.bella7@post.cz S-EMAIL +with O +s.txt S-FILE +( O +contains O +{SysPar O += O +65} O +string O +) O +as O +the O +attachment O +, O +ok3 O +within O +the O +body O +and O +a O +subject O +with O +the O +unique O +system O +identifier O +via O +SMTPS S-PROT +from O +one O +of O +the O +three O +accounts O +from O +Step O +1 O +. O + +Cannon S-MAL +moves O +the O +downloaded O +file O +to O +the O +specified O +path O +. O + +Cannon S-MAL +acknowledges O +the O +successful O +move O +by O +sending O +an O +email S-TOOL +to O +sahro.bella7@post.cz S-EMAIL +with O +l.txt S-FILE +( O +contains O +090 O +string O +) O +as O +the O +attachment O +, O +ok4 O +within O +the O +body O +and O +a O +subject O +with O +the O +unique O +system O +identifier O +via O +SMTPS S-PROT +from O +one O +of O +the O +three O +accounts O +from O +Step O +1 O +. O + +Cannon S-MAL +runs O +the O +downloaded O +file O +from O +the O +specified O +path O +. O + +Cannon S-MAL +acknowledges O +the O +successful O +execution O +by O +sending O +an O +email S-TOOL +to O +sahro.bella7@post.cz S-EMAIL +with O +s.txt S-FILE +( O +contains O +{SysPar O += O +65} O +string O +) O +as O +the O +attachment O +, O +ok5 O +within O +the O +body O +and O +a O +subject O +with O +the O +unique O +system O +identifier O +via O +SMTPS S-PROT +from O +one O +of O +the O +three O +accounts O +from O +Step O +1 O +. O + +The O +Sofacy S-APT +threat O +group O +continues O +to O +target O +government O +organizations O +in O +the O +EU S-LOC +, O +US S-LOC +, O +and O +former O +Soviet B-LOC +states E-LOC +to O +deliver O +the O +Zebrocy S-MAL +tool O +as O +a O +payload O +. 
O + +In O +these O +attacks O +, O +the O +delivery O +documents O +used O +to O +install O +Zebrocy S-MAL +used O +remote O +templates O +, O +which O +increases O +the O +difficulty O +to O +analyze O +the O +attack O +as O +an O +active O +C2 S-TOOL +server O +is O +needed O +to O +obtain O +the O +macro-enabled O +document O +. O + +The O +Sofacy S-APT +group O +also O +leveraged O +the O +recent O +Lion O +Air O +disaster O +as O +a O +lure O +in O +one O +of O +these O +attacks O +, O +which O +continues O +to O +show O +a O +willingness O +to O +use O +current O +events O +in O +their O +social O +engineering O +themes O +. O + +Of O +note O +, O +we O +also O +discovered O +the O +Sofacy S-APT +group O +using O +a O +very O +similar O +delivery O +document O +to O +deliver O +a O +new O +Trojan S-MAL +called O +Cannon S-MAL +. O + +Cannon S-MAL +uses O +SMTPS S-PROT +and O +POP3S S-PROT +as O +its O +C2 S-TOOL +channel O +compared O +to O +Zebrocy S-MAL +that O +uses O +a O +more O +commonly O +observed O +HTTP S-PROT +or O +HTTPS S-PROT +based O +C2 S-TOOL +. O + +This O +is O +not O +a O +new O +tactic O +but O +may O +be O +more O +effective O +at O +evading O +detection O +as O +the O +external O +hosts O +involved O +are O +a O +legitimate O +email S-TOOL +service O +provider O +. 
O + +Add O +the O +layer O +of O +encryption O +that O +the O +SMTPS S-PROT +and O +POP3S S-PROT +protocols O +provide O +to O +the O +legitimate O +web-based O +service O +and O +you O +have O +a O +very O +difficult O +C2 S-TOOL +channel O +to O +block O +While O +Sofacy S-APT +’s O +campaign O +delivering O +Zebrocy S-MAL +and O +Cannon S-MAL +remains O +active O +, O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +customers O +are O +protected O +from O +this O +threat O +in O +the O +following O +ways O +: O + +AutoFocus S-SECTEAM +customers O +can O +track O +these O +samples O +with O +the O +Zebrocy S-MAL +and O +Cannon S-MAL +WildFire S-SECTEAM +detects O +the O +delivery O +documents O +, O +Zebrocy S-MAL +and O +Cannon S-MAL +payloads O +discussed O +in O +this O +blog O +with O +malicious O +verdicts O +. O + +Traps O +blocks O +the O +macro-ladened O +remote O +templates O +as O +Suspicious O +macro S-TOOL +detected O +, O +as O +well O +as O +Zebrocy S-MAL +and O +Cannon S-MAL +payloads O +as O +Suspicious O +executable O +detected O +. O + +The O +IP O +addresses O +hosting O +remote O +templates O +and O +C2 S-TOOL +services O +in O +these O +attacks O +are O +classified O +as O +Command B-TOOL +and I-TOOL +Control E-TOOL +. O + +Delivery O +Hashes O +: O + +2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f S-SHA2 +af77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392 S-SHA2 +. O + +Remote B-TOOL +Template E-TOOL +Hashes O +: O + +f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5 S-SHA2 +fc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d S-SHA2 +. O + +Remote B-TOOL +Templates E-TOOL +: O + +http://188.241.58.170/live/owa/office.dotm S-URL +. O + +Zebrocy S-MAL +Hashes O +: O + +6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a S-SHA2 +. 
O + +Zebrocy S-MAL +C2 S-TOOL +URLs O +: O + +http://188.241.58.170/local/s3/filters.php S-URL +https://200.122.181.25/catalog/products/books.php S-URL +. O + +Cannon S-MAL +Hashes O +: O + +61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e S-SHA2 +. O + +Cannon S-MAL +email S-TOOL +Accounts O +: O + +sahro.bella7@post.cz S-EMAIL +trala.cosh2@post.cz S-EMAIL +bishtr.cam47@post.cz S-EMAIL +lobrek.chizh@post.cz S-EMAIL +cervot.woprov@post.cz S-EMAIL +. O + + +THE O +DUKES S-APT +7 O +YEARS O +OF O +RUSSIAN O +CYBERESPIONAGE O +. O + +The O +Dukes S-APT +are O +a O +well-resourced O +, O +highly O +dedicated O +and O +organized O +cyberespionage O +group O +that O +we O +believe O +has O +been O +working O +for O +the O +Russian O +Federation O +since O +at O +least O +2008 S-TIME +to O +collect O +intelligence O +in O +support O +of O +foreign O +and O +security O +policy O +decision-making O +. O + +The O +Dukes S-APT +primarily O +target O +Western O +governments O +and O +related O +organizations O +, O +such O +as O +government O +ministries O +and O +agencies O +, O +political O +think O +tanks O +, O +and O +governmental O +subcontractors O +. O + +Their O +targets O +have O +also O +included O +the O +governments O +of O +members O +of O +the O +Commonwealth B-IDTY +of I-IDTY +Independent I-IDTY +States E-IDTY +; O +Asian O +, O +African O +, O +and O +Middle O +Eastern O +governments O +; O +organizations O +associated O +with O +Chechen O +extremism O +; O +and O +Russian O +speakers O +engaged O +in O +the O +illicit O +trade O +of O +controlled O +substances O +and O +drugs O +. O + +The O +Dukes S-APT +are O +known O +to O +employ O +a O +vast O +arsenal O +of O +malware O +toolsets O +, O +which O +we O +identify O +as O +MiniDuke S-MAL +, O +CosmicDuke S-MAL +, O +OnionDuke S-MAL +, O +CozyDuke S-MAL +, O +CloudDuke S-MAL +, O +SeaDuke S-MAL +, O +HammerDuke S-MAL +, O +PinchDuke S-MAL +, O +and O +GeminiDuke S-MAL +. 
O + +In O +recent O +years O +, O +the O +Dukes S-APT +have O +engaged O +in O +apparently O +biannual O +large-scale O +spear-phishing S-ACT +campaigns O +against O +hundreds O +or O +even O +thousands O +of O +recipients O +associated O +with O +governmental O +institutions O +and O +affiliated O +organizations O +. O + +The O +earliest O +activity O +we O +have O +been O +able O +to O +definitively O +attribute O +to O +the O +Dukes S-APT +are O +two O +PinchDuke S-MAL +campaigns O +from O +November B-TIME +2008 E-TIME +. O + +These O +campaigns O +use O +PinchDuke S-MAL +samples O +that O +were O +, O +according O +to O +their O +compilation O +timestamps O +, O +created O +on O +the O +5th B-TIME +and I-TIME +12th I-TIME +of I-TIME +November I-TIME +2008 E-TIME +. O + +The O +campaign O +identifiers O +found O +in O +these O +two O +samples O +are O +respectively O +, O +“ O +alkavkaz.com20081105 S-ACT +” O +and O +“ O +cihaderi.net20081112 S-ACT +” O +. O + +The O +first O +campaign O +identifier O +, O +found O +in O +the O +sample O +compiled O +on O +the O +5th S-TIME +, O +references O +alkavkaz.com S-DOM +, O +a O +domain O +associated O +with O +a O +Turkish O +website O +proclaiming O +to O +be O +the O +“ O +Chechan S-LOC +[sic] O +Informational O +Center O +” O +. O + +The O +second O +campaign O +identifier O +, O +from O +the O +sample O +compiled O +on O +the O +12th S-TIME +, O +references O +cihaderi.net S-DOM +, O +another O +Turkish O +website O +that O +claims O +to O +provide O +“ O +news O +from O +the O +jihad O +world O +” O +and O +which O +dedicates O +a O +section O +of O +its O +site O +to O +Chechnya S-LOC +. O + +Due O +to O +a O +lack O +of O +other O +PinchDuke S-MAL +samples O +from O +2008 S-TIME +or O +earlier O +, O +we O +are O +unable O +to O +estimate O +when O +the O +Duke S-APT +operation O +originally O +began O +. 
O + +Based O +on O +our O +technical O +analysis O +of O +the O +known O +PinchDuke S-MAL +samples O +from O +2008 S-TIME +however O +, O +we O +believe O +PinchDuke S-MAL +to O +have O +been O +under O +development O +by O +the O +summer B-TIME +of I-TIME +2008 E-TIME +. O + +In O +fact O +, O +we O +believe O +that O +by O +the O +autumn O +of O +2008 O +, O +the O +Dukes O +were O +already O +developing O +not O +one O +but O +at O +least O +two O +distinct O +malware O +toolsets O +. O + +This O +assertion O +is O +based O +on O +the O +oldest O +currently O +known O +sample O +of O +another O +Duke S-APT +related O +toolset O +, O +GeminiDuke S-MAL +, O +which O +was O +compiled O +on O +the O +26th B-TIME +of I-TIME +January I-TIME +2009 E-TIME +. O + +This O +sample O +, O +like O +the O +early O +PinchDuke S-MAL +samples O +, O +appears O +to O +already O +be O +a O +“ O +fully-grown O +” O +sample O +, O +which O +is O +why O +we O +believe O +GeminiDuke S-MAL +was O +under O +development O +by O +the O +autumn B-TIME +of I-TIME +2008 E-TIME +. O + +That O +the O +Dukes S-APT +were O +already O +developing O +and O +operating O +at O +least O +two O +distinct O +malware O +toolsets O +by O +the O +second B-TIME +half I-TIME +of I-TIME +2008 E-TIME +suggests O +to O +us O +that O +either O +the O +size O +of O +their O +cyberespionage O +operation O +was O +already O +large O +enough O +to O +warrant O +such O +an O +arsenal O +of O +tools O +, O +or O +that O +they O +expected O +their O +operation O +to O +grow O +significantly O +enough O +in O +the O +foreseeable O +future O +to O +warrant O +the O +development O +of O +such O +an O +arsenal O +. O + +The O +origins O +of O +the O +Duke S-APT +toolset O +names O +can O +be O +traced O +back O +to O +when O +researchers O +at O +Kaspersky B-SECTEAM +Labs E-SECTEAM +coined O +the O +term O +“ O +MiniDuke S-MAL +” O +to O +identify O +the O +first O +Duke S-APT +related O +malware O +they O +found O +. 
O + +As O +explained O +in O +their O +whitepaper O +, O +the O +researchers O +observed O +the O +surprisingly O +small O +MiniDuke B-MAL +backdoor E-MAL +being O +spread O +via O +the O +same O +exploit O +that O +was O +being O +used O +by O +a O +malware O +that O +they O +had O +already O +named O +ItaDuke S-MAL +; O +the O +“ O +Duke S-APT +” O +part O +of O +this O +malware O +’s O +name O +had O +in O +turn O +come O +about O +because O +it O +reminded O +the O +researchers O +of O +the O +notable O +Duqu S-MAL +threat O +. O + +Despite O +the O +shared O +history O +of O +the O +name O +itself O +however O +, O +it O +is O +important O +to O +note O +that O +there O +is O +no O +reason O +to O +believe O +that O +the O +Duke S-APT +toolsets O +themselves O +are O +in O +any O +way O +related O +to O +the O +ItaDuke S-MAL +malware O +, O +or O +to O +Duqu S-MAL +for O +that O +matter O +. O + +As O +researchers O +continued O +discovering O +new O +toolsets O +that O +were O +created O +and O +used O +by O +the O +same O +group O +that O +had O +been O +operating O +MiniDuke S-MAL +, O +the O +new O +toolsets O +were O +also O +given O +“ O +Duke S-APT +” O +-derived O +names O +, O +and O +thus O +the O +threat O +actor O +operating O +the O +toolsets O +started O +to O +be O +commonly O +referred O +to O +as O +“ O +the O +Dukes S-APT +” O +. O + +The O +only O +other O +publicly O +used O +name O +for O +the O +threat O +actor O +that O +we O +are O +aware O +of O +is O +“ O +APT29 S-APT +” O +. O + +Based O +on O +the O +campaign O +identifiers O +found O +in O +PinchDuke S-MAL +samples O +discovered O +from O +2009 S-TIME +, O +the O +targets O +of O +the O +Dukes S-APT +group O +during O +that O +year O +included O +organizations O +such O +as O +the O +Ministry B-IDTY +of I-IDTY +Defense E-IDTY +of O +Georgia S-LOC +and O +the O +ministries O +of O +foreign O +affairs O +of O +Turkey S-LOC +and O +Uganda S-LOC +. 
O + +Campaign O +identifiers O +from O +2009 S-TIME +also O +reveal O +that O +by O +that O +time O +, O +the O +Dukes S-APT +were O +already O +actively O +interested O +in O +political O +matters O +related O +to O +the O +United B-LOC +States E-LOC +( O +US S-LOC +) O +and O +the O +North B-IDTY +Atlantic I-IDTY +Treaty I-IDTY +Organization E-IDTY +( O +NATO S-IDTY +) O +, O +as O +they O +ran O +campaigns O +targeting O +( O +among O +other O +organizations O +) O +a O +US S-LOC +based O +foreign O +policy O +think O +tank O +, O +another O +set O +of O +campaigns O +related O +to O +a O +NATO S-IDTY +exercise O +held O +in O +Europe S-LOC +, O +and O +a O +third O +set O +apparently O +targeting O +what O +was O +then O +known O +as O +the O +Georgian S-LOC +“ O +Information O +Centre O +on O +NATO S-IDTY +” O +. O + +Of O +these O +campaigns O +, O +two O +clusters O +in O +particular O +stand O +out O +. O + +The O +first O +is O +a O +set O +of O +campaigns O +from O +the O +16th B-TIME +and I-TIME +17th I-TIME +of I-TIME +April I-TIME +, I-TIME +2009 E-TIME +, O +that O +targeted O +a O +US S-LOC +based O +foreign O +policy O +think O +tank O +, O +as O +well O +as O +government O +institutions O +in O +Poland S-LOC +and O +the O +Czech B-LOC +Republic E-LOC +. O + +These O +campaigns O +utilized O +specially-crafted O +malicious O +Microsoft S-IDTY +Word S-TOOL +documents O +and O +PDF S-TOOL +files O +, O +which O +were O +sent O +as O +e-mail S-TOOL +attachments O +to O +various O +personnel O +in O +an O +attempt O +to O +infiltrate O +the O +targeted O +organizations O +. 
O + +We O +believe O +this O +cluster O +of O +campaigns O +had O +a O +joint O +goal O +of O +gathering O +intelligence O +on O +the O +sentiments O +of O +the O +targeted O +5 O +countries O +with O +respect O +to O +the O +plans O +being O +discussed O +at O +the O +time O +for O +the O +US S-LOC +to O +locate O +their O +“ O +European O +Interceptor O +Site O +” O +missile O +defense O +base O +in O +Poland S-LOC +, O +with O +a O +related O +radar O +station O +that O +was O +intended O +to O +be O +located O +in O +the O +Czech B-LOC +Republic E-LOC +. O + +Regarding O +the O +timing O +of O +these O +campaigns O +, O +it O +is O +curious O +to O +note O +that O +they O +began O +only O +11 O +days O +after O +President O +Barack O +Obama O +gave O +a O +speech O +on O +the O +5th B-TIME +of I-TIME +April E-TIME +declaring O +his O +intention O +to O +proceed O +with O +the O +deployment O +of O +these O +missile O +defenses O +. O + +The O +second O +notable O +cluster O +comprises O +of O +two O +campaigns O +that O +were O +possibly O +aimed O +at O +gathering O +information O +on O +Georgia S-LOC-NATO S-IDTY +relations O +. O + +The O +first O +of O +these O +runs O +used O +the O +campaign O +identifier O +“ O +natoinfo_ge S-ACT +” O +, O +an O +apparent O +reference O +to O +the O +www.natoinfo.ge S-DOM +website O +belonging O +to O +a O +Georgian O +political O +body O +that O +has O +since O +been O +renamed O +“ O +Information O +Centre O +on O +NATO S-IDTY +and O +EU S-LOC +” O +. O + +Although O +the O +campaign O +identifier O +itself O +doesn’t O +contain O +a O +date O +, O +we O +believe O +the O +campaign O +to O +have O +originated O +around O +the O +7th B-TIME +of I-TIME +June I-TIME +2009 E-TIME +, O +which O +was O +when O +the O +PinchDuke S-MAL +sample O +in O +question O +was O +compiled O +. 
O + +This O +belief O +is O +based O +on O +the O +observation O +that O +in O +all O +of O +the O +other O +PinchDuke S-MAL +samples O +we O +have O +analyzed O +, O +the O +date O +of O +the O +campaign O +identifier O +has O +been O +within O +a O +day O +of O +the O +compilation O +date O +. O + +The O +second O +campaign O +identifier O +, O +which O +we O +suspect O +may O +be O +related O +, O +is O +“ O +mod_ge_2009_07_03 S-ACT +” O +from O +a O +month O +later O +and O +apparently O +targeting O +the O +Ministry B-IDTY +of I-IDTY +Defense E-IDTY +of O +Georgia S-LOC +. O + +The O +spring B-TIME +of I-TIME +2010 E-TIME +saw O +continued O +PinchDuke S-MAL +campaigns O +against O +Turkey S-LOC +and O +Georgia S-LOC +, O +but O +also O +numerous O +campaigns O +against O +other O +members O +of O +the O +Commonwealth B-LOC +of I-LOC +Independent I-LOC +States E-LOC +such O +as O +Kazakhstan S-LOC +, O +Kyrgyzstan S-LOC +, O +Azerbaijan S-LOC +and O +Uzbekistan S-LOC +. O + +Of O +these O +, O +the O +campaign O +with O +the O +identifier O +“ O +kaz_2010_07_30 S-ACT +” O +, O +which O +possibly O +targeted O +Kazakhstan S-LOC +, O +is O +of O +note O +because O +it O +is O +the O +last O +PinchDuke S-MAL +campaign O +we O +have O +observed O +. O + +We O +believe O +that O +during O +the O +first B-TIME +half I-TIME +of I-TIME +2010 E-TIME +, O +the O +Dukes S-APT +slowly O +migrated O +from O +PinchDuke S-MAL +and O +started O +using O +a O +new O +infostealer O +malware O +toolset O +that O +we O +call O +CosmicDuke S-MAL +. O + +The O +first O +known O +sample O +of O +the O +CosmicDuke S-MAL +toolset O +was O +compiled O +on O +the O +16th B-TIME +of I-TIME +January I-TIME +2010 E-TIME +. O + +Back O +then O +, O +CosmicDuke S-MAL +still O +lacked O +most O +of O +the O +credential-stealing O +functionality O +found O +in O +later O +samples O +. 
O + +We O +believe O +that O +during O +the O +spring B-TIME +of I-TIME +2010 E-TIME +, O +the O +credential O +and O +file O +stealing O +capabilities O +of O +PinchDuke S-MAL +were O +slowly O +ported O +to O +CosmicDuke S-MAL +, O +effectively O +making O +PinchDuke S-MAL +obsolete O +. O + +During O +this O +period O +of O +transition O +, O +CosmicDuke S-MAL +would O +often O +embed O +PinchDuke S-MAL +so O +that O +, O +upon O +execution O +, O +CosmicDuke S-MAL +would O +write O +to O +disk O +and O +execute O +PinchDuke S-MAL +. O + +Both O +PinchDuke S-MAL +and O +CosmicDuke S-MAL +would O +then O +operate O +independently O +on O +the O +same O +compromised O +host O +, O +including O +performing O +separate O +information O +gathering O +, O +data O +Exfiltration S-ACT +and O +communication O +with O +a O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C&C S-TOOL +) O +server O +- O +although O +both O +malware O +would O +often O +use O +the O +same O +C&C S-TOOL +server O +. O + +We O +believe O +the O +purpose O +of O +this O +parallel O +use O +was O +to O +‘ O +fieldtest O +’ O +the O +new O +CosmicDuke S-MAL +tool O +, O +while O +at O +the O +same O +time O +ensuring O +operational O +success O +with O +the O +tried-and-tested O +PinchDuke S-MAL +. O + +During O +this O +period O +of O +CosmicDuke S-MAL +testing O +and O +development O +, O +the O +Duke S-APT +authors O +also O +started O +experimenting O +with O +the O +use O +of O +privilege O +escalation O +vulnerabilities O +. O + +Specifically O +, O +on O +the O +19th B-TIME +of I-TIME +January I-TIME +2010 E-TIME +security O +researcher O +Tavis O +Ormandy O +disclosed O +a O +local O +privilege O +escalation O +vulnerability O +( O +CVE-2010-0232 S-VULID +) O +affecting O +Microsoft S-IDTY +Windows S-OS +. 
O + +As O +part O +of O +the O +disclosure O +, O +Ormandy O +also O +included O +the O +source O +code O +for O +a O +proof-of- O +concept O +exploit O +for O +the O +vulnerability O +. O + +Just O +7 O +days O +later O +, O +on O +the O +26th B-TIME +of I-TIME +January E-TIME +, O +a O +component O +for O +CosmicDuke S-MAL +was O +compiled O +that O +exploited O +the O +vulnerability O +and O +allowed O +the O +tool O +to O +operate O +with O +higher O +privileges O +. O + +During O +2011 S-TIME +, O +the O +Dukes S-APT +appear O +to O +have O +significantly O +expanded O +both O +their O +arsenal O +of O +malware O +toolsets O +and O +their O +C&C S-TOOL +infrastructure O +. O + +While O +the O +Dukes S-APT +employed O +both O +hacked O +websites O +and O +purposely O +rented O +servers O +for O +their O +C&C S-TOOL +infrastructure O +, O +the O +group O +rarely O +registered O +their O +own O +domain O +names O +, O +preferring O +instead O +to O +connect O +to O +their O +self- O +operated O +servers O +via O +IP O +addresses O +. O + +The O +beginning B-TIME +of I-TIME +2011 E-TIME +however O +saw O +a O +significant O +break O +from O +that O +routine O +, O +when O +a O +large O +grouping O +of O +domain O +names O +was O +registered O +by O +the O +Dukes S-APT +in O +two O +batches O +; O +the O +first O +batch O +was O +registered O +on O +the O +29th B-TIME +of I-TIME +January E-TIME +and O +the O +second O +on O +the O +13th B-TIME +of I-TIME +February E-TIME +. O + +All O +the O +domains O +in O +both O +batches O +were O +initially O +registered O +with O +the O +same O +alias O +: O +“ O +John O +Kasai O +of O +Klagenfurt S-LOC +, O +Austria S-LOC +” O +. O + +These O +domains O +were O +used O +by O +the O +Dukes S-APT +in O +campaigns O +involving O +many O +of O +their O +different O +malware O +toolsets O +all O +the O +way O +until O +2014 S-TIME +. 
O + +Like O +the O +“ O +MiniDuke S-MAL +loader O +” O +, O +these O +“ O +John O +Kasai O +” O +domains O +also O +provide O +a O +common O +thread O +tying O +together O +much O +of O +the O +tools O +and O +infrastructure O +of O +the O +Dukes S-APT +. O + +By O +2011 S-TIME +, O +the O +Dukes S-APT +had O +already O +developed O +at O +least O +3 O +distinct O +malware O +toolsets O +, O +including O +a O +plethora O +of O +supporting O +components O +such O +as O +loaders O +and O +persistence O +modules O +. O + +In O +fact O +, O +as O +a O +sign O +of O +their O +arsenal O +’s O +breadth O +, O +they O +had O +already O +decided O +to O +retire O +one O +of O +these O +malware O +toolsets O +as O +obsolete O +after O +developing O +a O +replacement O +for O +it O +, O +seemingly O +from O +scratch O +. O + +The O +Dukes S-APT +continued O +the O +expansion O +of O +their O +arsenal O +in O +2011 S-TIME +with O +the O +addition O +of O +two O +more O +toolsets O +: O +MiniDuke S-MAL +and O +CozyDuke S-MAL +. O + +While O +all O +of O +the O +earlier O +toolsets O +– O +GeminiDuke S-MAL +, O +PinchDuke S-MAL +, O +and O +CosmicDuke S-MAL +– O +were O +designed O +around O +a O +core O +infostealer O +component O +, O +MiniDuke S-MAL +is O +centered O +on O +a O +simplistic O +backdoor O +component O +whose O +purpose O +is O +to O +enable O +the O +remote O +execution O +of O +commands O +on O +the O +compromised O +system O +. O + +The O +first O +observed O +samples O +of O +the O +MiniDuke B-MAL +backdoor E-MAL +component O +are O +from O +May B-TIME +2011 E-TIME +. O + +This O +backdoor O +component O +however O +is O +technically O +very O +closely O +related O +to O +GeminiDuke S-MAL +, O +to O +the O +extent O +that O +we O +believe O +them O +to O +share O +parts O +of O +their O +source O +code O +. 
O + +The O +origins O +of O +MiniDuke S-MAL +can O +thus O +be O +traced O +back O +to O +the O +origins O +of O +GeminiDuke S-MAL +, O +of O +which O +the O +earliest O +observed O +sample O +was O +compiled O +in O +January B-TIME +of I-TIME +2009 E-TIME +. O + +Unlike O +the O +simplistic O +MiniDuke S-MAL +toolset O +, O +CozyDuke S-MAL +is O +a O +highly O +versatile O +, O +modular O +, O +malware O +“ O +platform O +” O +whose O +functionality O +lies O +not O +in O +a O +single O +core O +component O +but O +in O +an O +array O +of O +modules O +that O +it O +may O +be O +instructed O +to O +download O +from O +its O +C&C S-TOOL +server O +. O + +These O +modules O +are O +used O +to O +selectively O +provide O +CozyDuke S-MAL +with O +just O +the O +functionality O +deemed O +necessary O +for O +the O +mission O +at O +hand O +. O + +CozyDuke S-MAL +’s O +modular O +platform O +approach O +is O +a O +clear O +break O +from O +the O +designs O +of O +the O +previous O +Duke S-APT +toolsets O +. O + +The O +stylistic O +differences O +between O +CozyDuke S-MAL +and O +its O +older O +siblings O +are O +further O +exemplified O +by O +the O +way O +it O +was O +coded O +. O + +All O +of O +the O +4 O +previously O +mentioned O +toolsets O +were O +written O +in O +a O +minimalistic O +style O +commonly O +seen O +with O +malware O +; O +MiniDuke S-MAL +even O +goes O +as O +far O +as O +having O +many O +components O +written O +in O +Assembly O +language O +. O + +CozyDuke S-MAL +however O +represents O +the O +complete O +opposite O +. O + +Instead O +of O +being O +written O +in O +Assembly O +or O +C S-TOOL +, O +it O +was O +written O +in O +C++ S-TOOL +, O +which O +provides O +added O +layers O +of O +abstraction O +for O +the O +developer O +’s O +perusal O +, O +at O +the O +cost O +of O +added O +complexity O +. 
O + +Contrary O +to O +what O +might O +be O +expected O +from O +malware O +, O +early O +CozyDuke S-MAL +versions O +also O +lacked O +any O +attempt O +at O +obfuscating O +or O +hiding O +their O +true O +nature O +. O + +In O +fact O +, O +they O +were O +extremely O +open O +and O +verbose O +about O +their O +functionality O +- O +for O +example O +, O +early O +samples O +contained O +a O +plethora O +of O +logging O +messages O +in O +unencrypted O +form O +. O + +In O +comparison O +, O +even O +the O +earliest O +known O +GeminiDuke S-MAL +samples O +encrypted O +any O +strings O +that O +might O +have O +given O +away O +the O +malware O +’s O +true O +nature O +. O + +Finally O +, O +early O +CozyDuke S-MAL +versions O +also O +featured O +other O +elements O +that O +one O +would O +associate O +more O +with O +a O +traditional O +software O +development O +project O +than O +with O +malware O +. O + +For O +instance O +, O +the O +earliest O +known O +CozyDuke S-MAL +version O +utilized O +a O +feature O +of O +the O +Microsoft S-IDTY +Visual S-TOOL +C++ S-TOOL +compiler O +known O +as O +run-time O +error O +checking O +. O + +This O +feature O +added O +automatic O +error O +checking O +to O +critical O +parts O +of O +the O +program O +’s O +execution O +at O +the O +cost O +, O +from O +a O +malware O +perspective O +, O +of O +providing O +additional O +hints O +that O +make O +the O +malware O +’s O +functionality O +easier O +for O +reverse O +engineers O +to O +understand O +. 
O + +Based O +on O +these O +and O +other O +similar O +stylistic O +differences O +observed O +between O +CozyDuke S-MAL +and O +its O +older O +siblings O +, O +we O +speculate O +that O +while O +the O +older O +Duke S-APT +families O +appear O +to O +be O +the O +work O +of O +someone O +with O +a O +background O +in O +malware O +writing O +( O +or O +at O +the O +least O +in O +hacking O +) O +, O +CozyDuke S-MAL +’s O +author O +or O +authors O +more O +likely O +came O +from O +a O +software O +development O +background O +. O + +We O +still O +know O +surprisingly O +few O +specifics O +about O +the O +Dukes S-APT +group O +’s O +activities O +during O +2012 S-TIME +. O + +Based O +on O +samples O +of O +Duke S-APT +malware O +from O +2012 S-TIME +, O +the O +Dukes S-APT +do O +appear O +to O +have O +continued O +actively O +using O +and O +developing O +all O +of O +their O +tools O +. O + +Of O +these O +, O +CosmicDuke S-MAL +and O +MiniDuke S-MAL +appear O +to O +have O +been O +in O +more O +active O +use O +, O +while O +receiving O +only O +minor O +updates O +. O + +GeminiDuke S-MAL +and O +CozyDuke S-MAL +on O +the O +other O +hand O +appear O +to O +have O +been O +less O +used O +in O +actual O +operations O +, O +but O +did O +undergo O +much O +more O +significant O +development O +. O + +On O +the O +12th B-TIME +of I-TIME +February I-TIME +2013 E-TIME +, O +FireEye S-SECTEAM +published O +a O +blogpost O +alerting O +readers O +to O +a O +combination O +of O +new O +Adobe B-TOOL +Reader E-TOOL +0-day S-VULNAME +vulnerabilities O +, O +CVE-2013-0640 S-VULID +and O +CVE-2013-0641 S-VULID +, O +that O +were O +being O +actively O +exploited O +in O +the O +wild O +. 
O +8 O +days O +after O +FireEye S-SECTEAM +’s O +initial O +alert O +, O +Kaspersky S-SECTEAM +spotted O +the O +same O +exploit O +being O +used O +to O +spread O +an O +entirely O +different O +malware O +family O +from O +the O +one O +mentioned O +in O +the O +original O +report O +. O + +On O +27th B-TIME +February E-TIME +, O +Kaspersky S-SECTEAM +and O +CrySyS B-SECTEAM +Lab E-SECTEAM +published O +research O +on O +this O +previously O +unidentified O +malware O +family O +, O +dubbing O +it O +MiniDuke S-MAL +. O + +As O +we O +now O +know O +, O +by O +February B-TIME +2013 E-TIME +the O +Dukes S-APT +group O +had O +been O +operating O +MiniDuke S-MAL +and O +other O +toolsets O +for O +at O +least O +4 B-TIME +and I-TIME +a I-TIME +half I-TIME +years E-TIME +. O + +Their O +malware O +had O +not O +stayed O +undetected O +for O +those O +4 B-TIME +and I-TIME +a I-TIME +half I-TIME +years E-TIME +. O + +In O +fact O +, O +in O +2009 S-TIME +a O +PinchDuke S-MAL +sample O +had O +been O +included O +in O +the O +malware O +set O +used O +by O +the O +AV-Test S-SECTEAM +security O +product O +testing O +organization O +to O +perform O +anti-virus O +product O +comparison O +reviews O +. O + +Until O +2013 S-TIME +however O +, O +earlier O +Duke S-APT +toolsets O +had O +not O +been O +put O +in O +a O +proper O +context O +. O + +That O +finally O +started O +to O +change O +in O +2013 S-TIME +. O + +The O +MiniDuke S-MAL +samples O +that O +were O +spread O +using O +these O +exploits O +were O +compiled O +on O +the O +20th B-TIME +of I-TIME +February E-TIME +, O +after O +the O +exploit O +was O +already O +publicly O +known O +. O + +One O +might O +argue O +that O +since O +this O +took O +place O +after O +the O +exploits O +were O +publicly O +mentioned O +, O +the O +Dukes S-APT +simply O +copied O +them O +. O + +We O +however O +do O +not O +believe O +so O +. 
O + +As O +mentioned O +by O +Kaspersky S-SECTEAM +, O +even O +though O +the O +exploits O +used O +for O +these O +MiniDuke S-MAL +campaigns O +were O +near-identical O +to O +those O +described O +by O +FireEye S-SECTEAM +, O +there O +were O +nevertheless O +small O +differences O +. O + +Of O +these O +, O +the O +crucial O +one O +is O +the O +presence O +of O +PDB S-TOOL +strings O +in O +the O +MiniDuke S-MAL +exploits O +. O + +These O +strings O +, O +which O +are O +generated O +by O +the O +compiler O +when O +using O +specific O +compilation O +settings O +, O +means O +that O +the O +components O +of O +the O +exploits O +used O +with O +MiniDuke S-MAL +had O +to O +have O +been O +compiled O +independently O +from O +those O +described O +by O +FireEye S-SECTEAM +. O + +We O +do O +not O +know O +whether O +the O +Dukes S-APT +compiled O +the O +components O +themselves O +or O +whether O +someone O +else O +compiled O +the O +components O +before O +handing O +them O +to O +the O +group O +. O + +This O +does O +however O +still O +rule O +out O +the O +possibility O +that O +the O +Dukes S-APT +simply O +obtained O +copies O +of O +the O +exploit O +binaries O +described O +by O +FireEye S-SECTEAM +and O +repurposed O +them O +. O + +In O +our O +opinion O +, O +this O +insistence O +on O +using O +exploits O +that O +are O +already O +under O +heightened O +scrutiny O +suggests O +the O +existence O +of O +at O +least O +one O +of O +three O +circumstances O +. O + +Firstly O +, O +the O +Dukes S-APT +may O +have O +been O +confident O +enough O +in O +their O +own O +abilities O +( O +and O +in O +the O +slowness O +of O +their O +opponents O +to O +react O +to O +new O +threats O +) O +that O +they O +did O +not O +care O +if O +their O +targets O +may O +already O +be O +on O +the O +lookout O +for O +anyone O +exploiting O +these O +vulnerabilities O +. 
O + +Secondly O +, O +the O +value O +the O +Dukes S-APT +intended O +to O +gain O +from O +these O +MiniDuke S-MAL +campaigns O +may O +have O +been O +so O +great O +that O +they O +deemed O +it O +worth O +the O +risk O +of O +getting O +noticed O +. O + +Or O +thirdly O +, O +the O +Dukes S-APT +may O +have O +invested O +so O +much O +into O +these O +campaigns O +that O +by O +the O +time O +FireEye S-SECTEAM +published O +their O +alert O +, O +the O +Dukes S-APT +felt O +they O +could O +not O +afford O +to O +halt O +the O +campaigns O +. O + +We O +believe O +all O +three O +circumstances O +to O +have O +coexisted O +at O +least O +to O +some O +extent O +. O + +As O +will O +become O +evident O +in O +this O +report O +, O +this O +was O +not O +a O +one-off O +case O +but O +a O +recurring O +theme O +with O +the O +Dukes S-APT +, O +in O +that O +they O +would O +rather O +continue O +with O +their O +operations O +as O +planned O +than O +retreat O +from O +operating O +under O +the O +spotlight O +. O + +As O +originally O +detailed O +in O +Kaspersky S-SECTEAM +’s O +whitepaper O +, O +the O +MiniDuke S-MAL +campaigns O +from O +February B-TIME +2013 E-TIME +employed O +spear-phishing S-ACT +emails S-TOOL +with O +malicious O +PDF S-TOOL +file O +attachments O +. O + +These O +PDFs S-TOOL +would O +attempt O +to O +silently O +infect O +the O +recipient O +with O +MiniDuke S-MAL +, O +while O +distracting O +them O +by O +displaying O +a O +decoy O +document O +. O + +The O +headings O +of O +these O +documents O +included O +“ O +Ukraine S-LOC +’s O +NATO S-IDTY +Membership O +Action O +Plan O +( O +MAP O +) O +Debates O +” O +, O +“ O +The O +Informal O +Asia-Europe O +Meeting O +( O +ASEM O +) O +Seminar O +on O +Human O +Rights O +” O +, O +and O +“ O +Ukraine S-LOC +’s O +Search O +for O +a O +Regional O +Foreign O +Policy O +” O +. 
O + +The O +targets O +of O +these O +campaigns O +, O +according O +to O +Kaspersky S-SECTEAM +, O +were O +located O +variously O +in O +Belgium S-LOC +, O +Hungary S-LOC +, O +Luxembourg S-LOC +and O +Spain S-LOC +. O + +Kaspersky S-SECTEAM +goes O +on O +to O +state O +that O +by O +obtaining O +log O +files O +from O +the O +MiniDuke S-MAL +command B-TOOL +and I-TOOL +control E-TOOL +servers O +, O +they O +were O +able O +to O +identify O +high-profile O +victims O +from O +Ukraine S-LOC +, O +Belgium S-LOC +, O +Portugal S-LOC +, O +Romania S-LOC +, O +the O +Czech B-LOC +Republic E-LOC +, O +Ireland S-LOC +, O +the O +United B-LOC +States E-LOC +and O +Hungary S-LOC +. O + +After O +the O +February S-TIME +campaigns O +, O +MiniDuke S-MAL +activity O +appeared O +to O +quiet O +down O +, O +although O +it O +did O +not O +fully O +stop O +, O +for O +the O +rest B-TIME +of I-TIME +2013 E-TIME +. O + +The O +Dukes S-APT +group O +as O +a O +whole O +however O +showed O +no O +sign O +of O +slowing O +down O +. O + +In O +fact O +, O +we O +saw O +yet O +another O +Duke S-APT +malware O +toolset O +, O +OnionDuke S-MAL +, O +appear O +first O +in O +2013 S-TIME +. O + +Like O +CozyDuke S-MAL +, O +OnionDuke S-MAL +appears O +to O +have O +been O +designed O +with O +versatility O +in O +mind O +, O +and O +takes O +a O +similarly O +modular O +platform O +approach O +. O + +The O +OnionDuke S-MAL +toolset O +includes O +various O +modules O +for O +purposes O +such O +as O +password O +stealing O +, O +information O +gathering O +, O +denial B-TOOL +of I-TOOL +service E-TOOL +( O +DoS S-TOOL +) O +attacks O +, O +and O +even O +posting O +spam O +to O +the O +Russian O +social O +media O +network O +, O +VKontakte S-TOOL +. 
O + +The O +OnionDuke S-MAL +toolset O +also O +includes O +a O +dropper O +, O +an O +information O +stealer O +variant O +and O +multiple O +distinct O +versions O +of O +the O +core O +component O +that O +is O +responsible O +for O +interacting O +with O +the O +various O +modules O +. O + +What O +makes O +OnionDuke S-MAL +especially O +curious O +is O +an O +infection O +vector O +it O +began O +using O +during O +the O +summer B-TIME +of I-TIME +2013 E-TIME +. O + +To O +spread O +the O +toolset O +, O +the O +Dukes S-APT +used O +a O +wrapper O +to O +combine O +OnionDuke S-MAL +with O +legitimate O +applications O +, O +created O +torrent O +files O +containing O +these O +trojanized O +applications O +, O +then O +uploaded O +them O +to O +websites O +hosting O +torrent O +files O +. O + +Victims O +who O +used O +the O +torrent O +files O +to O +download O +the O +applications O +would O +end O +up O +getting O +infected O +with O +OnionDuke S-MAL +. O + +For O +most O +of O +the O +OnionDuke S-MAL +components O +we O +observed O +, O +the O +first O +versions O +that O +we O +are O +aware O +of O +were O +compiled O +during O +the O +summer B-TIME +of I-TIME +2013 E-TIME +, O +suggesting O +that O +this O +was O +a O +period O +of O +active O +development O +around O +this O +toolset O +. O + +Critically O +however O +, O +the O +first O +sample O +of O +the O +OnionDuke S-MAL +dropper O +, O +which O +we O +have O +observed O +being O +used O +only O +with O +components O +of O +this O +toolset O +, O +was O +compiled O +on O +the O +17th B-TIME +of I-TIME +February I-TIME +2013 E-TIME +. O + +This O +is O +significant O +because O +it O +suggests O +that O +OnionDuke S-MAL +was O +under O +development O +before O +any O +part O +of O +the O +Duke S-APT +operation O +became O +public O +. 
O + +OnionDuke S-MAL +’s O +development O +therefore O +could O +not O +have O +been O +simply O +a O +response O +to O +the O +outing O +of O +one O +of O +the O +other O +Duke S-APT +malware O +, O +but O +was O +instead O +intended O +for O +use O +alongside O +the O +other O +toolsets O +. O + +This O +indication O +that O +the O +Dukes S-APT +planned O +to O +use O +an O +arsenal O +of O +5 O +malware O +toolsets O +in O +parallel O +suggests O +that O +they O +were O +operating O +with O +both O +significant O +resources O +and O +capacity O +. O + +In O +2013 S-TIME +, O +many O +of O +the O +decoy O +documents O +employed O +by O +the O +Dukes S-APT +in O +their O +campaigns O +were O +related O +to O +Ukraine S-LOC +; O +examples O +include O +a O +letter O +undersigned O +by O +the O +First O +Deputy O +Minister O +for O +Foreign B-IDTY +Affairs E-IDTY +of O +Ukraine S-LOC +, O +a O +letter O +from O +the O +embassy O +of O +the O +Netherlands S-LOC +in O +Ukraine S-LOC +to O +the O +Ukrainian B-IDTY +Ministry E-IDTY +of O +Foreign B-IDTY +affairs E-IDTY +and O +a O +document O +titled O +“ O +Ukraine S-LOC +’s O +Search O +for O +a O +Regional O +Foreign O +Policy O +” O +. O + +These O +decoy O +documents O +however O +were O +written O +before O +the O +start B-TIME +of I-TIME +the I-TIME +November I-TIME +2013 E-TIME +Euromaidan S-ACT +protests O +in O +Ukraine S-APT +and O +the O +subsequent O +upheaval O +. O + +It O +is O +therefore O +important O +to O +note O +that O +, O +contrary O +to O +what O +might O +be O +assumed O +, O +we O +have O +actually O +observed O +a O +drop O +instead O +of O +an O +increase O +in O +Ukraine S-LOC +related O +campaigns O +from O +the O +Dukes S-APT +following O +the O +country O +’s O +political O +crisis O +. 
O + +This O +is O +in O +stark O +contrast O +to O +some O +other O +suspected O +Russian O +threat O +actors O +( O +such O +as O +Operation B-ACT +Pawn I-ACT +Storm E-ACT +) O +who O +appear O +to O +have O +increased O +their O +targeting O +of O +Ukraine O +following O +the O +crisis O +. O + +This O +supports O +our O +analysis O +that O +the O +overarching O +theme O +in O +the O +Dukes S-APT +’ O +targeting O +is O +the O +collection O +of O +intelligence O +to O +support O +diplomatic O +efforts O +. O + +The O +Dukes S-APT +actively O +targeted O +Ukraine S-LOC +before O +the O +crisis O +, O +at O +a O +time O +when O +Russia S-LOC +was O +still O +weighing O +her O +options O +, O +but O +once O +Russia S-LOC +moved O +from O +diplomacy O +to O +direct O +action O +, O +Ukraine S-LOC +was O +no O +longer O +relevant O +to O +the O +Dukes S-APT +in O +the O +same O +way O +. O + +In O +a O +surprising O +turn O +of O +events O +, O +in O +September B-TIME +2013 E-TIME +a O +CosmicDuke S-MAL +campaign O +was O +observed O +targeting O +Russian O +speakers O +involved O +in O +the O +trade O +of O +illegal O +and O +controlled O +substances O +. O + +Kaspersky B-SECTEAM +Labs E-SECTEAM +, O +who O +sometimes O +refer O +to O +CosmicDuke S-MAL +as O +‘ O +Bot O +Gen O +Studio O +’ O +, O +speculated O +that O +“ O +one O +possibility O +is O +that O +‘ O +Bot O +Gen O +Studio O +’ O +is O +a O +malware O +platform O +also O +available O +as O +a O +so-called O +‘ O +legal O +spyware O +’ O +tool O +” O +; O + +therefore O +, O +those O +using O +CosmicDuke S-MAL +to O +target O +drug O +dealers O +and O +those O +targeting O +governments O +are O +two O +separate O +entities O +. O + +We O +however O +feel O +it O +is O +unlikely O +that O +the O +CosmicDuke S-MAL +operators O +targeting O +drug O +dealers O +and O +those O +targeting O +governments O +could O +be O +two O +entirely O +independent O +entities O +. 
O + +A O +shared O +supplier O +of O +malware O +would O +explain O +the O +overlap O +in O +tools O +, O +but O +it O +would O +not O +explain O +the O +significant O +overlap O +we O +have O +also O +observed O +in O +operational O +techniques O +related O +to O +command O +and O +control O +infrastructure O +. O + +Instead O +, O +we O +feel O +the O +targeting O +of O +drug O +dealers O +was O +a O +new O +task O +for O +a O +subset O +of O +the O +Dukes S-APT +group O +, O +possibly O +due O +to O +the O +drug O +trade O +’s O +relevance O +to O +security O +policy O +issues O +. O + +We O +also O +believe O +the O +tasking O +to O +have O +been O +temporary O +, O +because O +we O +have O +not O +observed O +any O +further O +similar O +targeting O +from O +the O +Dukes S-APT +after O +the O +spring B-TIME +of I-TIME +2014 E-TIME +. O + +While O +MiniDuke S-MAL +activity O +decreased O +significantly O +during O +the O +rest B-TIME +of I-TIME +2013 E-TIME +following O +the O +attention O +it O +garnered O +from O +researchers O +, O +the O +beginning B-TIME +of I-TIME +2014 E-TIME +saw O +the O +toolset O +back O +in O +full O +force O +. O + +All O +MiniDuke S-MAL +components O +, O +from O +the O +loader O +and O +downloader O +to O +the O +backdoor O +, O +had O +been O +slightly O +updated O +and O +modified O +during O +the O +downtime O +. O + +Interestingly O +, O +the O +nature O +of O +these O +modifications O +suggests O +that O +their O +primary O +purpose O +was O +to O +regain O +the O +element O +of O +stealth O +and O +undetectability O +that O +had O +been O +lost O +almost O +a O +year O +earlier O +. O + +Of O +these O +modifications O +, O +arguably O +the O +most O +important O +were O +the O +ones O +done O +to O +the O +loader O +. 
O + +These O +resulted O +in O +a O +loader O +version O +that O +would O +later O +become O +known O +as O +the O +“ O +Nemesis B-MAL +Gemina I-MAL +loader E-MAL +” O +due O +to O +PDB S-TOOL +strings O +found O +in O +many O +of O +the O +samples O +. O + +It O +is O +however O +still O +only O +an O +iteration O +on O +earlier O +versions O +of O +the O +MiniDuke S-MAL +loader O +. O + +The O +first O +observed O +samples O +of O +the O +Nemesis B-MAL +Gemina I-MAL +loader E-MAL +( O +compiled O +on O +14th B-TIME +December I-TIME +2013 E-TIME +) O +were O +used O +to O +load O +the O +updated O +MiniDuke B-MAL +backdoor E-MAL +, O +but O +by O +the O +spring B-TIME +of I-TIME +2014 E-TIME +the O +Nemesis B-MAL +Gemina I-MAL +loader E-MAL +was O +also O +observed O +in O +use O +with O +CosmicDuke S-MAL +. O + +Following O +the O +MiniDuke S-MAL +expose O +, O +CosmicDuke S-MAL +in O +turn O +got O +its O +moment O +of O +fame O +when O +F-Secure S-SECTEAM +published O +a O +whitepaper O +about O +it O +on O +2nd B-TIME +July I-TIME +2014 E-TIME +. O + +The O +next O +day O +, O +Kaspersky S-SECTEAM +also O +published O +their O +own O +research O +on O +the O +malware O +. O + +It O +should O +be O +noted O +that O +until O +this O +point O +, O +even O +though O +CosmicDuke S-MAL +had O +been O +in O +active O +use O +for O +over O +4 O +years O +, O +and O +had O +undergone O +minor O +modifications O +and O +updates O +during O +that O +time O +, O +even O +the O +most O +recent O +CosmicDuke S-MAL +samples O +would O +often O +embed O +persistence O +components O +that O +date O +back O +to O +2012 S-TIME +. O + +These O +samples O +would O +also O +contain O +artefacts O +of O +functionality O +from O +the O +earliest O +CosmicDuke S-MAL +samples O +from O +2010 S-TIME +. O + +It O +is O +therefore O +valuable O +to O +observe O +how O +the O +Dukes O +reacted O +to O +CosmicDuke S-MAL +’s O +outing O +at O +the O +beginning O +of O +July O +. 
O + +By O +the O +end O +of O +that O +month O +, O +CosmicDuke S-MAL +samples O +we O +found O +that O +had O +been O +compiled O +on O +the O +30th B-TIME +of I-TIME +July E-TIME +had O +shed O +unused O +parts O +of O +their O +code O +that O +had O +essentially O +just O +been O +relics O +of O +the O +past O +. O + +Similarly O +, O +some O +of O +the O +hardcoded O +values O +that O +had O +remained O +unaltered O +in O +CosmicDuke S-MAL +samples O +for O +many O +years O +had O +been O +changed O +. O + +We O +believe O +these O +edits O +were O +an O +attempt O +at O +evading O +detection O +by O +modifying O +or O +removing O +parts O +of O +the O +toolset O +that O +the O +authors O +believed O +might O +be O +helpful O +in O +identifying O +and O +detecting O +it O +. O + +Concurrently O +with O +the O +alterations O +to O +CosmicDuke S-MAL +, O +the O +Dukes S-APT +were O +also O +hard O +at O +work O +modifying O +their O +trusted O +loader O +. O + +Much O +like O +the O +CosmicDuke S-MAL +toolset O +, O +the O +loader O +used O +by O +both O +MiniDuke S-MAL +and O +CosmicDuke S-MAL +had O +previously O +only O +undergone O +one O +major O +update O +( O +the O +Nemesis B-MAL +Gemina E-MAL +upgrade O +) O +since O +the O +first O +known O +samples O +from O +2010 S-TIME +. O + +Again O +, O +much O +of O +the O +modification O +work O +focused O +on O +removing O +redundant O +code O +in O +an O +attempt O +to O +appear O +different O +from O +earlier O +versions O +of O +the O +loader O +. O + +Interestingly O +however O +, O +another O +apparent O +evasion O +trick O +was O +also O +attempted O +- O +forging O +of O +the O +loaders O +’ O +compilation O +timestamps O +. O + +The O +first O +CosmicDuke S-MAL +sample O +we O +observed O +after O +the O +initial O +research O +on O +CosmicDuke S-MAL +was O +a O +sample O +compiled O +on O +the O +30th B-TIME +of I-TIME +July I-TIME +2014 E-TIME +. 
O + +The O +loader O +used O +by O +the O +sample O +purported O +to O +have O +been O +compiled O +on O +the O +25th B-TIME +of I-TIME +March I-TIME +2010 E-TIME +. O + +Due O +to O +artefacts O +left O +in O +the O +loader O +during O +compilation O +time O +however O +, O +we O +know O +that O +it O +used O +a O +specific O +version O +of O +the O +Boost S-TOOL +library O +, O +1.54.0 O +, O +that O +was O +only O +published O +on O +the O +1st B-TIME +of I-TIME +July I-TIME +2013 E-TIME +. O + +The O +compilation O +timestamp O +therefore O +had O +to O +have O +been O +faked O +. O + +F-Secure S-SECTEAM +’s O +whitepaper O +on O +CosmicDuke S-MAL +includes O +a O +timeline O +of O +the O +loader O +’s O +usage O +, O +based O +on O +compilation O +timestamps O +. O + +Perhaps O +the O +Dukes S-APT +group O +thought O +that O +by O +faking O +a O +timestamp O +from O +before O +the O +earliest O +one O +cited O +in O +the O +whitepaper O +, O +they O +might O +be O +able O +to O +confuse O +researchers O +. O + +During O +the O +rest B-TIME +of I-TIME +2014 E-TIME +and O +the O +spring B-TIME +of I-TIME +2015 E-TIME +, O +the O +Dukes S-APT +continued O +making O +similar O +evasionfocused O +modifications O +to O +CosmicDuke S-MAL +, O +as O +well O +as O +experimenting O +with O +ways O +to O +obfuscate O +the O +loader O +. O + +In O +the O +latter O +case O +however O +, O +the O +group O +appear O +to O +have O +also O +simultaneously O +developed O +an O +entirely O +new O +loader O +, O +which O +we O +first O +observed O +being O +used O +in O +conjunction O +with O +CosmicDuke S-MAL +during O +the O +spring B-TIME +of I-TIME +2015 E-TIME +. O + +While O +it O +is O +not O +surprising O +that O +the O +Dukes S-APT +reacted O +to O +multiple O +companies O +publishing O +extensive O +reports O +on O +one O +of O +their O +key O +toolsets O +, O +it O +is O +valuable O +to O +note O +the O +manner O +in O +which O +they O +responded O +. 
O + +Much O +like O +the O +MiniDuke S-MAL +expose O +in O +February B-TIME +2013 E-TIME +, O +the O +Dukes S-APT +again O +appeared O +to O +prioritize O +continuing O +operations O +over O +staying O +hidden O +. O + +They O +could O +have O +ceased O +all O +use O +of O +CosmicDuke S-MAL +( O +at O +least O +until O +they O +had O +developed O +a O +new O +loader O +) O +or O +retired O +it O +entirely O +, O +since O +they O +still O +had O +other O +toolsets O +available O +. O + +Instead O +, O +they O +opted O +for O +minimal O +downtime O +and O +attempted O +to O +continue O +operations O +, O +with O +only O +minor O +modifications O +to O +the O +toolset O +. O + +While O +we O +now O +know O +that O +CozyDuke S-MAL +had O +been O +under O +development O +since O +at O +least O +the O +end B-TIME +of I-TIME +2011 E-TIME +, O +it O +was O +not O +until O +the O +early O +days O +of O +July B-TIME +2014 E-TIME +that O +the O +first O +large-scale O +CozyDuke S-MAL +campaign O +that O +we O +are O +aware O +of O +took O +place O +. O + +This O +campaign O +, O +like O +later O +CozyDuke S-MAL +campaigns O +, O +began O +with O +spear-phishing S-ACT +emails S-TOOL +that O +tried O +to O +impersonate O +commonly O +seen O +spam O +emails S-TOOL +. O + +These O +spear-phishing S-ACT +emails S-TOOL +would O +contain O +links O +that O +eventually O +lead O +the O +victim O +to O +becoming O +infected O +with O +CozyDuke S-MAL +. O + +Some O +of O +the O +CozyDuke S-MAL +spear-phishing S-ACT +emails S-TOOL +from O +early O +July S-TIME +posed O +as O +e-fax S-TOOL +arrival O +notifications O +, O +a O +popular O +theme O +for O +spam O +emails S-TOOL +, O +and O +used O +the O +same O +“ O +US S-LOC +letter O +fax S-TOOL +test O +page O +” O +decoy O +document O +that O +was O +used O +a O +year O +later O +by O +CloudDuke S-MAL +. 
O + +In O +at O +least O +one O +case O +however O +, O +the O +email S-TOOL +instead O +contained O +a O +link O +to O +a O +zip S-TOOL +archive O +file O +named O +“ O +Office B-FILE +Monkeys I-FILE +LOL I-FILE +Video.zip E-FILE +” O +, O +which O +was O +hosted O +on O +the O +DropBox S-TOOL +cloud O +storage O +service O +. O + +What O +made O +this O +particular O +case O +interesting O +was O +that O +instead O +of O +the O +usual O +dull O +PDF S-TOOL +file O +, O +the O +decoy O +was O +a O +Flash S-TOOL +video O +file O +, O +more O +specifically O +a O +Super O +Bowl O +advertisement O +from O +2007 S-TIME +purporting O +to O +show O +monkeys O +at O +an O +office O +. O + + +THE O +DUKES S-APT +7 O +YEARS O +OF O +RUSSIAN O +CYBERESPIONAGE O +. O + +Release_Time O +: O +2015-09 O + +Report_URL O +: O +https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf O + +2014 S-TIME +: O +OnionDuke S-MAL +gets O +caught O +using O +a O +malicious O +Tor S-TOOL +node O +. O + +On O +the O +23rd B-TIME +of I-TIME +October I-TIME +2014 E-TIME +, O +Leviathan B-SECTEAM +Security I-SECTEAM +Group E-SECTEAM +published O +a O +blog O +post O +describing O +a O +malicious O +Tor S-TOOL +exit O +node O +they O +had O +found O +. O + +They O +noted O +that O +this O +node O +appeared O +to O +be O +maliciously O +modifying O +any O +executables O +that O +were O +downloaded O +through O +it O +over O +a O +HTTP S-PROT +connection O +. O + +Executing O +the O +modified O +applications O +obtained O +this O +way O +would O +result O +in O +the O +victim O +being O +infected O +with O +unidentified O +malware O +. O + +On O +the O +14th B-TIME +of I-TIME +November E-TIME +, O +F-Secure S-SECTEAM +published O +a O +blog O +post O +naming O +the O +malware O +OnionDuke S-MAL +and O +associating O +it O +with O +MiniDuke S-MAL +and O +CosmicDuke S-MAL +, O +the O +other O +Duke S-APT +toolsets O +known O +at O +the O +time O +. 
O + +Based O +on O +our O +investigations O +into O +OnionDuke S-MAL +, O +we O +believe O +that O +for O +about O +7 O +months O +, O +from O +April B-TIME +2014 E-TIME +to O +when O +Leviathan S-SECTEAM +published O +their O +blog O +post O +in O +October B-TIME +2014 E-TIME +, O +the O +Tor S-TOOL +exit O +node O +identified O +by O +the O +researchers O +was O +being O +used O +to O +wrap O +executables O +on-the-fly O +with O +OnionDuke S-MAL +( O +image O +7 O +, O +page O +13 O +) O +. O + +This O +is O +similar O +to O +the O +way O +in O +which O +the O +toolset O +was O +being O +spread O +via O +trojanized O +applications O +in O +torrent O +files O +during O +the O +summer B-TIME +of I-TIME +2013 E-TIME +. O + +While O +investigating O +the O +OnionDuke S-MAL +variant O +being O +spread O +by O +the O +malicious O +Tor S-TOOL +node O +, O +we O +also O +identified O +another O +OnionDuke S-MAL +variant O +that O +appeared O +to O +have O +successfully O +compromised O +multiple O +victims O +in O +the O +ministry O +of O +foreign O +affairs O +of O +an O +Eastern O +European O +country O +during O +the O +spring B-TIME +of I-TIME +2014 E-TIME +. O + +This O +variant O +differed O +significantly O +in O +functionality O +from O +the O +one O +being O +spread O +via O +the O +Tor S-TOOL +node O +, O +further O +suggesting O +that O +different O +OnionDuke S-MAL +variants O +are O +intended O +for O +different O +kinds O +of O +victims O +. O + +We O +believe O +that O +, O +unusually O +, O +the O +purpose O +of O +the O +OnionDuke S-MAL +variant O +spread O +via O +the O +Tor S-TOOL +node O +was O +not O +to O +pursue O +targeted O +attacks O +but O +instead O +to O +form O +a O +small O +botnet O +for O +later O +use O +. O + +This O +OnionDuke S-MAL +variant O +is O +related O +to O +the O +one O +seen O +during O +the O +summer B-TIME +of I-TIME +2013 E-TIME +being O +spread O +via O +torrent O +files O +. 
O + +Both O +of O +these O +infection O +vectors O +are O +highly O +indiscriminate O +and O +untargeted O +when O +compared O +to O +spearphishing S-ACT +, O +the O +usual O +infection O +vector O +of O +choice O +for O +the O +Dukes S-APT +. O + +Further O +, O +the O +functionality O +of O +the O +OnionDuke S-MAL +variant O +is O +derived O +from O +a O +number O +of O +modules O +. O + +While O +one O +of O +these O +modules O +gathers O +system O +information O +and O +another O +attempts O +to O +steal O +the O +victim O +’s O +usernames O +and O +passwords O +, O +as O +one O +would O +expect O +from O +a O +malware O +used O +for O +a O +targeted O +attack O +, O +the O +other O +two O +known O +OnionDuke S-MAL +modules O +are O +quite O +the O +opposite O +; O +one O +is O +designed O +for O +use O +in O +DoS S-TOOL B-ACT +attacks E-ACT +and O +the O +other O +for O +posting O +predetermined O +messages O +to O +the O +Russian O +VKontakte S-TOOL +social O +media O +site O +. O + +This O +sort O +of O +functionality O +is O +more O +common O +in O +criminality-oriented O +botnets O +, O +not O +statesponsored O +targeted O +attacks O +. O + +We O +have O +since O +been O +able O +to O +identify O +at O +least O +two O +separate O +OnionDuke S-MAL +botnets O +. O + +We O +believe O +the O +formation O +of O +the O +first O +of O +these O +botnets O +began O +in O +January B-TIME +2014 E-TIME +, O +using O +both O +unidentified O +infection O +vectors O +and O +the O +known O +malicious O +Tor S-TOOL +node O +, O +and O +continued O +until O +our O +blogpost O +was O +published O +in O +November S-TIME +. O + +We O +believe O +the O +formation O +of O +the O +second O +botnet O +began O +in O +August B-TIME +2014 E-TIME +and O +continued O +until O +January B-TIME +2015 E-TIME +. 
O + +We O +have O +been O +unable O +to O +identify O +the O +infection O +vectors O +used O +for O +this O +second O +botnet O +, O +but O +the O +C&C S-TOOL +servers O +it O +used O +had O +open O +directory O +listings O +, O +allowing O +us O +to O +retrieve O +files O +containing O +listings O +of O +victim O +IP O +addresses O +. O + +The O +geographic O +distribution O +of O +these O +IP O +addresses O +( O +image O +8 O +, O +page O +13 O +) O +further O +supports O +our O +theory O +that O +the O +purpose O +of O +this O +OnionDuke S-MAL +variant O +was O +not O +targeted O +attacks O +against O +high-profile O +targets O +. O + +One O +theory O +is O +that O +the O +botnets O +were O +a O +criminal O +side O +business O +for O +the O +Dukes S-APT +group O +. O + +The O +size O +of O +the O +botnet O +however O +( O +about O +1400 O +bots O +) O +is O +very O +small O +if O +its O +intended O +use O +is O +for O +commercial O +DoS S-TOOL +attacks O +or O +spam-sending O +. O + +Alternatively O +, O +OnionDuke S-MAL +also O +steals O +user O +credentials O +from O +its O +victims O +, O +providing O +another O +potential O +revenue O +source O +. O + +The O +counter O +to O +that O +argument O +however O +is O +that O +the O +value O +of O +stolen O +credentials O +from O +users O +in O +the O +countries O +with O +the O +highest O +percentage O +of O +OnionDuke S-MAL +bots O +( O +Mongolia S-LOC +and O +India S-LOC +) O +are O +among O +the O +lowest O +on O +underground O +markets O +. O +2015 S-TIME +: O +The O +Dukes S-APT +up O +the O +ante O +. O + +The O +end B-TIME +of I-TIME +January I-TIME +2015 E-TIME +saw O +the O +start O +of O +the O +most O +high- O +volume O +Duke S-APT +campaign O +seen O +thus O +far O +, O +with O +thousands O +of O +recipients O +being O +sent O +spear-phishing S-ACT +emails S-TOOL +that O +contained O +links O +to O +compromised O +websites O +hosting O +CozyDuke S-MAL +. 
O + +Curiously O +, O +the O +spear-phishing S-ACT +emails S-TOOL +were O +strikingly O +similar O +to O +the O +e-fax O +themed O +spam O +usually O +seen O +spreading O +ransomware O +and O +other O +common O +crimeware O +. O + +Due O +to O +the O +sheer O +number O +of O +recipients O +, O +it O +may O +not O +have O +been O +possible O +to O +customize O +the O +emails S-TOOL +in O +the O +same O +way O +as O +was O +possible O +with O +lower-volume O +campaigns O +. O + +The O +similarity O +to O +common O +spam O +may O +however O +also O +serve O +a O +more O +devious O +purpose O +. O + +It O +is O +easy O +to O +imagine O +a O +security O +analyst O +, O +burdened O +by O +the O +amount O +of O +attacks O +against O +their O +network O +, O +dismissing O +such O +common-looking O +spam O +as O +“ O +just O +another O +crimeware O +spam O +run O +” O +, O +allowing O +the O +campaign O +to O +, O +in O +essence O +, O +hide O +in O +the O +masses O +. O + +The O +CozyDuke S-MAL +activity O +continues O +one O +of O +the O +long-running O +trends O +of O +the O +Dukes S-APT +operations O +, O +the O +use O +of O +multiple O +malware O +toolsets O +against O +a O +single O +target O +. O + +In O +this O +case O +, O +the O +Dukes S-APT +first O +attempted O +to O +infect O +large O +numbers O +of O +potential O +targets O +with O +CozyDuke S-MAL +( O +and O +in O +a O +more O +obvious O +manner O +than O +previously O +seen O +) O +. O + +They O +would O +then O +use O +the O +toolset O +to O +gather O +initial O +information O +on O +the O +victims O +, O +before O +deciding O +which O +ones O +to O +pursue O +further O +. O + +For O +the O +victims O +deemed O +interesting O +enough O +, O +the O +Dukes S-APT +would O +then O +deploy O +a O +different O +toolset O +. O + +We O +believe O +the O +primary O +purpose O +of O +this O +tactic O +is O +an O +attempt O +at O +evading O +detection O +in O +the O +targeted O +network O +. 
O + +Even O +if O +the O +noisy O +initial O +CozyDuke S-MAL +campaign O +is O +noticed O +by O +the O +victim O +organization O +, O +or O +by O +someone O +else O +who O +then O +makes O +it O +publicly O +known O +, O +defenders O +will O +begin O +by O +first O +looking O +for O +indicators B-TOOL +of I-TOOL +compromise E-TOOL +( O +IOCs S-TOOL +) O +related O +to O +the O +CozyDuke S-MAL +toolset O +. O + +If O +however O +by O +that O +time O +the O +Dukes S-APT +are O +already O +operating O +within O +the O +victim O +’s O +network O +, O +using O +an O +another O +toolset O +with O +different O +IOCs S-TOOL +, O +then O +it O +is O +reasonable O +to O +assume O +that O +it O +will O +take O +much O +longer O +for O +the O +victim O +organization O +to O +notice O +the O +infiltration O +. O + +In O +previous O +cases O +, O +the O +group O +used O +their O +malware O +toolsets O +interchangeably O +, O +as O +either O +the O +initial O +or O +a O +later-stage O +toolset O +in O +a O +campaign O +. O + +For O +these O +CozyDuke S-MAL +campaigns O +however O +, O +the O +Dukes S-APT +appear O +to O +have O +employed O +two O +particular O +later-stage O +toolsets O +, O +SeaDuke S-MAL +and O +HammerDuke S-MAL +, O +that O +were O +purposely O +designed O +to O +leave O +a O +persistent O +backdoor O +on O +the O +compromised O +network O +. O + +HammerDuke S-MAL +is O +a O +set O +of O +backdoors O +that O +was O +first O +seen O +in O +the O +wild O +in O +February B-TIME +2015 E-TIME +, O +while O +SeaDuke S-MAL +is O +a O +crossplatform O +backdoor O +that O +was O +, O +according O +to O +Symantec S-SECTEAM +, O +first O +spotted O +in O +the O +wild O +in O +October B-TIME +2014 E-TIME +. O + +Both O +toolsets O +were O +originally O +spotted O +being O +deployed O +by O +CozyDuke S-MAL +to O +its O +victims O +. 
O + +What O +makes O +SeaDuke S-MAL +special O +is O +that O +it O +was O +written O +in O +Python S-TOOL +and O +designed O +to O +work O +on O +both O +Windows S-OS +and O +Linux S-OS +systems O +; O +it O +is O +the O +first O +cross-platform O +tool O +we O +have O +seen O +from O +the O +Dukes S-APT +. O + +One O +plausible O +reason O +for O +developing O +such O +a O +flexible O +malware O +might O +be O +that O +the O +group O +were O +increasingly O +encountering O +victim O +environments O +where O +users O +were O +using O +Linux S-OS +as O +their O +desktop O +operating O +system O +. O + +Meanwhile O +, O +HammerDuke S-MAL +is O +a O +Windows S-OS +only O +malware O +( O +written O +in O +.NET S-TOOL +) O +and O +comes O +in O +two O +variants O +. O + +The O +simpler O +one O +will O +connect O +to O +a O +hardcoded O +C&C S-TOOL +server O +over O +HTTP S-PROT +or O +HTTPS S-PROT +to O +download O +commands O +to O +execute O +. O + +The O +more O +advanced O +variant O +, O +on O +the O +other O +hand O +, O +will O +use O +an O +algorithm O +to O +generate O +a O +periodically-changing O +Twitter S-TOOL +account O +name O +and O +will O +then O +attempt O +to O +find O +tweets O +from O +that O +account O +containing O +links O +to O +the O +actual O +download O +location O +of O +the O +commands O +to O +execute O +. O + +In O +this O +way O +, O +the O +advanced O +HammerDuke S-MAL +variant O +attempts O +to O +hide O +its O +network O +traffic O +in O +more O +legitimate O +use O +of O +Twitter S-TOOL +. O + +This O +method O +is O +not O +unique O +to O +HammerDuke S-MAL +, O +as O +MiniDuke S-MAL +, O +OnionDuke S-MAL +, O +and O +CozyDuke S-MAL +all O +support O +similar O +use O +of O +Twitter S-TOOL +( O +image O +9 O +, O +page O +18 O +) O +to O +retrieve O +links O +to O +additional O +payloads O +or O +commands O +. O +2015 S-TIME +: O +CloudDuke S-MAL +. 
O + +In O +the O +beginning B-TIME +of I-TIME +July I-TIME +2015 E-TIME +, O +the O +Dukes S-APT +embarked O +on O +yet O +another O +large-scale O +phishing S-ACT +campaign O +. O + +The O +malware O +toolset O +used O +for O +this O +campaign O +was O +the O +previously O +unseen O +CloudDuke S-MAL +and O +we O +believe O +that O +the O +July S-TIME +campaign O +marks O +the O +first O +time O +that O +this O +toolset O +was O +deployed O +by O +the O +Dukes S-APT +, O +other O +than O +possible O +small-scale O +testing O +. O + +The O +CloudDuke S-MAL +toolset O +consists O +of O +at O +least O +a O +loader S-MAL +, O +a O +downloader S-MAL +, O +and O +two O +backdoor O +variants O +. O + +Both O +backdoors O +( O +internally O +referred O +to O +by O +their O +authors O +as O +“ O +BastionSolution S-MAL +” O +and O +“ O +OneDriveSolution S-MAL +” O +) O +essentially O +allow O +the O +operator O +to O +remotely O +execute O +commands O +on O +the O +compromised O +machine O +. O + +The O +way O +in O +which O +each O +backdoor O +does O +so O +however O +is O +significantly O +different O +. O + +While O +the O +BastionSolution S-MAL +variant O +simply O +retrieves O +commands O +from O +a O +hard-coded O +C&C S-TOOL +server O +controlled O +by O +the O +Dukes S-APT +, O +the O +OneDriveSolution S-MAL +utilizes O +Microsoft S-IDTY +’s O +OneDrive S-TOOL +cloud O +storage O +service O +for O +communicating O +with O +its O +masters O +, O +making O +it O +significantly O +harder O +for O +defenders O +to O +notice O +the O +traffic O +and O +block O +the O +communication O +channel O +. O + +What O +is O +most O +significant O +about O +the O +July B-TIME +2015 E-TIME +CloudDuke S-MAL +campaign O +is O +the O +timeline O +. 
O + +The O +campaign O +appeared O +to O +consist O +of O +two O +distinct O +waves O +of O +spear-phishing S-ACT +, O +one O +during O +the O +first B-TIME +days I-TIME +of I-TIME +July E-TIME +and O +the O +other O +starting O +from O +the O +20th B-TIME +of I-TIME +the I-TIME +month E-TIME +. O + +Details O +of O +the O +first O +wave O +, O +including O +a O +thorough O +technical O +analysis O +of O +CloudDuke S-MAL +, O +was O +published O +by O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +on O +14th B-TIME +July E-TIME +. O + +This O +was O +followed O +by O +additional O +details O +from O +Kaspersky S-SECTEAM +in O +a O +blog O +post O +published O +on O +16th B-TIME +July E-TIME +. O + +Both O +publications O +happened O +before O +the O +second O +wave O +took O +place O +and O +received O +notable O +publicity O +. O + +Despite O +the O +attention O +and O +public O +exposure O +of O +the O +toolset O +’s O +technical O +details O +( O +including O +IOCs S-TOOL +) O +to O +defenders O +, O +the O +Dukes S-APT +still O +continued O +with O +their O +second O +wave O +of O +spear-phishing S-ACT +, O +including O +the O +continued O +use O +of O +CloudDuke S-MAL +. O + +The O +group O +did O +change O +the O +contents O +of O +the O +spear-phishing S-ACT +emails S-TOOL +they O +sent O +, O +but O +they O +didn’t O +switch O +to O +a O +new O +email S-TOOL +format O +; O +instead O +, O +they O +reverted O +to O +the O +same O +efaxthemed O +format O +that O +they O +had O +previously O +employed O +, O +even O +to O +the O +point O +of O +reusing O +the O +exact O +same O +decoy O +document O +that O +they O +had O +used O +in O +the O +CozyDuke S-MAL +campaign O +a O +year O +earlier O +( O +July B-TIME +2014 E-TIME +) O +. O + +This O +once O +more O +highlights O +two O +crucial O +behavioral O +elements O +of O +the O +Dukes S-APT +group O +. 
O + +Firstly O +, O +as O +with O +the O +MiniDuke S-MAL +campaigns O +of O +February B-TIME +2013 E-TIME +and O +CosmicDuke S-MAL +campaigns O +in O +the O +summer B-TIME +of I-TIME +2014 E-TIME +, O +again O +the O +group O +clearly O +prioritized O +the O +continuation O +of O +their O +operations O +over O +maintaining O +stealth O +. O + +Secondly O +, O +it O +underlines O +their O +boldness O +, O +arrogance O +and O +self-confidence O +; O +they O +are O +clearly O +confident O +in O +both O +their O +ability O +to O +compromise O +their O +targets O +even O +when O +their O +tools O +and O +techniques O +are O +already O +publicly O +known O +, O +and O +critically O +, O +they O +appear O +to O +be O +extremely O +confident O +in O +their O +ability O +to O +act O +with O +impunity O +. O +2015 S-TIME +: O +Continuing O +surgical O +strikes O +with O +CosmicDuke S-MAL +. O + +In O +addition O +to O +the O +notably O +overt O +and O +large-scale O +campaigns O +with O +CozyDuke S-MAL +and O +CloudDuke S-MAL +, O +the O +Dukes S-APT +also O +continued O +to O +engage O +in O +more O +covert O +, O +surgical O +campaigns O +using O +CosmicDuke S-MAL +. O + +The O +latest O +of O +these O +campaigns O +that O +we O +are O +aware O +of O +occurred O +during O +the O +spring S-TIME +and O +early B-TIME +summer I-TIME +of I-TIME +2015 E-TIME +. O + +As O +their O +infection O +vectors O +, O +these O +campaigns O +used O +malicious O +documents O +exploiting O +recently O +fixed O +vulnerabilities O +. O + +Two O +of O +these O +campaigns O +were O +detailed O +in O +separate O +blog O +posts O +by O +the O +Polish O +security O +company O +Prevenity S-SECTEAM +, O +who O +said O +that O +both O +campaigns O +targeted O +Polish O +entities O +with O +spear- B-ACT +phishing E-ACT +emails S-TOOL +containing O +malicious O +attachments O +with O +relevant O +Polish O +language O +names O +. 
O + +A O +third O +, O +similar O +, O +CosmicDuke S-MAL +campaign O +was O +observed O +presumably O +targeting O +Georgian S-LOC +entities O +since O +it O +used O +an O +attachment O +with O +a O +Georgian-language O +name O +that O +translates O +to O +“ O +NATO B-FILE +consolidates I-FILE +control I-FILE +of I-FILE +the I-FILE +Black I-FILE +Sea.docx E-FILE +” O +. O + +Based O +on O +this O +, O +we O +do O +not O +believe O +that O +the O +Dukes S-APT +are O +replacing O +their O +covert O +and O +targeted O +campaigns O +with O +the O +overt O +and O +opportunistic O +CozyDuke S-MAL +and O +CloudDuke S-MAL +style O +of O +campaigns O +. O + +Instead O +, O +we O +believe O +that O +they O +are O +simply O +expanding O +their O +activities O +by O +adding O +new O +tools O +and O +techniques O +. O + + +A O +XENOTIME S-APT +to O +Remember O +: O +Veles S-TOOL +in O +the O +Wild O +. O + +FireEye S-SECTEAM +recently O +published O +a O +blog O +covering O +the O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +for O +the O +“ O +TRITON S-MAL +actor O +” O +when O +preparing O +to O +deploy O +the O +TRITON S-MAL +/ O +TRISIS S-MAL +malware O +framework O +in O +2017 S-TIME +. O + +Overall O +, O +the O +post O +does O +a O +commendable O +job O +in O +making O +public O +findings O +previously O +only O +privately O +shared O +( O +presumably O +by O +FireEye S-SECTEAM +, O +and O +in O +several O +reports O +I O +authored O +for O +my O +employer O +, O +Dragos S-SECTEAM +) O +to O +threat O +intelligence O +customers O +. O + +As O +such O +, O +the O +blog O +continues O +to O +push O +forward O +the O +narrative O +of O +how O +ICS S-TOOL +attacks O +are O +enabled O +through O +prepositioning O +and O +initial O +intrusion O +operations O +– O +an O +item O +I O +have O +discussed O +at O +length O +. 
O + +Yet O +one O +point O +of O +confusion O +in O +the O +blog O +comes O +at O +the O +very O +start O +: O +referring O +to O +the O +entity O +responsible O +for O +TRITON S-MAL +as O +the O +“ O +TRITON S-MAL +actor O +” O +. O + +This O +seems O +confusing O +as O +FireEye S-SECTEAM +earlier O +publicly O +declared O +the O +“ O +TRITON S-MAL +actor O +” O +as O +a O +discrete O +entity O +, O +linked O +to O +a O +Russian O +research O +institution O +, O +and O +christened O +it O +as O +“ O +TEMP.Veles S-APT +” O +. O + +In O +the O +2018 S-TIME +public O +posting O +announcing O +TEMP.Veles S-APT +, O +FireEye S-SECTEAM +researchers O +noted O +that O +the O +institute O +in O +question O +at O +least O +supported O +TEMP.Veles S-APT +activity O +in O +deploying O +TRITON S-MAL +, O +with O +subsequent O +public O +presentations O +at O +Cyberwarcon S-SECTEAM +and O +the O +Kaspersky B-SECTEAM +Lab E-SECTEAM +sponsored O +Security B-SECTEAM +Analyst I-SECTEAM +Summit E-SECTEAM +essentially O +linking O +TRITON S-MAL +and O +the O +research O +institute O +( O +and O +therefore O +TEMP.Veles S-MAL +) O +as O +one O +in O +the O +same O +. O + +Yet O +the O +most-recent O +posting O +covering O +TTPs O +from O +initial O +access O +through O +prerequisites O +to O +enable O +final O +delivery O +of O +effects O +on O +target O +( O +deploying O +TRITON S-MAL +/ O +TRISIS S-MAL +) O +avoids O +the O +use O +of O +the O +TEMP.Veles S-APT +term O +entirely O +. O + +In O +subsequent O +discussion O +, O +FireEye S-SECTEAM +personnel O +indicate O +that O +there O +was O +not O +“ O +an O +avalanche O +of O +evidence O +to O +substantiate O +” O +anything O +more O +than O +“ O +TRITON S-MAL +actor O +” O +– O +summing O +matters O +by O +indicating O +this O +term O +“ O +is O +the O +best O +we O +’ve O +got O +for O +the O +public O +for O +now O +” O +. 
O + +Meanwhile O +, O +parallel O +work O +at O +Dragos S-SECTEAM +( O +my O +employer O +, O +where O +I O +have O +performed O +significant O +work O +on O +the O +activity O +described O +above O +) O +uncovered O +similar O +conclusions O +concerning O +TTPs O +and O +behaviors O +, O +for O +both O +the O +2017 S-TIME +event O +and O +subsequent O +activity O +in O +other O +industrial O +sectors O +. O + +Utilizing O +Diamond B-TOOL +Model E-TOOL +methodology O +for O +characterizing O +activity O +by O +behaviors O +attached O +to O +victims O +, O +we O +began O +tracking O +TRITON S-MAL +/ O +TRISIS S-MAL +and O +immediate O +enabling O +activity O +as O +a O +distinct O +activity O +group O +( O +collection O +of O +behaviors O +, O +infrastructure O +, O +and O +victimology O +) O +designated O +XENOTIME S-APT +. O + +Based O +on O +information O +gained O +from O +discussion O +with O +the O +initial O +TRITON S-MAL +/ O +TRISIS S-MAL +responders O +and O +subsequent O +work O +on O +follow-on O +activity O +by O +this O +entity O +, O +Dragos S-SECTEAM +developed O +a O +comprehensive O +( O +public O +) O +picture O +of O +adversary O +activity O +roughly O +matching O +FireEye S-SECTEAM +’s O +analysis O +published O +in O +April B-TIME +2019 E-TIME +, O +described O +in O +various O +media O +. O + +At O +this O +stage O +, O +we O +have O +two O +similar O +, O +parallel O +constructions O +of O +events O +– O +the O +how O +behind O +the O +immediate O +deployment O +and O +execution O +of O +TRITON S-MAL +/ O +TRISIS S-MAL +– O +yet O +dramatically O +different O +responses O +in O +terms O +of O +attribution O +and O +labeling O +. 
O + +Since O +late B-TIME +2018 E-TIME +, O +based O +upon O +the O +most-recent O +posting O +, O +FireEye S-SECTEAM +appears O +to O +have O +“ O +walked O +back O +” O +the O +previously-used O +terminology O +of O +TEMP.Veles S-APT +and O +instead O +refers O +rather O +cryptically O +to O +the O +“ O +TRITON S-MAL +actor O +” O +, O +while O +Dragos S-SECTEAM +leveraged O +identified O +behaviors O +to O +consistently O +refer O +to O +an O +activity O +group O +, O +XENOTIME S-APT +. O + +Given O +that O +both O +organizations O +appear O +to O +describe O +similar O +( O +if O +not O +identical O +) O +activity O +, O +any O +reasonable O +person O +could O +( O +and O +should O +) O +ask O +– O +why O +the O +inconsistency O +in O +naming O +and O +identification O +. O + +Aside O +from O +the O +competitive O +vendor O +naming O +landscape O +( O +which O +I O +am O +not O +a O +fan O +of O +in O +cases O +on O +direct O +overlap O +, O +but O +which O +has O +more O +to O +say O +for O +itself O +when O +different O +methodologies O +are O +employed O +around O +similar O +observations O +) O +, O +the O +distinction O +between O +FireEye S-SECTEAM +and O +Dragos S-SECTEAM +’ O +approaches O +with O +respect O +to O +the O +“ O +TRITON S-MAL +actor O +” O +comes O +down O +to O +fundamental O +philosophical O +differences O +in O +methodology O +. O + +As O +wonderfully O +described O +in O +a O +recent O +public O +posting O +, O +FireEye S-SECTEAM +adheres O +to O +a O +naming O +convention O +based O +upon O +extensive O +data O +collection O +and O +activity O +comparison O +, O +designed O +to O +yield O +the O +identification O +of O +a O +discrete O +, O +identifiable O +entity O +responsible O +for O +a O +given O +collection O +of O +activity O +. 
O + +This O +technique O +is O +precise O +and O +praiseworthy O +– O +yet O +at O +the O +same O +time O +, O +appears O +so O +rigorous O +as O +to O +impose O +limitations O +on O +the O +ability O +to O +dynamically O +adjust O +and O +adapt O +to O +emerging O +adversary O +activity O +. O +( O +Or O +for O +that O +matter O +, O +even O +categorize O +otherwise O +well-known O +historical O +actors O +operating O +to O +the O +present O +day O +, O +such O +as O +Turla S-APT +. O +) O +FireEye S-SECTEAM +’s O +methodology O +may O +have O +particular O +limitations O +in O +instances O +where O +adversaries O +( O +such O +as O +XENOTIME S-APT +and O +presumably O +TEMP.Veles S-APT +) O +rely O +upon O +extensive O +use O +of O +publicly-available O +, O +commonly-used O +tools O +with O +limited O +amounts O +of O +customization O +. O + +In O +such O +cases O +, O +utilizing O +purely O +technical O +approaches O +for O +differentiation O +( O +an O +issue O +I O +lightly O +touched O +on O +in O +a O +recent O +post O +) O +becomes O +problematic O +, O +especially O +when O +trying O +to O +define O +attribution O +to O +specific O +, O +“ O +who-based O +” O +entities O +( O +such O +as O +a O +Russian O +research O +institute O +) O +. O + +My O +understanding O +is O +FireEye S-SECTEAM +labels O +entities O +where O +definitive O +attribution O +is O +not O +yet O +possible O +with O +the O +“ O +TEMP O +” O +moniker O +( O +hence O +, O +TEMP.Veles S-APT +) O +– O +yet O +in O +this O +case O +FireEye S-SECTEAM +developed O +and O +deployed O +the O +label O +, O +then O +appeared O +to O +move O +away O +from O +it O +in O +subsequent O +reporting O +. 
O + +Based O +on O +the O +public O +blog O +post O +– O +which O +also O +indicated O +that O +FireEye S-SECTEAM +is O +responding O +to O +an O +intrusion O +at O +a O +second O +facility O +featuring O +the O +same O +or O +similar O +observations O +– O +this O +is O +presumably O +not O +for O +lack O +of O +evidence O +, O +yet O +the O +“ O +downgrade O +” O +occurs O +all O +the O +same O +. O + +In O +comparison O +, O +XENOTIME S-APT +was O +defined O +based O +on O +principles O +of O +infrastructure O +( O +compromised O +third-party O +infrastructure O +and O +various O +networks O +associated O +with O +several O +Russian O +research O +institutions O +) O +, O +capabilities O +( O +publicly- O +and O +commercially-available O +tools O +with O +varying O +levels O +of O +customization O +) O +and O +targeting O +( O +an O +issue O +not O +meant O +for O +discussion O +in O +this O +blog O +) O +. O + +In O +personally O +responding O +to O +several O +incidents O +across O +multiple O +industry O +sectors O +since O +early B-TIME +2018 E-TIME +matching O +TTPs O +from O +the O +TRITON S-MAL +/ O +TRISIS S-MAL +event O +, O +these O +items O +proved O +consistent O +and O +supported O +the O +creation O +of O +the O +XENOTIME S-APT +activity O +group O +. O + +This O +naming O +decision O +was O +founded O +upon O +the O +underlying O +methodology O +described O +in O +the O +Diamond B-TOOL +Model E-TOOL +of O +intrusion O +analysis O +. O + +As O +such O +, O +this O +decision O +does O +not O +necessarily O +refer O +to O +a O +specific O +institution O +, O +but O +rather O +a O +collection O +of O +observations O +and O +behaviors O +observed O +across O +multiple O +, O +similarly-situated O +victims O +. 
O + +Of O +note O +, O +this O +methodology O +of O +naming O +abstracts O +away O +the O +“ O +who O +” O +element O +– O +XENOTIME S-APT +may O +represent O +a O +single O +discrete O +entity O +( O +such O +as O +a O +Russian O +research O +institution O +) O +or O +several O +entities O +working O +in O +coordination O +in O +a O +roughly O +repeatable O +, O +similar O +manner O +across O +multiple O +events O +. O + +Ultimately O +, O +the O +epistemic O +foundation O +of O +the O +behavior-based O +naming O +approach O +makes O +this O +irrelevant O +for O +tracking O +( O +and O +labeling O +for O +convenience O +sake O +) O +observations O +. O + +Much O +like O +the O +observers O +watching O +the O +shadows O +of O +objects O +cast O +upon O +the O +wall O +of O +the O +cave O +, O +these O +two O +definitions O +( O +XENOTIME S-APT +and O +TEMP.Veles S-APT +, O +both O +presumably O +referring O +to O +“ O +the O +TRITON S-MAL +actor O +” O +) O +describe O +the O +same O +phenomena O +, O +yet O +at O +the O +same O +time O +appear O +different O +. 
O + +This O +question O +of O +perception O +and O +accuracy O +rests O +upon O +the O +underlying O +epistemic O +framework O +and O +the O +goal O +conceived O +for O +that O +framework O +in O +defining O +an O +adversary O +: O +FireEye S-SECTEAM +’s O +methodology O +follows O +a O +deductive O +approach O +requiring O +the O +collection O +of O +significant O +evidence O +over O +time O +to O +yield O +a O +conclusion O +that O +will O +be O +necessary O +given O +the O +premises O +( O +the O +totality O +of O +evidence O +suggests O +APTxx O +) O +; O +the O +Dragos S-SECTEAM +approach O +instead O +seeks O +an O +inductive O +approach O +, O +where O +premises O +may O +all O +be O +true O +but O +the O +conclusion O +need O +not O +necessarily O +follow O +from O +them O +given O +changes O +in O +premises O +over O +time O +or O +other O +observations O +not O +contained O +within O +the O +set O +( O +thus O +, O +identified O +behaviors O +strongly O +suggests O +an O +activity O +group O +, O +defined O +as O +X O +) O +. O + +From O +an O +external O +analysts O +’ O +point O +of O +view O +, O +the O +wonder O +is O +, O +which O +is O +superior O +to O +the O +other O +. O + +And O +my O +answer O +for O +this O +is O +: O +neither O +is O +perfect O +, O +but O +both O +are O +useful O +– O +depending O +upon O +your O +goals O +and O +objectives O +. O + +But O +rather O +than O +trying O +to O +pursue O +some O +comparison O +between O +the O +two O +for O +identification O +of O +superiority O +( O +an O +approach O +that O +will O +result O +in O +unproductive O +argument O +and O +social O +media O +warring O +) O +, O +the O +point O +of O +this O +post O +is O +to O +highlight O +the O +distinctions O +between O +these O +approaches O +and O +how O +– O +in O +the O +case O +of O +“ O +the O +TRITON S-MAL +actor O +” O +– O +they O +result O +in O +noticeably O +different O +conclusions O +from O +similar O +datasets O +. 
O + +One O +reason O +for O +the O +distinction O +may O +be O +differences O +in O +evidence O +, O +as O +FireEye S-SECTEAM +’s O +public O +reporting O +notes O +two O +distinct O +events O +of O +which O +they O +are O +aware O +of O +and O +have O +responded O +to O +related O +to O +“ O +the O +TRITON S-MAL +actor O +” O +while O +Dragos S-SECTEAM +has O +been O +engaged O +several O +instances O +– O +thus O +, O +Dragos S-SECTEAM +would O +possess O +more O +evidence O +to O +cement O +the O +definition O +of O +an O +activity O +group O +, O +while O +FireEye S-SECTEAM +’s O +data O +collection-centric O +approach O +would O +require O +far O +more O +observations O +to O +yield O +an O +“ O +APT O +” O +. O + +Yet O +irrespective O +of O +this O +, O +it O +is O +confusing O +why O +the O +previously-declared O +“ O +TEMP O +” O +category O +was O +walked O +back O +as O +this O +has O +led O +to O +not O +small O +amount O +of O +confusion O +– O +in O +both O +technical O +and O +non-technical O +audiences O +– O +as O +to O +just O +what O +FireEye S-SECTEAM +’s O +blog O +post O +refers O +. O + +Thus O +respected O +journalists O +( O +at O +least O +by O +me O +) O +conflate O +the O +“ O +TRITON S-MAL +actor O +is O +active O +at O +another O +site O +” O +with O +“ O +TRITON S-MAL +malware O +was O +identified O +at O +another O +site O +” O +. O + +In O +this O +case O +, O +we O +’re O +seeing O +a O +definite O +problem O +with O +the O +overly-conservative O +naming O +approach O +used O +as O +it O +engenders O +confusion O +in O +a O +significant O +subset O +of O +the O +intended O +audience O +. O + +While O +some O +may O +dismiss O +adversary O +or O +activity O +naming O +as O +so O +much O +marketing O +, O +having O +a O +distinct O +label O +for O +something O +allows O +for O +clearer O +communication O +and O +more O +accurate O +discussion O +. 
O + +Furthermore O +, O +conflating O +adversaries O +with O +tools O +, O +since O +tools O +can O +be O +repurposed O +or O +used O +by O +other O +entities O +than O +those O +first O +observed O +deploying O +them O +, O +leads O +to O +further O +potential O +confusion O +as O +the O +“ O +X O +actor O +” O +is O +quickly O +compressed O +in O +the O +minds O +of O +some O +to O +refer O +to O +any O +and O +all O +instantiations O +of O +tool O +“ O +X O +” O +. O + +Overall O +, O +the O +discussion O +above O +may O +appear O +so O +much O +splitting O +of O +hairs O +or O +determining O +how O +many O +angels O +can O +dance O +on O +the O +head O +of O +a O +pin O +– O +yet O +given O +the O +communicative O +impacts O +behind O +different O +naming O +and O +labeling O +conventions O +, O +this O +exploration O +seems O +not O +merely O +useful O +but O +necessary O +. O + +Understanding O +the O +“ O +how O +” O +and O +“ O +why O +” O +behind O +different O +entity O +classifications O +of O +similar O +( O +or O +even O +the O +same O +) O +activity O +allows O +us O +to O +move O +beyond O +the O +dismissive O +approach O +of O +“ O +everyone O +has O +their O +names O +for O +marketing O +purposes O +” O +to O +a O +more O +productive O +mindset O +that O +grasps O +the O +fundamental O +methodologies O +that O +( O +should O +) O +drive O +these O +decisions O +. O + + +TRITON S-MAL +Attribution O +: O +Russian O +Government-Owned O +Lab O +Most O +Likely O +Built O +Custom O +Intrusion O +Tools O +for O +TRITON S-MAL +Attackers O +. O + +In O +a O +previous O +blog O +post O +we O +detailed O +the O +TRITON S-MAL +intrusion O +that O +impacted O +industrial B-TOOL +control I-TOOL +systems E-TOOL +( O +ICS S-TOOL +) O +at O +a O +critical O +infrastructure O +facility O +. O + +We O +now O +track O +this O +activity O +set O +as O +TEMP.Veles S-APT +. 
O + +In O +this O +blog O +post O +we O +provide O +additional O +information O +linking O +TEMP.Veles S-APT +and O +their O +activity O +surrounding O +the O +TRITON S-MAL +intrusion O +to O +a O +Russian O +government-owned O +research O +institute O +. O + +FireEye S-SECTEAM +Intelligence O +assesses O +with O +high O +confidence O +that O +intrusion O +activity O +that O +led O +to O +deployment O +of O +TRITON S-MAL +was O +supported O +by O +the O +Central B-IDTY +Scientific I-IDTY +Research I-IDTY +Institute I-IDTY +of I-IDTY +Chemistry I-IDTY +and I-IDTY +Mechanics E-IDTY +( O +CNIIHM S-IDTY +; O +a.k.a. O +ЦНИИХМ S-IDTY +) O +, O +a O +Russian O +government-owned O +technical O +research O +institution O +located O +in O +Moscow S-LOC +. O + +The O +following O +factors O +supporting O +this O +assessment O +are O +further O +detailed O +in O +this O +post O +. O + +We O +present O +as O +much O +public O +information O +as O +possible O +to O +support O +this O +assessment O +, O +but O +withheld O +sensitive O +information O +that O +further O +contributes O +to O +our O +high O +confidence O +assessment O +. O + +FireEye S-SECTEAM +uncovered O +malware O +development O +activity O +that O +is O +very O +likely O +supporting O +TEMP.Veles S-APT +activity O +. O + +This O +includes O +testing O +multiple O +versions O +of O +malicious O +software O +, O +some O +of O +which O +were O +used O +by O +TEMP.Veles S-APT +during O +the O +TRITON S-MAL +intrusion O +. O + +Investigation O +of O +this O +testing O +activity O +reveals O +multiple O +independent O +ties O +to O +Russia S-LOC +, O +CNIIHM S-IDTY +, O +and O +a O +specific O +person O +in O +Moscow S-LOC +. O + +This O +person O +’s O +online O +activity O +shows O +significant O +links O +to O +CNIIHM S-IDTY +. 
O + +An O +IP O +address O +registered O +to O +CNIIHM S-IDTY +has O +been O +employed O +by O +TEMP.Veles S-APT +for O +multiple O +purposes O +, O +including O +monitoring O +open-source O +coverage O +of O +TRITON S-MAL +, O +network O +reconnaissance O +, O +and O +malicious O +activity O +in O +support O +of O +the O +TRITON S-MAL +intrusion O +. O + +Behavior O +patterns O +observed O +in O +TEMP.Veles S-APT +activity O +are O +consistent O +with O +the O +Moscow S-LOC +time O +zone O +, O +where O +CNIIHM S-IDTY +is O +located O +. O + +We O +judge O +that O +CNIIHM S-IDTY +likely O +possesses O +the O +necessary O +institutional O +knowledge O +and O +personnel O +to O +assist O +in O +the O +orchestration O +and O +development O +of O +TRITON S-MAL +and O +TEMP.Veles S-APT +operations O +. O + +While O +we O +cannot O +rule O +out O +the O +possibility O +that O +one O +or O +more O +CNIIHM S-IDTY +employees O +could O +have O +conducted O +TEMP.Veles S-APT +activity O +without O +their O +employer O +’s O +approval O +, O +the O +details O +shared O +in O +this O +post O +demonstrate O +that O +this O +explanation O +is O +less O +plausible O +than O +TEMP.Veles S-APT +operating O +with O +the O +support O +of O +the O +institute O +. O + +During O +our O +investigation O +of O +TEMP.Veles S-APT +activity O +, O +we O +found O +multiple O +unique O +tools O +that O +the O +group O +deployed O +in O +the O +target O +environment O +. O + +Some O +of O +these O +same O +tools O +, O +identified O +by O +hash O +, O +were O +evaluated O +in O +a O +malware O +testing O +environment O +by O +a O +single O +user O +. O + +Malware O +Testing O +Environment O +Tied O +to O +TEMP.Veles S-APT +. O + +We O +identified O +a O +malware O +testing O +environment O +that O +we O +assess O +with O +high O +confidence O +was O +used O +to O +refine O +some O +TEMP.Veles S-APT +tools O +. 
O + +At O +times O +, O +the O +use O +of O +this O +malware O +testing O +environment O +correlates O +to O +in-network O +activities O +of O +TEMP.Veles S-APT +, O +demonstrating O +direct O +operational O +support O +for O +intrusion O +activity O +. O + +Four O +files O +tested O +in O +2014 S-TIME +are O +based O +on O +the O +open-source O +project O +, O +cryptcat O +. O + +Analysis O +of O +these O +cryptcat O +binaries O +indicates O +that O +the O +actor O +continually O +modified O +them O +to O +decrease O +AV O +detection O +rates O +. O + +One O +of O +these O +files O +was O +deployed O +in O +a O +TEMP.Veles S-APT +target O +’s O +network O +. O + +The O +compiled O +version O +with O +the O +least O +detections O +was O +later O +re-tested O +in O +2017 S-TIME +and O +deployed O +less O +than O +a O +week O +later O +during O +TEMP.Veles S-APT +activities O +in O +the O +target O +environment O +. O + +TEMP.Veles S-APT +’ O +lateral O +movement O +activities O +used O +a O +publicly-available O +PowerShell S-TOOL +based O +tool O +, O +WMImplant S-TOOL +. O + +On O +multiple O +dates O +in O +2017 S-TIME +, O +TEMP.Veles S-APT +struggled O +to O +execute O +this O +utility O +on O +multiple O +victim O +systems O +, O +potentially O +due O +to O +AV O +detection O +. O + +Soon O +after O +, O +the O +customized O +utility O +was O +again O +evaluated O +in O +the O +malware O +testing O +environment O +. O + +The O +following O +day O +, O +TEMP.Veles S-APT +again O +tried O +the O +utility O +on O +a O +compromised O +system O +. O + +The O +user O +has O +been O +active O +in O +the O +malware O +testing O +environment O +since O +at O +least O +2013 S-TIME +, O +testing O +customized O +versions O +of O +multiple O +open-source O +frameworks O +, O +including O +Metasploit S-TOOL +, O +Cobalt B-TOOL +Strike E-TOOL +, O +PowerSploit S-TOOL +, O +and O +other O +projects O +. 
O + +The O +user O +’s O +development O +patterns O +appear O +to O +pay O +particular O +attention O +to O +AV O +evasion O +and O +alternative O +code O +execution O +techniques O +. O + +Custom O +payloads O +utilized O +by O +TEMP.Veles S-APT +in O +investigations O +conducted O +by O +Mandiant S-SECTEAM +are O +typically O +weaponized O +versions O +of O +legitimate O +open-source O +software O +, O +retrofitted O +with O +code O +used O +for O +command O +and O +control O +. O + +Testing O +, O +Malware O +Artifacts O +, O +and O +Malicious O +Activity O +Suggests O +Tie O +to O +CNIIHM S-IDTY +. O + +Multiple O +factors O +suggest O +that O +this O +activity O +is O +Russian O +in O +origin O +and O +associated O +with O +CNIIHM S-IDTY +. O + +A O +PDB S-TOOL +path O +contained O +in O +a O +tested O +file O +contained O +a O +string O +that O +appears O +to O +be O +a O +unique O +handle O +or O +user O +name O +. O + +This O +moniker O +is O +linked O +to O +a O +Russia S-LOC +based O +person O +active O +in O +Russian O +information O +security O +communities O +since O +at O +least O +2011 S-TIME +. O + +The O +handle O +has O +been O +credited O +with O +vulnerability O +research O +contributions O +to O +the O +Russian O +version O +of O +Hacker O +Magazine O +( O +хакер O +) O +. O + +According O +to O +a O +now-defunct O +social O +media O +profile O +, O +the O +same O +individual O +was O +a O +professor O +at O +CNIIHM S-IDTY +, O +which O +is O +located O +near O +Nagatinskaya B-LOC +Street E-LOC +in O +the O +Nagatino-Sadovniki S-LOC +district O +of O +Moscow S-LOC +. O + +Another O +profile O +using O +the O +handle O +on O +a O +Russian O +social O +network O +currently O +shows O +multiple O +photos O +of O +the O +user O +in O +proximity O +to O +Moscow S-LOC +for O +the O +entire O +history O +of O +the O +profile O +. 
O + +Suspected O +TEMP.Veles S-APT +incidents O +include O +malicious O +activity O +originating O +from O +87.245.143.140 S-IP +, O +which O +is O +registered O +to O +CNIIHM S-IDTY +. O + +This O +IP O +address O +has O +been O +used O +to O +monitor O +open-source O +coverage O +of O +TRITON S-MAL +, O +heightening O +the O +probability O +of O +an O +interest O +by O +unknown O +subjects O +, O +originating O +from O +this O +network O +, O +in O +TEMP.Veles S-APT +related O +activities O +. O + +It O +also O +has O +engaged O +in O +network O +reconnaissance O +against O +targets O +of O +interest O +to O +TEMP.Veles S-APT +. O + +The O +IP O +address O +has O +been O +tied O +to O +additional O +malicious O +activity O +in O +support O +of O +the O +TRITON S-MAL +intrusion O +. O + +Multiple O +files O +have O +Cyrillic O +names O +and O +artifacts O +. O + +Adversary O +behavioral O +artifacts O +further O +suggest O +the O +TEMP.Veles S-APT +operators O +are O +based O +in O +Moscow S-LOC +, O +lending O +some O +further O +support O +to O +the O +scenario O +that O +CNIIHM S-IDTY +, O +a O +Russian O +research O +organization O +in O +Moscow S-LOC +, O +has O +been O +involved O +in O +TEMP.Veles S-APT +activity O +. O + +We O +identified O +file O +creation O +times O +for O +numerous O +files O +that O +TEMP.Veles O +created O +during O +lateral O +movement O +on O +a O +target O +’s O +network O +. O + +These O +file O +creation O +times O +conform O +to O +a O +work O +schedule O +typical O +of O +an O +actor O +operating O +within O +a O +UTC+3 O +time O +zone O +supporting O +a O +proximity O +to O +Moscow S-LOC +. O + +Additional O +language O +artifacts O +recovered O +from O +TEMP.Veles S-APT +toolsets O +are O +also O +consistent O +with O +such O +a O +regional O +nexus O +. 
O + +A O +ZIP S-TOOL +archive O +recovered O +during O +our O +investigations O +, O +schtasks.zip S-FILE +, O +contained O +an O +installer O +and O +uninstaller O +of O +CATRUNNER S-MAL +that O +includes O +two O +versions O +of O +an O +XML S-TOOL +scheduled O +task O +definitions O +for O +a O +masquerading O +service O +‘ O +ProgramDataUpdater S-TOOL +. O +’ O +The O +malicious O +installation O +version O +has O +a O +task O +name O +and O +description O +in O +English O +, O +and O +the O +clean O +uninstall O +version O +has O +a O +task O +name O +and O +description O +in O +Cyrillic O +. O + +The O +timeline O +of O +modification O +dates O +within O +the O +ZIP S-TOOL +also O +suggest O +the O +actor O +changed O +the O +Russian O +version O +to O +English O +in O +sequential O +order O +, O +heightening O +the O +possibility O +of O +a O +deliberate O +effort O +to O +mask O +its O +origins O +. O + +While O +we O +know O +that O +TEMP.Veles S-APT +deployed O +the O +TRITON S-MAL +attack O +framework O +, O +we O +do O +not O +have O +specific O +evidence O +to O +prove O +that O +CNIIHM S-IDTY +did O +( O +or O +did O +not O +) O +develop O +the O +tool O +. O + +We O +infer O +that O +CNIIHM S-IDTY +likely O +maintains O +the O +institutional O +expertise O +needed O +to O +develop O +and O +prototype O +TRITON S-MAL +based O +on O +the O +institute O +’s O +self-described O +mission O +and O +other O +public O +information O +. O + +CNIIHM S-IDTY +has O +at O +least O +two O +research O +divisions O +that O +are O +experienced O +in O +critical O +infrastructure O +, O +enterprise O +safety O +, O +and O +the O +development O +of O +weapons/military O +equipment O +: O + +The B-IDTY +Center I-IDTY +for I-IDTY +Applied I-IDTY +Research E-IDTY +creates O +means O +and O +methods O +for O +protecting O +critical O +infrastructure O +from O +destructive O +information O +and O +technological O +impacts O +. 
O + +The B-IDTY +Center I-IDTY +for I-IDTY +Experimental I-IDTY +Mechanical I-IDTY +Engineering E-IDTY +develops O +weapons O +as O +well O +as O +military O +and O +special O +equipment O +. O + +It O +also O +researches O +methods O +for O +enabling O +enterprise O +safety O +in O +emergency O +situations O +. O + +CNIIHM S-IDTY +officially O +collaborates O +with O +other O +national O +technology O +and O +development O +organizations O +, O +including O +: O + +The O +Moscow S-LOC +Institute O +of O +Physics B-IDTY +and I-IDTY +Technology E-IDTY +( O +PsyTech S-IDTY +) O +, O +which O +specializes O +in O +applied O +physics O +, O +computing O +science O +, O +chemistry O +, O +and O +biology O +. O + +The B-IDTY +Association I-IDTY +of I-IDTY +State I-IDTY +Scientific I-IDTY +Centers E-IDTY +“ O +Nauka S-IDTY +, O +” O +which O +coordinates O +43 O +Scientific B-IDTY +Centers E-IDTY +of O +the O +Russian B-IDTY +Federation E-IDTY +( O +SSC S-IDTY +RF S-IDTY +) O +. O + +Some O +of O +its O +main O +areas O +of O +interest O +include O +nuclear O +physics O +, O +computer O +science O +and O +instrumentation O +, O +robotics O +and O +engineering O +, O +and O +electrical O +engineering O +, O +among O +others O +. O + +The O +Federal B-IDTY +Service I-IDTY +for I-IDTY +Technical I-IDTY +and I-IDTY +Export I-IDTY +Control E-IDTY +( O +FTEC S-IDTY +) O +which O +is O +responsible O +for O +export O +control O +, O +intellectual O +property O +, O +and O +protecting O +confidential O +information O +. O + +The O +Russian B-IDTY +Academy I-IDTY +of I-IDTY +Missile I-IDTY +and I-IDTY +Artillery I-IDTY +Sciences E-IDTY +( O +PAPAH S-IDTY +) O +which O +specializes O +in O +research O +and O +development O +for O +strengthening O +Russia S-LOC +’s O +defense O +industrial O +complex O +. 
O + +Information O +from O +a O +Russian O +recruitment O +website O +, O +linked O +to O +CNIIHM S-IDTY +’s O +official O +domain O +, O +indicates O +that O +CNIIHM S-IDTY +is O +also O +dedicated O +to O +the O +development O +of O +intelligent O +systems O +for O +computer-aided O +design O +and O +control O +, O +and O +the O +creation O +of O +new O +information O +technologies O +. O + +Some O +possibility O +remains O +that O +one O +or O +more O +CNIIHM S-IDTY +employees O +could O +have O +conducted O +the O +activity O +linking O +TEMP.Veles S-APT +to O +CNIIHM S-IDTY +without O +their O +employer O +’s O +approval O +. O + +However O +, O +this O +scenario O +is O +highly O +unlikely O +. O + +In O +this O +scenario O +, O +one O +or O +more O +persons O +– O +likely O +including O +at O +least O +one O +CNIIHM S-IDTY +employee O +, O +based O +on O +the O +moniker O +discussed O +above O +– O +would O +have O +had O +to O +conduct O +extensive O +, O +high-risk O +malware O +development O +and O +intrusion O +activity O +from O +CNIIHM S-IDTY +’s O +address O +space O +without O +CNIIHM S-IDTY +’s O +knowledge O +and O +approval O +over O +multiple O +years O +. O + +CNIIHM S-IDTY +’s O +characteristics O +are O +consistent O +with O +what O +we O +might O +expect O +of O +an O +organization O +responsible O +for O +TEMP.Veles S-APT +activity O +. O + +TRITON S-MAL +is O +a O +highly O +specialized O +framework O +whose O +development O +would O +be O +within O +the O +capability O +of O +a O +low O +percentage O +of O +intrusion O +operators O +. O + + +Xenotime S-APT +. O + +Release_Time O +: O +unknown O + +Report_URL O +: O +https://dragos.com/resource/xenotime/ O + +XENOTIME S-APT +is O +easily O +the O +most O +dangerous O +threat O +activity O +publicly O +known O +. 
O + +It O +is O +the O +only O +activity O +group O +intentionally O +compromising O +and O +disrupting O +industrial O +safety O +instrumented O +systems O +, O +which O +can O +lead O +to O +scenarios O +involving O +loss O +of O +life O +and O +environmental O +damage O +. O + +Dragos S-SECTEAM +identified O +several O +compromises O +of O +ICS S-TOOL +vendors O +and O +manufacturers O +in O +2018 S-TIME +by O +activity O +associated O +with O +XENOTIME S-APT +, O +providing O +potential O +supply O +chain O +threat O +opportunities O +and O +vendor-enabled O +access O +to O +asset O +owner O +and O +operator O +ICS S-TOOL +networks O +. O + +XENOTIME S-APT +rose O +to O +prominence O +in O +December B-TIME +2017 E-TIME +when O +Dragos S-SECTEAM +and O +FireEye S-SECTEAM +jointly O +published O +details O +of O +TRISIS S-MAL +destructive O +malware O +targeting O +Schneider B-IDTY +Electric E-IDTY +’s O +Triconex S-TOOL +safety O +instrumented O +system O +. O + +The O +multi-step O +malware O +framework O +caused O +industrial O +systems O +in O +a O +Middle O +Eastern O +industrial O +facility O +to O +shut O +down O +. O + +The O +incident O +represented O +a O +shift O +in O +the O +capabilities O +and O +consequences O +of O +ICS S-TOOL +malware O +. O + +TRISIS S-MAL +was O +an O +escalation O +of O +the O +type O +of O +attacks O +historically O +targeting O +ICS S-TOOL +systems O +. O + +Targeting O +a O +safety O +system O +indicates O +significant O +damage O +and O +loss O +of O +human O +life O +were O +either O +intentional O +or O +acceptable O +goals O +of O +the O +attack O +, O +a O +consequence O +not O +seen O +in O +previous O +disruptive O +attacks O +such O +as O +the O +2016 S-TIME +CRASHOVERRIDE S-MAL +malware O +that O +caused O +a O +power O +loss O +in O +Ukraine S-LOC +. 
O + +Note O +: O +Industrial O +safety O +instrumented O +systems O +comprise O +part O +of O +a O +multi-layer O +engineered O +process O +control O +framework O +to O +protect O +life O +and O +environment O +. O + +Industrial O +safety O +systems O +are O +highly O +redundant O +and O +separate O +controls O +which O +override O +and O +manage O +industrial O +processes O +if O +they O +approach O +unsafe O +conditions O +such O +as O +over-pressurization O +, O +overspeed O +, O +or O +over-heating O +. O + +They O +enable O +engineers O +and O +operators O +to O +safely O +control O +and O +possibly O +shutdown O +processes O +before O +a O +major O +incident O +occurs O +. O + +They O +’re O +a O +critical O +component O +of O +many O +dangerous O +industrial O +environments O +such O +as O +electric O +power O +generation O +and O +oil O +and O +gas O +processing O +. O + +XENOTIME S-APT +configured O +TRISIS S-MAL +based O +on O +the O +specifics O +and O +functions O +of O +the O +Triconex S-TOOL +system O +within O +the O +industrial B-TOOL +control E-TOOL +( O +ICS S-TOOL +) O +environment O +. O + +XENOTIME S-APT +used O +credential O +capture O +and O +replay O +to O +move O +between O +networks O +, O +Windows S-OS +commands O +, O +standard O +command-line O +tools O +such O +as O +PSExec S-TOOL +, O +and O +proprietary O +tools O +for O +operations O +on O +victim O +hosts O +. O +( O +Full O +reports O +detailing O +XENOTIME S-APT +’s O +tool O +techniques O +, O +and O +procedures O +are O +available O +to O +Dragos S-SECTEAM +WorldView S-TOOL +customers O +. O +) O +Because O +the O +TRISIS S-MAL +malware O +framework O +was O +highly O +tailored O +, O +it O +would O +have O +required O +specific O +knowledge O +of O +the O +Triconex S-TOOL +’s O +infrastructure O +and O +processes O +within O +a O +specific O +plant O +. 
O + +This O +means O +it O +’s O +not O +easy O +to O +scale—however O +, O +the O +malware O +provides O +a O +blueprint O +of O +how O +to O +target O +safety O +instrumented O +systems O +. O + +This O +tradecraft O +is O +thus O +scalable O +and O +available O +to O +others O +even O +if O +the O +malware O +itself O +changes O +. O + +Dragos S-SECTEAM +’ O +data O +indicates O +XENOTIME S-APT +remains O +active O +. O + +Furthermore O +, O +Dragos S-SECTEAM +’ O +analysis O +of O +the O +TRISIS S-MAL +event O +continues O +as O +we O +recover O +additional O +data O +surrounding O +the O +incident O +. O + +Dragos S-SECTEAM +assesses O +with O +moderate O +confidence O +that O +XENOTIME S-APT +intends O +to O +establish O +required O +access O +and O +capability O +to O +cause O +a O +potential O +, O +future O +disruptive—or O +even O +destructive—event O +. O + +Compromising O +safety O +systems O +provides O +little O +value O +outside O +of O +disrupting O +operations O +. O + +The O +group O +created O +a O +custom O +malware O +framework O +and O +tailormade O +credential O +gathering O +tools O +, O +but O +an O +apparent O +misconfiguration O +prevented O +the O +attack O +from O +executing O +properly O +. O + +As O +XENOTIME S-APT +matures O +, O +it O +is O +less O +likely O +that O +the O +group O +will O +make O +this O +mistake O +in O +the O +future O +. O + +XENOTIME S-APT +operates O +globally O +, O +impacting O +regions O +far O +outside O +of O +the O +Middle B-LOC +East E-LOC +, O +their O +initial O +target O +. O + +Intelligence O +suggests O +the O +group O +has O +been O +active O +since O +at O +least O +2014 S-TIME +and O +is O +presently O +operating O +in O +multiple O +facilities O +targeting O +safety O +systems O +beyond O +Triconex S-TOOL +. O + +This O +group O +has O +no O +known O +associations O +to O +other O +activity O +groups O +. 
O + +Dragos S-SECTEAM +threat O +intelligence O +leverages O +the O +Dragos S-SECTEAM +Platform O +, O +our O +threat O +operations O +center O +, O +and O +other O +sources O +to O +provide O +comprehensive O +insight O +into O +threats O +affecting O +industrial O +control O +security O +and O +safety O +worldwide O +. O + +Dragos S-SECTEAM +does O +not O +corroborate O +nor O +conduct O +political O +attribution O +to O +threat O +activity O +. O + +Dragos S-SECTEAM +instead O +focuses O +on O +threat O +behaviors O +and O +appropriate O +detection O +and O +response O +. O + +Read O +more O +about O +Dragos S-SECTEAM +’ O +approach O +to O +categorizing O +threat O +activity O +and O +attribution O +. O + +Dragos S-SECTEAM +does O +not O +publicly O +describe O +ICS S-TOOL +activity O +group O +technical O +details O +except O +in O +extraordinary O +circumstances O +in O +order O +to O +limit O +tradecraft O +proliferation O +. O + +However O +, O +full O +details O +on O +XENOTIME S-APT +and O +other O +group O +tools O +, O +techniques O +, O +procedures O +, O +and O +infrastructure O +is O +available O +to O +network O +defenders O +via O +Dragos S-SECTEAM +WorldView S-TOOL +. O + + +Threat B-APT +Group I-APT +3390 E-APT +Cyberespionage O +. O + +Dell S-IDTY +SecureWorks B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit E-SECTEAM +(TM O +) O +( O +CTU S-SECTEAM +) O +researchers O +investigated O +activities O +associated O +with O +Threat B-APT +Group-3390 E-APT +( O +TG-3390 O +) O +. O + +Analysis O +of O +TG-3390 S-APT +'s O +operations O +, O +targeting O +, O +and O +tools O +led O +CTU S-SECTEAM +researchers O +to O +assess O +with O +moderate O +confidence O +the O +group O +is O +located O +in O +the O +People's B-IDTY +Republic E-IDTY +of O +China S-LOC +. 
O + +The O +threat O +actors O +target O +a O +wide O +range O +of O +organizations O +: O +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 S-APT +actors O +obtaining O +confidential O +data O +on O +defense O +manufacturing O +projects O +, O +but O +also O +targeting O +other O +industry O +verticals O +and O +attacking O +organizations O +involved O +in O +international O +relations O +. O + +The O +group O +extensively O +uses O +long-running O +strategic O +web O +compromises O +( O +SWCs O +) O +, O +and O +relies O +on O +whitelists O +to O +deliver O +payloads O +to O +select O +victims O +. O + +In O +comparison O +to O +other O +threat O +groups O +, O +TG-3390 S-APT +is O +notable O +for O +its O +tendency O +to O +compromise O +Microsoft S-IDTY +Exchange S-TOOL +servers O +using O +a O +custom O +backdoor O +and O +credential O +logger O +. O + +CTU S-SECTEAM +researchers O +divided O +the O +threat O +intelligence O +about O +TG-3390 S-APT +into O +two O +sections O +: O +strategic O +and O +tactical O +. O + +Strategic O +threat O +intelligence O +includes O +an O +assessment O +of O +the O +ongoing O +threat O +posed O +by O +the O +threat O +group O +. O + +Executives O +can O +use O +this O +assessment O +to O +determine O +how O +to O +reduce O +risk O +to O +their O +organization's O +mission O +and O +critical O +assets O +. O + +Tactical O +threat O +intelligence O +is O +based O +on O +incident O +response O +investigations O +and O +research O +, O +and O +is O +mapped O +to O +the O +kill O +chain O +. O + +Computer O +network O +defenders O +can O +use O +this O +information O +to O +reduce O +the O +time O +and O +effort O +associated O +with O +responding O +to O +TG-3390 S-APT +. O + +CTU S-SECTEAM +researchers O +assess O +with O +moderate O +confidence O +that O +TG-3390 S-APT +is O +based O +in O +the O +People's B-IDTY +Republic E-IDTY +of O +China S-LOC +. 
O + +CTU S-SECTEAM +researchers O +have O +evidence O +that O +the O +threat O +group O +compromised O +U.S. S-LOC +and O +UK S-LOC +organizations O +in O +the O +following O +verticals O +: O +manufacturing O +( O +specifically O +aerospace O +( O +including O +defense O +contractors O +) O +, O +automotive O +, O +technology O +, O +energy O +, O +and O +pharmaceuticals O +) O +, O +education O +, O +and O +legal O +, O +as O +well O +as O +organizations O +focused O +on O +international O +relations O +. O + +Based O +on O +analysis O +of O +the O +group's O +SWCs S-TOOL +, O +TG-3390 S-APT +operations O +likely O +affect O +organizations O +in O +other O +countries O +and O +verticals O +. O + +TG-3390 S-APT +operates O +a O +broad O +and O +long-running O +campaign O +of O +SWCs S-TOOL +and O +has O +compromised O +approximately O +100 O +websites O +as O +of O +this O +publication O +. O + +Through O +an O +IP O +address O +whitelisting O +process O +, O +the O +threat O +group O +selectively O +targets O +visitors O +to O +these O +websites O +. O + +After O +the O +initial O +compromise O +, O +TG-3390 S-APT +delivers O +the O +HttpBrowser B-MAL +backdoor E-MAL +to O +its O +victims O +. O + +The O +threat O +actors O +then O +move O +quickly O +to O +compromise O +Microsoft S-IDTY +Exchange S-TOOL +servers O +and O +to O +gain O +complete O +control O +of O +the O +target O +environment O +. O + +The O +threat O +actors O +are O +adept O +at O +identifying O +key O +data O +stores O +and O +selectively O +exfiltrating O +all O +of O +the O +high-value O +information O +associated O +with O +their O +goal O +. 
O + +CTU S-SECTEAM +researchers O +recommend O +the O +following O +practices O +to O +prevent O +or O +detect O +TG-3390 S-APT +intrusions O +: O + +Search O +web O +log O +files O +for O +evidence O +of O +web O +server O +scanning O +using O +the O +URIs O +listed O +in O +the O +Exploitation O +section O +and O +evidence O +of O +Exfiltration S-ACT +using O +the O +User-Agent S-TOOL +in O +the O +Actions O +on O +objective O +section O +. O + +Require O +two-factor O +authentication O +for O +all O +remote O +access O +solutions O +, O +including O +OWA S-TOOL +. O + +Audit O +ISAPI S-TOOL +filters O +and O +search O +for O +web O +shells O +on O +Microsoft S-IDTY +Exchange S-TOOL +servers O +. O + +CTU S-SECTEAM +researchers O +infer O +intent O +by O +aggregating O +observations O +, O +analyzing O +a O +threat O +group's O +activity O +, O +and O +placing O +the O +information O +in O +a O +wider O +context O +. O + +Like O +many O +threat O +groups O +, O +TG-3390 S-APT +conducts O +strategic B-TOOL +web I-TOOL +compromises E-TOOL +( O +SWCs S-TOOL +) O +, O +also O +known O +as O +watering B-ACT +hole E-ACT +attacks O +, O +on O +websites O +associated O +with O +the O +target O +organization's O +vertical O +or O +demographic O +to O +increase O +the O +likelihood O +of O +finding O +victims O +with O +relevant O +information O +. O + +CTU S-SECTEAM +researchers O +assess O +with O +high O +confidence O +that O +TG-3390 S-APT +uses O +information O +gathered O +from O +prior O +reconnaissance O +activities O +to O +selectively O +compromise O +users O +who O +visit O +websites O +under O +its O +control O +. 
O + +Most O +websites O +compromised O +by O +TG-3390 S-APT +actors O +are O +affiliated O +with O +five O +types O +of O +organizations O +around O +the O +world O +: O + +large O +manufacturing O +companies O +, O +particularly O +those O +supplying O +defense O +organizations O +, O +energy O +companies O +, O +embassies O +in O +Washington S-LOC +, O +DC S-IDTY +representing O +countries O +in O +the O +Middle B-LOC +East E-LOC +, O +Europe S-LOC +, O +and O +Asia S-LOC +, O +likely O +to O +target O +U.S. S-LOC +based O +users O +involved O +in O +international O +relations O +, O +non-governmental O +organizations O +( O +NGOs O +) O +, O +particularly O +those O +focused O +on O +international O +relations O +and O +defense O +, O +government O +organizations O +. O + +Based O +on O +this O +information O +, O +CTU S-SECTEAM +researchers O +assess O +that O +TG-3390 S-APT +aims O +to O +collect O +defense O +technology O +and O +capability O +intelligence O +, O +other O +industrial O +intelligence O +, O +and O +political O +intelligence O +from O +governments O +and O +NGOs O +. O + +To O +assess O +attribution O +, O +CTU S-SECTEAM +researchers O +analyze O +observed O +activity O +, O +third-party O +reporting O +, O +and O +contextual O +intelligence O +. O + +For O +the O +following O +reasons O +, O +CTU S-SECTEAM +researchers O +assess O +with O +moderate O +confidence O +that O +TG-3390 S-APT +has O +a O +Chinese O +nexus O +: O + +The O +SWC S-TOOL +of O +a O +Uyghur O +cultural O +website O +suggests O +intent O +to O +target O +the O +Uyghur O +ethnic O +group O +, O +a O +Muslim O +minority O +group O +primarily O +found O +in O +the O +Xinjiang S-LOC +region O +of O +China S-LOC +. O + +Threat O +groups O +outside O +of O +China S-LOC +are O +unlikely O +to O +target O +the O +Uyghur O +people O +. O + +TG-3390 S-APT +uses O +the O +PlugX S-MAL +remote O +access O +tool O +. 
O + +The O +menus O +for O +PlugX S-MAL +'s O +server-side O +component O +are O +written O +exclusively O +in O +Standard B-TOOL +Chinese E-TOOL +( O +Mandarin S-TOOL +) O +, O +suggesting O +that O +PlugX S-MAL +operators O +are O +familiar O +with O +this O +language O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 S-APT +activity O +between O +04:00 S-TIME +and O +09:00 S-TIME +UTC O +, O +which O +is O +12:00 S-TIME +to O +17:00 S-TIME +local O +time O +in O +China S-LOC +( O +UTC O ++8 O +) O +. O + +The O +timeframe O +maps O +to O +the O +second O +half O +of O +the O +workday O +in O +China S-LOC +. O + +The O +threat O +actors O +have O +used O +the O +Baidu S-TOOL +search O +engine O +, O +which O +is O +only O +available O +in O +Chinese O +, O +to O +conduct O +reconnaissance O +activities O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +threat O +group O +obtaining O +information O +about O +specific O +U.S. S-LOC +defense O +projects O +that O +would O +be O +desirable O +to O +those O +operating O +within O +a O +country O +with O +a O +manufacturing O +base O +, O +an O +interest O +in O +U.S. S-LOC +military O +capability O +, O +or O +both O +. O + +CTU S-SECTEAM +researchers O +recognize O +that O +the O +evidence O +supporting O +this O +attribution O +is O +circumstantial O +. O + +It O +is O +possible O +that O +TG-3390 S-APT +is O +false-flag O +operation O +by O +a O +threat O +group O +outside O +of O +China S-LOC +that O +is O +deliberately O +planting O +indications O +of O +a O +Chinese O +origin O +. O + +TG-3390 S-APT +has O +access O +to O +proprietary O +tools O +, O +some O +of O +which O +are O +used O +exclusively O +by O +TG-3390 S-APT +and O +others O +that O +are O +shared O +among O +a O +few O +Chinese O +threat O +groups O +. O + +The O +complexity O +and O +continual O +development O +of O +these O +tools O +indicates O +a O +mature O +development O +process O +. 
O + +TG-3390 S-APT +can O +quickly O +leverage O +compromised O +network O +infrastructure O +during O +an O +operation O +and O +can O +conduct O +simultaneous O +intrusions O +into O +multiple O +environments O +. O + +This O +ability O +is O +further O +demonstrated O +by O +analysis O +of O +interactions O +between O +TG-3390 S-APT +operators O +and O +a O +target O +environment O +. O + +CTU S-SECTEAM +researchers O +found O +no O +evidence O +of O +multiple O +operators O +working O +simultaneously O +against O +a O +single O +organization O +. O + +This O +efficiency O +of O +operation O +( O +a O +1:1 O +ratio O +of O +operator O +to O +observed O +activity O +) O +suggests O +that O +TG-3390 S-APT +can O +scale O +to O +conduct O +the O +maximum O +number O +of O +simultaneous O +operations O +. O + +These O +characteristics O +suggest O +that O +the O +threat O +group O +is O +well O +resourced O +and O +has O +access O +to O +a O +tools O +development O +team O +and O +a O +team O +focused O +on O +SWCs S-TOOL +. O + +TG-3390 S-APT +'s O +obfuscation O +techniques O +in O +SWCs S-TOOL +complicate O +detection O +of O +malicious O +web O +traffic O +redirects O +. O + +Malware O +used O +by O +the O +threat O +group O +can O +be O +configured O +to O +bypass O +network-based O +detection O +; O +however O +, O +the O +threat O +actors O +rarely O +modify O +host-based O +configuration O +settings O +when O +deploying O +payloads O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +threat O +actors O +installing O +a O +credential O +logger O +and O +backdoor O +on O +Microsoft S-IDTY +Exchange S-TOOL +servers O +, O +which O +requires O +a O +technical O +grasp O +of O +Internet B-TOOL +Information I-TOOL +Services E-TOOL +( O +IIS S-TOOL +) O +. 
O + +TG-3390 S-APT +uses O +older O +exploits O +to O +compromise O +targets O +, O +and O +CTU S-SECTEAM +researchers O +have O +not O +observed O +the O +threat O +actors O +using O +zero-day S-VULNAME +exploits O +as O +of O +this O +publication O +. O + +The O +threat O +actors O +demonstrated O +the O +ability O +to O +adapt O +when O +reentering O +a O +network O +after O +an O +eviction O +, O +overcoming O +technical O +barriers O +constructed O +by O +network O +defenders O +. O + +In O +addition O +to O +using O +SWCs S-TOOL +to O +target O +specific O +types O +of O +organizations O +, O +TG-3390 S-APT +uses O +spearphishing S-ACT +emails S-TOOL +to O +target O +specific O +victims O +. O + +CTU S-SECTEAM +researchers O +assess O +with O +high O +confidence O +that O +the O +threat O +actors O +follow O +an O +established O +playbook O +during O +an O +intrusion O +. O + +They O +quickly O +move O +away O +from O +their O +initial O +access O +vector O +to O +hide O +their O +entry O +point O +and O +then O +target O +Exchange O +servers O +as O +a O +new O +access O +vector O +. O + +As O +of O +this O +publication O +, O +CTU S-SECTEAM +researchers O +have O +not O +discovered O +how O +TG-3390 S-APT +keeps O +track O +of O +the O +details O +associated O +with O +its O +compromised O +assets O +and O +credentials O +. O + +However O +, O +the O +threat O +actors' O +ability O +to O +reuse O +these O +assets O +and O +credentials O +, O +sometimes O +weeks O +or O +months O +after O +the O +initial O +compromise O +, O +indicates O +the O +group O +is O +disciplined O +and O +well O +organized O +. 
O + +After O +gaining O +access O +to O +a O +target O +network O +in O +one O +intrusion O +analyzed O +by O +CTU S-SECTEAM +researchers O +, O +TG-3390 S-APT +actors O +identified O +and O +exfiltrated O +data O +for O +specific O +projects O +run O +by O +the O +target O +organization O +, O +indicating O +that O +they O +successfully O +obtained O +the O +information O +they O +sought O +. O + +TG-3390 S-APT +: O +american.blackcmd.com S-DOM +. O + +TG-3390 S-APT +: O +api.apigmail.com S-DOM +. O + +TG-3390 S-APT +: O +apigmail.com S-DOM +. O + +TG-3390 S-APT +: O +backup.darkhero.org S-DOM +. O + +TG-3390 S-APT +: O +bel.updatawindows.com S-DOM +. O + +TG-3390 S-APT +: O +binary.update-onlines.org S-DOM +. O + +TG-3390 S-APT +: O +blackcmd.com S-DOM +. O + +TG-3390 S-APT +: O +castle.blackcmd.com S-DOM +. O + +TG-3390 S-APT +: O +ctcb.blackcmd.com S-DOM +. O + +TG-3390 S-APT +: O +darkhero.org S-DOM +. O + +TG-3390 S-APT +: O +208.115.242.36 S-IP +. O + +TG-3390 S-APT +: O +208.115.242.37 S-IP +. O + +TG-3390 S-APT +: O +208.115.242.38 S-IP +. O + +TG-3390 S-APT +: O +66.63.178.142 S-IP +. O + +TG-3390 S-APT +: O +72.11.148.220 S-IP +. O + +TG-3390 S-APT +: O +72.11.141.133 S-IP +. O + +TG-3390 S-APT +: O +74.63.195.236 S-IP +. O + +TG-3390 S-APT +: O +74.63.195.237 S-IP +. O +1cb4b74e9d030afbb18accf6ee2bfca1 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +b333b5d541a0488f4e710ae97c46d9c2 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +86a05dcffe87caf7099dda44d9ec6b48 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +93e40da0bd78bebe5e1b98c6324e9b5b S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +f43d9c3e17e8480a36a62ef869212419 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +57e85fc30502a925ffed16082718ec6c S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. 
O +4251aaf38a485b08d5562c6066370f09 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +bbfd1e703f55ce779b536b5646a0cdc1 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +12a522cb96700c82dc964197adb57ddf S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +728e5700a401498d91fb83159beec834 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +2bec1860499aae1dbcc92f48b276f998 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +dropper O +. O +014122d7851fa8bf4070a8fc2acd5dc5 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O +0ae996b31a2c3ed3f0bc14c7a96bea38 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O +1a76681986f99b216d5c0f17ccff2a12 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O +380c02b1fd93eb22028862117a2f19e3 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O +40a9a22da928cbb70df48d5a3106d887 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O +46cf2f9b4a4c35b62a32f28ac847c575 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O +5436c3469cb1d87ea404e8989b28758d S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O +692cecc94ac440ec673dc69f37bc0409 S-MD5 +MD5 S-ENCR +hash O +HttpBrowser S-MAL +RAT O +. O + + +Living O +Off O +the O +Land O +. O + +Release_Time O +: O +2015-05-28 O + +Report_URL O +: O +https://www.secureworks.com/blog/living-off-the-land O + +In O +over O +half O +of O +the O +targeted O +threat O +response O +engagements O +performed O +by O +the O +Dell B-SECTEAM +SecureWorks I-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit I-SECTEAM +Special I-SECTEAM +Operations E-SECTEAM +( O +CTU-SO S-SECTEAM +) O +team O +in O +the O +past O +year O +, O +the O +threat O +actors O +accessed O +the O +target O +environment O +using O +compromised O +credentials O +and O +the O +companies' O +own O +virtual B-TOOL +private I-TOOL +network E-TOOL +( O +VPN S-TOOL +) O +or O +other O +remote O +access O +solutions O +. 
O + +Detecting O +threat O +actors O +who O +are O +" O +living O +off O +the O +land O +, O +" O +using O +credentials O +, O +systems O +, O +and O +tools O +they O +collect O +along O +the O +way O +instead O +of O +backdoors O +, O +can O +be O +challenging O +for O +organizations O +that O +focus O +their O +instrumentation O +and O +controls O +primarily O +on O +the O +detection O +of O +malware O +and O +indicators O +such O +as O +command O +and O +control O +IP O +addresses O +, O +domains O +, O +and O +protocols O +. O + +With O +their O +gaps O +in O +visibility O +, O +these O +organizations O +can O +have O +a O +very O +difficult O +time O +distinguishing O +adversary O +activity O +from O +that O +of O +legitimate O +users O +, O +pushing O +detection O +times O +out O +to O +weeks O +, O +months O +, O +or O +even O +years O +. O + +Recently O +, O +CTU S-SECTEAM +researchers O +responded O +to O +an O +intrusion O +perpetrated O +by O +Threat B-APT +Group-1314 E-APT +( O +TG-1314 S-APT +) O +, O +one O +of O +numerous O +threat O +groups O +that O +employ O +the O +" O +living O +off O +the O +land O +" O +technique O +to O +conduct O +their O +intrusions O +. O + +In O +this O +case O +, O +the O +threat O +actors O +used O +compromised O +credentials O +to O +log O +into O +an O +Internet-facing S-TOOL +Citrix S-TOOL +server O +to O +gain O +access O +to O +the O +network O +. O + +CTU S-SECTEAM +researchers O +discovered O +evidence O +that O +the O +threat O +actors O +were O +not O +only O +leveraging O +the O +company O +'s O +remote O +access O +infrastructure O +, O +but O +were O +also O +using O +the O +company O +'s O +endpoint O +management O +platform O +, O +Altiris S-TOOL +, O +to O +move O +laterally O +through O +the O +network O +. 
O + +Memory O +collection O +and O +analysis O +can O +be O +an O +extremely O +valuable O +component O +of O +an O +incident O +response O +plan O +and O +in O +this O +case O +proved O +crucial O +in O +identifying O +TG-1314 S-APT +'s O +actions O +on O +objective O +. O + +Memory O +collected O +from O +systems O +involved O +in O +the O +intrusion O +was O +analyzed O +using O +the O +Volatility O +framework O +. O + +First O +, O +Volatility S-TOOL +'s O +pstree S-TOOL +plugin S-TOOL +, O +which O +lists O +running O +processes O +in O +a O +tree O +view O +, O +was O +executed O +. O + +The O +result O +immediately O +revealed O +signs O +of O +a O +suspicious O +cmd.exe S-FILE +process O +running O +as O +a O +child O +of O +the O +ACLIENT.EXE S-FILE +process O +. O + +CTU S-SECTEAM +researchers O +immediately O +recognized O +suspicious O +commands O +, O +such O +as O +changing O +the O +working O +directory O +to O +recycler O +and O +executing O +commands O +from O +that O +location O +, O +that O +were O +unlikely O +to O +have O +been O +connected O +to O +legitimate O +system O +administrator O +operations O +. O + +The O +results O +also O +revealed O +indications O +that O +PsExec S-TOOL +, O +a O +popular O +system O +administration O +tool O +for O +executing O +commands O +on O +remote O +systems O +, O +was O +run O +against O +several O +target O +hosts O +to O +spawn O +shells O +on O +them O +. O + +To O +better O +understand O +how O +the O +adversary O +was O +operating O +and O +what O +other O +actions O +they O +had O +performed O +, O +CTU S-SECTEAM +researchers O +examined O +cmd.exe S-FILE +and O +its O +supporting O +processes O +to O +uncover O +additional O +command O +line O +artifacts O +. O + +While O +cmd.exe S-FILE +is O +a O +console O +application O +, O +it O +still O +requires O +GUI S-TOOL +like O +functionality O +and O +other O +support O +to O +interact O +with O +the O +operating O +system O +. 
O + +On O +the O +Windows B-OS +XP E-OS +platform O +, O +this O +support O +is O +provided O +by O +the O +csrss.exe S-FILE +process O +. O + +Because O +commands O +run O +from O +cmd.exe S-FILE +are O +acted O +on O +by O +csrss.exe S-FILE +, O +additional O +evidence O +of O +command O +history O +and O +responses O +sent O +to O +the O +cmd O +console O +window O +are O +often O +discoverable O +by O +analyzing O +the O +csrss.exe S-FILE +process O +'s O +memory O +. O + +The O +output O +in O +Figure O +3 O +shows O +the O +Process B-TOOL +ID E-TOOL +( O +PID S-TOOL +) O +of O +the O +csrss.exe S-FILE +process O +to O +be O +716 O +. O + +Running O +Volatility S-TOOL +'s O +vaddump S-TOOL +plugin S-TOOL +on O +this O +process O +allowed O +CTU S-SECTEAM +researchers O +to O +obtain O +the O +Virtual B-TOOL +Address I-TOOL +Descriptor E-TOOL +( O +VAD S-TOOL +) O +sections O +. O + +The O +relevant O +strings O +inside O +the O +VAD S-TOOL +sections O +were O +UTF-16 S-TOOL +encoded O +and O +revealed O +additional O +insights O +once O +extracted O +. O + +TG-1314 S-APT +was O +mapping O +network O +drives O +using O +a O +compromised O +Altiris S-TOOL +account O +to O +connect O +to O +additional O +systems O +. O + +After O +identifying O +compromised O +credentials O +and O +executed O +commands O +, O +CTU S-SECTEAM +researchers O +shifted O +focus O +to O +determine O +how O +the O +threat O +actors O +were O +obtaining O +the O +shell O +and O +executing O +their O +commands O +on O +the O +compromised O +host O +. O + +This O +exploration O +required O +a O +look O +at O +the O +suspect O +cmd.exe S-FILE +'s O +parent O +process O +, O +shown O +earlier O +in O +the O +investigation O +to O +be O +ACLIENT.EXE S-FILE +. O + +Volatility S-TOOL +'s O +procdump O +command O +was O +used O +to O +dump O +the O +executable O +from O +memory O +. 
O + +Running O +the O +strings O +utility O +against O +the O +dumped O +ACLIENT.EXE S-FILE +binary O +revealed O +evidence O +that O +the O +file O +was O +the O +Altiris S-TOOL +agent O +. O + +These O +results O +indicated O +that O +the O +threat O +actors O +leveraged O +the O +Altiris S-TOOL +management O +platform O +installed O +at O +the O +client O +site O +, O +along O +with O +compromised O +domain O +credentials O +associated O +with O +the O +Altiris S-TOOL +system O +, O +to O +move O +laterally O +within O +the O +compromised O +environment O +. O + +Threat O +groups O +often O +follow O +a O +path O +of O +least O +resistance O +to O +achieve O +their O +objective O +. O + +They O +will O +leverage O +legitimate O +remote O +access O +solutions O +for O +entry O +and O +valid O +system O +administrator O +tools O +for O +lateral O +movement O +, O +if O +possible O +. O + +To O +help O +disrupt O +this O +tactic O +, O +it O +is O +important O +that O +organizations O +implement O +two-factor O +authentication O +for O +all O +remote O +access O +solutions O +and O +consider O +doing O +the O +same O +for O +internal O +, O +high-value O +assets O +like O +their O +internal O +system O +management O +consoles O +. O + +CTU S-SECTEAM +researchers O +assess O +with O +high O +confidence O +that O +threat O +groups O +like O +TG-1314 S-SECTEAM +will O +continue O +to O +live O +off O +of O +the O +land O +to O +avoid O +detection O +and O +conduct O +their O +operations O +. O + +APT O +Targets O +Financial O +Analysts O +with O +CVE-2017-0199 S-VULID +. O + +On O +April B-TIME +20 E-TIME +, O +Proofpoint S-SECTEAM +observed O +a O +targeted O +campaign O +focused O +on O +financial O +analysts O +working O +at O +top O +global O +financial O +firms O +operating O +in O +Russia S-LOC +and O +neighboring O +countries O +. 
O + +These O +analysts O +were O +linked O +by O +their O +coverage O +of O +the O +telecommunications O +industry O +, O +making O +this O +targeting O +very O +similar O +to O +, O +and O +likely O +a O +continuation O +of O +, O +activity O +described O +in O +our O +“ O +In O +Pursuit O +of O +Optical O +Fibers O +and O +Troop O +Intel O +” O +blog O +. O + +This O +time O +, O +however O +, O +attackers O +opportunistically O +used O +spear-phishing S-ACT +emails S-TOOL +with O +a O +Microsoft S-IDTY +Word S-TOOL +attachment O +exploiting O +the O +recently O +patched O +CVE-2017-0199 S-VULID +to O +deploy O +the O +ZeroT S-MAL +Trojan S-MAL +, O +which O +in O +turn O +downloaded O +the O +PlugX S-MAL +Remote B-TOOL +Access I-TOOL +Trojan E-TOOL +( O +RAT S-TOOL +) O +. O + +Proofpoint O +is O +tracking O +this O +attacker O +, O +believed O +to O +operate O +out O +of O +China S-LOC +, O +as O +TA459 S-APT +. O + +The O +actor O +typically O +targets O +Central O +Asian O +countries O +, O +Russia S-LOC +, O +Belarus S-LOC +, O +Mongolia S-LOC +, O +and O +others O +. O + +TA549 S-APT +possesses O +a O +diverse O +malware O +arsenal O +including O +PlugX S-MAL +, O +NetTraveler S-MAL +, O +and O +ZeroT S-MAL +. O + +In O +this O +blog O +, O +we O +also O +document O +other O +2017 S-TIME +activity O +so O +far O +by O +this O +attack O +group O +, O +including O +their O +distribution O +of O +ZeroT S-MAL +malware O +and O +secondary O +payloads O +PCrat S-VULNAME/Gh0st S-VULNAME +. O + +In O +this O +campaign O +, O +attackers O +used O +a O +Microsoft S-IDTY +Word S-TOOL +document O +called O +0721.doc S-FILE +, O +which O +exploits O +CVE-2017-0199 S-VULID +. O + +This O +vulnerability O +was O +disclosed O +and O +patched O +days O +prior O +to O +this O +attack O +. O + +The O +document O +uses O +the O +logic O +flaw O +to O +first O +download O +the O +file O +power.rtf S-FILE +from O +http://122.9.52.215/news/power.rtf S-URL +. 
O + +The O +payload O +is O +actually O +an O +HTML S-TOOL +Application O +( O +HTA S-TOOL +) O +file O +, O +not O +an O +RTF S-TOOL +document O +. O + +The O +HTA S-TOOL +’s O +VBScript S-TOOL +changes O +the O +window S-OS +size O +and O +location O +and O +then O +uses O +PowerShell S-TOOL +to O +download O +yet O +another O +script O +: O +power.ps1 S-FILE +. O + +This O +is O +a O +PowerShell S-TOOL +script O +that O +downloads O +and O +runs O +the O +ZeroT S-MAL +payload O +cgi.exe S-FILE +. O + +The O +attack O +group O +has O +made O +incremental O +changes O +to O +ZeroT S-MAL +since O +our O +last O +analysis O +. O + +While O +they O +still O +use O +RAR S-TOOL +SFX S-TOOL +format O +for O +the O +initial O +payloads O +, O +ZeroT S-MAL +now O +uses O +a O +the O +legitimate O +McAfee S-IDTY +utility O +( O +SHA256 S-ENCR +3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe S-SHA2 +) O +named O +mcut.exe S-FILE +instead O +of O +the O +Norman B-SECTEAM +Safeground I-SECTEAM +AS E-SECTEAM +for O +sideloading O +as O +they O +have O +in O +the O +past O +. O + +The O +encrypted O +ZeroT S-MAL +payload O +, O +named O +Mctl.mui S-FILE +, O +is O +decoded O +in O +memory O +revealing O +a O +similarly O +tampered O +PE S-TOOL +header O +and O +only O +slightly O +modified O +code O +when O +compared O +to O +ZeroT S-MAL +payloads O +we O +analyzed O +previously O +. O + +Once O +ZeroT S-MAL +is O +running O +, O +we O +observed O +that O +the O +fake O +User-Agent O +used O +in O +the O +requests O +changed O +from O +“ O +Mozilla/6.0 O +( O +compatible O +; O +MSIE O +10.0 O +; O +Windows S-OS +NT O +6.2 O +; O +Tzcdrnt/6.0 O +) O +” O +to O +“ O +Mozilla/6.0 O +( O +compatible O +; O +MSIE O +11.0 O +; O +Windows S-OS +NT O +6.2 O +) O +” O +, O +thus O +removing O +the O +“ O +Tzcdrnt O +” O +typo O +observed O +in O +previous O +versions O +. 
O + +The O +initial O +beacon O +to O +index.php S-FILE +changed O +to O +index.txt S-FILE +but O +ZeroT S-MAL +still O +expects O +an O +RC4 S-ENCR +encrypted O +response O +using O +a O +static O +key O +: O +“ O +(*^GF O +(9042&* O +” O +. O + +Next O +, O +ZeroT S-MAL +uses O +HTTP S-PROT +beacons O +to O +transmit O +information O +about O +the O +infected O +system O +to O +the O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C&C S-TOOL +) O +. O + +All O +posts O +are O +encrypted O +, O +unlike O +the O +last O +time O +we O +analyzed O +a O +sample O +from O +this O +actor O +, O +when O +the O +first O +POST O +was O +accidentally O +not O +encrypted O +. O + +After O +that O +, O +stage O +2 O +payloads O +are O +still O +retrieved O +as O +Bitmap S-TOOL +( O +BMP S-TOOL +) O +images S-TOOL +that O +use O +Least B-TOOL +Significant I-TOOL +Bit E-TOOL +( O +LSB S-TOOL +) O +Steganography S-TOOL +to O +hide O +the O +real O +payloads O +. O + +These O +images S-TOOL +appear O +normal O +in O +image S-TOOL +viewers O +. O + +The O +stage O +2 O +payload O +was O +PlugX S-MAL +that O +beaconed O +to O +C&C S-TOOL +servers O +www.icefirebest.com S-DOM +and O +www.icekkk.net S-DOM +. O + +Throughout O +2017 S-TIME +we O +observed O +this O +threat O +actor O +actively O +attempting O +to O +compromise O +victims O +with O +various O +malware O +payloads O +. O + +ZeroT S-MAL +remained O +the O +primary O +stage O +1 O +payload O +, O +but O +the O +stage O +2 O +payloads O +varied O +. O + +One O +such O +interesting O +example O +was O +“ O +ПЛАН_РЕАЛИЗАЦИИ_ПРОЕКТА.rar S-FILE +” O +( O +SHA256 S-ENCR +b5c208e4fb8ba255883f771d384ca85566c7be8adcf5c87114a62efb53b73fda S-SHA2 +) O +. O + +Translated O +from O +Russian O +, O +this O +file O +is O +named O +“ O +PROJECT_REALIZATION_PLAN.rar S-FILE +” O +and O +contains O +a O +compressed O +.scr S-FILE +executable O +. 
O + +This O +ZeroT S-MAL +executable O +communicated O +with O +the O +C&C S-TOOL +domain O +www.kz-info.net S-DOM +and O +downloaded O +PlugX S-MAL +as O +well O +as O +an O +additional O +PCRat S-VULNAME/Gh0st S-VULNAME +Trojan S-MAL +which O +communicated O +with O +the O +www.ruvim.net S-DOM +C&C S-TOOL +server O +. O + +PCRat S-VULNAME/Gh0st S-VULNAME +is O +a O +payload O +that O +we O +do O +not O +see O +this O +group O +using O +frequently O +. O + +Another O +interesting O +ZeroT S-MAL +sample O +( O +SHA256 S-ENCR +bc2246813d7267608e1a80a04dac32da9115a15b1550b0c4842b9d6e2e7de374 S-SHA2 +) O +contained O +the O +executable O +0228.exe S-FILE +and O +a O +decoy O +document O +0228.doc S-FILE +in O +the O +RAR S-TOOL +SFX S-TOOL +archive O +. O + +Bundling O +decoy O +documents O +is O +a O +common O +tactic O +by O +this O +group O +. O + +RAR S-TOOL +SFX S-TOOL +directives O +are O +used O +to O +display O +the O +decoy O +while O +the O +malicious O +payload O +is O +executed O +. O + +We O +suspect O +that O +this O +specific O +lure O +was O +copied O +from O +the O +news O +article O +http://www.cis.minsk.by/news.php?id=7557 S-URL +. O + +TA459 S-APT +is O +well-known O +for O +targeting O +organizations O +in O +Russia S-LOC +and O +neighboring O +countries O +. O + +However O +, O +their O +strategy O +, O +tactics O +, O +techniques O +, O +and O +procedures O +in O +this O +particular O +attack O +emphasize O +the O +importance O +of O +rigorous O +patching O +regimens O +for O +all O +organizations O +. O + +Even O +as O +software O +vulnerabilities O +often O +take O +a O +back O +seat O +to O +human O +exploits O +and O +social O +engineering O +, O +robust O +defenses O +must O +include O +protection O +at O +the O +email S-TOOL +gateway O +, O +proactive O +patch O +management O +, O +and O +thoughtful O +end O +user O +education O +. 
O + +Paying O +attention O +to O +the O +details O +of O +past O +attacks O +is O +also O +an O +important O +means O +of O +preparing O +for O +future O +attacks O +. O + +Noting O +who O +is O +targeted O +, O +with O +what O +malware O +, O +and O +with O +what O +types O +of O +lures O +provide O +clues O +with O +which O +organizations O +can O +improve O +their O +security O +posture O +. O + +At O +the O +same O +time O +, O +multinational O +organizations O +like O +the O +financial O +services O +firms O +targeted O +here O +must O +be O +acutely O +aware O +of O +the O +threats O +from O +state-sponsored O +actors O +working O +with O +sophisticated O +malware O +to O +compromise O +users O +and O +networks O +. O + +Ongoing O +activity O +from O +attack O +groups O +like O +TA459 S-APT +who O +consistently O +target O +individuals O +specializing O +in O +particular O +areas O +of O +research O +and O +expertise O +further O +complicate O +an O +already O +difficult O +security O +situation O +for O +organizations O +dealing O +with O +more O +traditional O +malware O +threats O +, O +phishing S-ACT +campaigns O +, O +and O +socially O +engineered O +threats O +every O +day O +. O + + +Suckfly S-APT +: O +Revealing O +the O +secret O +life O +of O +your O +code O +signing O +certificates O +. O + +Release_Time O +: O +2016-03-15 O +Report_URL O +: O +https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments O + +In O +late B-TIME +2015 E-TIME +, O +Symantec S-SECTEAM +identified O +suspicious O +activity O +involving O +a O +hacking O +tool O +used O +in O +a O +malicious O +manner O +against O +one O +of O +our O +customers O +. O + +Normally O +, O +this O +is O +considered O +a O +low-level O +alert O +easily O +defeated O +by O +security O +software O +. 
O + +In O +this O +case O +, O +however O +, O +the O +hacktool O +had O +an O +unusual O +characteristic O +not O +typically O +seen O +with O +this O +type O +of O +file O +; O +it O +was O +signed O +with O +a O +valid O +code-signing O +certificate O +. O + +Many O +hacktools O +are O +made O +for O +less O +than O +ethical O +purposes O +and O +are O +freely O +available O +, O +so O +this O +was O +an O +initial O +red O +flag O +, O +which O +led O +us O +to O +investigate O +further O +. O + +As O +our O +investigation O +continued O +, O +we O +soon O +realized O +this O +was O +much O +larger O +than O +a O +few O +hacktools O +. O + +We O +discovered O +Suckfly S-APT +, O +an O +advanced O +threat O +group O +, O +conducting O +targeted O +attacks O +using O +multiple O +stolen O +certificates O +, O +as O +well O +as O +hacktools O +and O +custom O +malware O +. O + +The O +group O +had O +obtained O +the O +certificates O +through O +pre-attack O +operations O +before O +commencing O +targeted O +attacks O +against O +a O +number O +of O +government O +and O +commercial O +organizations O +spread O +across O +multiple O +continents O +over O +a O +two-year O +period O +. O + +This O +type O +of O +activity O +and O +the O +malicious O +use O +of O +stolen O +certificates O +emphasizes O +the O +importance O +of O +safeguarding O +certificates O +to O +prevent O +them O +from O +being O +used O +maliciously O +. O + +Suckfly S-APT +has O +a O +number O +of O +hacktools O +and O +malware O +varieties O +at O +its O +disposal O +: O +Back B-TOOL +door E-TOOL +, O +Keylogger S-TOOL +, O +Port B-TOOL +scanner E-TOOL +, O +Misc. S-TOOL +tool O +, O +Exploit S-TOOL +, O +Credential O +dumper S-TOOL +, O +Privilage B-VULNAME +escalation E-VULNAME +. 
O + +The O +first O +signed O +hacktool O +we O +identified O +in O +late B-TIME +2015 E-TIME +was O +a O +digitally O +signed O +brute-force O +server B-TOOL +message I-TOOL +block E-TOOL +( O +SMB S-TOOL +) O +scanner O +. O + +The O +organization O +associated O +with O +this O +certificate O +is O +a O +South O +Korean O +mobile O +software O +developer O +. O + +While O +we O +became O +initially O +curious O +because O +the O +hacktool O +was O +signed O +, O +we O +became O +more O +suspicious O +when O +we O +realized O +a O +mobile O +software O +developer O +had O +signed O +it O +, O +since O +this O +is O +not O +the O +type O +of O +software O +typically O +associated O +with O +a O +mobile O +application O +. O + +Based O +on O +this O +discovery O +, O +we O +began O +to O +look O +for O +other O +binaries O +signed O +with O +the O +South O +Korean O +mobile O +software O +developer's O +certificate O +. O + +This O +led O +to O +the O +discovery O +of O +three O +additional O +hacktools O +also O +signed O +using O +this O +certificate O +. O + +In O +addition O +to O +being O +signed O +with O +a O +stolen O +certificate O +, O +the O +identified O +hacktools O +had O +been O +used O +in O +suspicious O +activity O +against O +a O +US S-LOC +based O +health O +provider O +operating O +in O +India S-LOC +. O + +This O +evidence O +indicates O +that O +the O +certificate O +’s O +rightful O +owner O +either O +misused O +it O +or O +it O +had O +been O +stolen O +from O +them O +. O + +Symantec S-SECTEAM +worked O +with O +the O +certificate O +owner O +to O +confirm O +that O +the O +hacktool O +was O +not O +associated O +with O +them O +. O + +Following O +the O +trail O +further O +, O +we O +traced O +malicious O +traffic O +back O +to O +where O +it O +originated O +from O +and O +looked O +for O +additional O +evidence O +to O +indicate O +that O +the O +attacker O +persistently O +used O +the O +same O +infrastructure O +. 
O + +We O +discovered O +the O +activity O +originated O +from O +three O +separate O +IP S-PROT +addresses O +, O +all O +located O +in O +Chengdu S-LOC +, O +China S-LOC +. O + +In O +addition O +to O +the O +traffic O +originating O +from O +Chengdu S-LOC +, O +we O +identified O +a O +selection O +of O +hacktools O +and O +malware O +signed O +using O +nine O +stolen O +certificates O +. O + +The O +nine O +stolen O +certificates O +originated O +from O +nine O +different O +companies O +who O +are O +physically O +located O +close O +together O +around O +the O +central O +districts O +of O +Seoul S-LOC +, O +South B-LOC +Korea E-LOC +. O + +We O +don't O +know O +the O +exact O +date O +Suckfly S-APT +stole O +the O +certificates O +from O +the O +South O +Korean O +organizations O +. O + +However O +, O +by O +analyzing O +the O +dates O +when O +we O +first O +saw O +the O +certificates O +paired O +with O +hacktools O +or O +malware O +, O +we O +can O +gain O +insight O +into O +when O +the O +certificates O +may O +have O +been O +stolen O +. O + +Figure O +4 O +details O +how O +many O +times O +each O +stolen O +certificate O +was O +used O +in O +a O +given O +month O +. O + +The O +first O +sighting O +of O +three O +of O +the O +nine O +stolen O +certificates O +being O +used O +maliciously O +occurred O +in O +early B-TIME +2014 E-TIME +. O + +Those O +three O +certificates O +were O +the O +only O +ones O +used O +in O +2014 S-TIME +, O +making O +it O +likely O +that O +the O +other O +six O +were O +not O +compromised O +until O +2015 S-TIME +. O + +All O +nine O +certificates O +were O +used O +maliciously O +in O +2015 S-TIME +. O + +As O +noted O +earlier O +, O +the O +stolen O +certificates O +Symantec S-SECTEAM +identified O +in O +this O +investigation O +were O +used O +to O +sign O +both O +hacking O +tools O +and O +malware O +. 
O + +Further O +analysis O +of O +the O +malware O +identified O +what O +looks O +like O +a O +custom O +back B-TOOL +door E-TOOL +. O + +We O +believe O +Suckfly S-APT +specifically O +developed O +the O +back B-TOOL +door E-TOOL +for O +use O +in O +cyberespionage O +campaigns O +. O + +Symantec S-SECTEAM +detects O +this O +threat O +as O +Backdoor.Nidiran S-MAL +. O + +Analysis O +of O +Nidiran S-MAL +samples O +determined O +that O +the O +back B-TOOL +door E-TOOL +had O +been O +updated O +three O +times O +since O +early B-TIME +2014 E-TIME +, O +which O +fits O +the O +timeline O +outlined O +in O +Figure O +4 O +. O + +The O +modifications O +were O +minor O +and O +likely O +performed O +to O +add O +capabilities O +and O +avoid O +detection O +. O + +While O +the O +malware O +is O +custom O +, O +it O +only O +provides O +the O +attackers O +with O +standard O +back B-TOOL +door E-TOOL +capabilities O +. O + +Suckfly S-APT +delivered O +Nidiran S-MAL +through O +a O +strategic O +web O +compromise O +. O + +Specifically O +, O +the O +threat O +group O +used O +a O +specially O +crafted O +web O +page O +to O +deliver O +an O +exploit O +for O +the O +Microsoft S-IDTY +Windows S-OS +OLE B-TOOL +Remote E-TOOL +Code O +Execution O +Vulnerability O +( O +CVE-2014-6332 S-VULID +) O +, O +which O +affects O +specific O +versions O +of O +Microsoft S-IDTY +Windows S-OS +. O + +This O +exploit O +is O +triggered O +when O +a O +potential O +victim O +browses O +to O +a O +malicious O +page O +using O +Internet B-TOOL +Explorer E-TOOL +, O +which O +can O +allow O +the O +attacker O +to O +execute O +code O +with O +the O +same O +privileges O +as O +the O +currently O +logged-in O +user O +. O + +Once O +exploit O +has O +been O +achieved O +, O +Nidiran S-MAL +is O +delivered O +through O +a O +self-extracting O +executable O +that O +extracts O +the O +components O +to O +a O +.tmp S-FILE +folder O +after O +it O +has O +been O +executed O +. 
O + +The O +threat O +then O +executes O +“ O +svchost.exe S-FILE +” O +, O +a O +PE S-TOOL +file O +, O +which O +is O +actually O +a O +clean O +tool O +known O +as O +OLEVIEW.EXE S-FILE +. O + +The O +executable O +will O +then O +load O +iviewers.dll S-FILE +, O +which O +is O +normally O +a O +clean O +, O +legitimate O +file O +. O + +Attackers O +have O +been O +known O +to O +distribute O +malicious O +files O +masquerading O +as O +the O +legitimate O +iviewers.dll S-FILE +file O +and O +then O +use O +DLL S-TOOL +load O +hijacking O +to O +execute O +the O +malicious O +code O +and O +infect O +the O +computer O +. O + +This O +technique O +is O +associated O +with O +the O +Korplug S-MAL/Plug-x S-MAL +malware O +and O +is O +frequently O +used O +in O +China S-LOC +based O +cyberespionage O +activity O +. O + +Suckfly S-APT +isn’t O +the O +only O +attack O +group O +to O +use O +certificates O +to O +sign O +malware O +but O +they O +may O +be O +the O +most O +prolific O +collectors O +of O +them O +. O + +After O +all O +, O +Stuxnet S-VULNAME +, O +widely O +regarded O +as O +the O +world O +’s O +first O +known O +cyberweapon O +, O +was O +signed O +using O +stolen O +certificates O +from O +companies O +based O +in O +Taiwan S-LOC +with O +dates O +much O +earlier O +than O +Suckfly S-APT +. O + +Other O +cyberespionage O +groups O +, O +including O +Black B-APT +Vine E-APT +and O +Hidden B-APT +Lynx E-APT +, O +have O +also O +used O +stolen O +certificates O +in O +their O +campaigns O +. O + +In O +April B-TIME +2013 E-TIME +, O +a O +third-party O +vendor O +published O +a O +report O +about O +a O +cyberespionage O +group O +using O +custom O +malware O +and O +stolen O +certificates O +in O +their O +operations O +. O + +The O +report O +documented O +an O +advanced O +threat O +group O +they O +attributed O +to O +China S-LOC +. 
O + +Symantec S-SECTEAM +tracks O +the O +group O +behind O +this O +activity O +as O +Blackfly S-APT +and O +detects O +the O +malware O +they O +use O +as O +Backdoor.Winnti S-MAL +. O + +The O +Blackfly S-APT +attacks O +share O +some O +similarities O +with O +the O +more O +recent O +Suckfly S-APT +attacks O +. O + +Blackfly S-APT +began O +with O +a O +campaign O +to O +steal O +certificates O +, O +which O +were O +later O +used O +to O +sign O +malware O +used O +in O +targeted O +attacks O +. O + +The O +certificates O +Blackfly S-APT +stole O +were O +also O +from O +South O +Korean O +companies O +, O +primarily O +in O +the O +video O +game O +and O +software O +development O +industry O +. O + +Another O +similarity O +is O +that O +Suckfly S-APT +stole O +a O +certificate O +from O +Company O +D O +( O +see O +Figure O +4 O +) O +less O +than O +two O +years O +after O +Blackfly S-APT +had O +stolen O +a O +certificate O +from O +the O +same O +company O +. O + +While O +the O +stolen O +certificates O +were O +different O +, O +and O +stolen O +in O +separate O +instances O +, O +they O +were O +both O +used O +with O +custom O +malware O +in O +targeted O +attacks O +originating O +from O +China S-LOC +. O + +Signing O +malware O +with O +code-signing O +certificates O +is O +becoming O +more O +common O +, O +as O +seen O +in O +this O +investigation O +and O +the O +other O +attacks O +we O +have O +discussed O +. O + +Attackers O +are O +taking O +the O +time O +and O +effort O +to O +steal O +certificates O +because O +it O +is O +becoming O +necessary O +to O +gain O +a O +foothold O +on O +a O +targeted O +computer O +. O + +Attempts O +to O +sign O +malware O +with O +code-signing O +certificates O +have O +become O +more O +common O +as O +the O +Internet O +and O +security O +systems O +have O +moved O +towards O +a O +more O +trust O +and O +reputation O +oriented O +model O +. 
O + +This O +means O +that O +untrusted O +software O +may O +not O +be O +allowed O +to O +run O +unless O +it O +is O +signed O +. O + +As O +we O +noted O +in O +our O +previous O +research O +on O +the O +Apple S-IDTY +threat O +landscape O +, O +some O +operating O +systems O +, O +such O +as O +Mac B-OS +OS I-OS +X E-OS +, O +are O +configured O +by O +default O +to O +only O +allow O +applications O +to O +run O +if O +they O +have O +been O +signed O +with O +a O +valid O +certificate O +, O +meaning O +they O +are O +trusted O +. O + +However O +, O +using O +valid O +code-signing O +certificates O +stolen O +from O +organizations O +with O +a O +positive O +reputation O +can O +allow O +attackers O +to O +piggyback O +on O +that O +company O +’s O +trust O +, O +making O +it O +easier O +to O +slip O +by O +these O +defenses O +and O +gain O +access O +to O +targeted O +computers O +. O + +Suckfly S-APT +paints O +a O +stark O +picture O +of O +where O +cyberattack O +groups O +and O +cybercriminals O +are O +focusing O +their O +attentions O +. O + +Our O +investigation O +shines O +a O +light O +on O +an O +often O +unknown O +and O +seedier O +secret O +life O +of O +code-signing O +certificates O +, O +which O +is O +completely O +unknown O +to O +their O +owners O +. O + +The O +implications O +of O +this O +study O +shows O +that O +certificate O +owners O +need O +to O +keep O +a O +careful O +eye O +on O +them O +to O +prevent O +them O +from O +falling O +into O +the O +wrong O +hands O +. O + +It O +is O +important O +to O +give O +certificates O +the O +protection O +they O +need O +so O +they O +can't O +be O +used O +maliciously O +. O + +The O +certificates O +are O +only O +as O +secure O +as O +the O +safeguards O +that O +organizations O +put O +around O +them O +. O + +Once O +a O +certificate O +has O +been O +compromised O +, O +so O +has O +the O +reputation O +of O +the O +organization O +who O +signed O +it O +. 
O + +An O +organization O +whose O +certificate O +has O +been O +stolen O +and O +used O +to O +sign O +malware O +will O +always O +be O +associated O +with O +that O +activity O +. O + +Symantec S-SECTEAM +monitors O +for O +this O +type O +of O +activity O +to O +help O +prevent O +organizations O +from O +being O +tied O +to O +malicious O +actions O +undertaken O +with O +their O +stolen O +certificates O +. O + +During O +the O +course O +of O +this O +investigation O +, O +we O +ensured O +that O +all O +certificates O +compromised O +by O +Suckfly S-APT +were O +revoked O +and O +the O +affected O +companies O +notified O +. O + +Over O +the O +past O +few O +years O +, O +we O +have O +seen O +a O +number O +of O +advanced O +threats O +and O +cybercrime O +groups O +who O +have O +stolen O +code-signing O +certificates O +. O + +In O +all O +of O +the O +cases O +involving O +an O +advanced O +threat O +, O +the O +certificates O +were O +used O +to O +disguise O +malware O +as O +a O +legitimate O +file O +or O +application O +. O + +File O +hashes O +: O + +05edd53508c55b9dd64129e944662c0d S-MD5 +1cf5ce3e3ea310b0f7ce72a94659ff54 S-MD5 +352eede25c74775e6102a095fb49da8c S-MD5 +3b595d3e63537da654de29dd01793059 S-MD5 +4709395fb143c212891138b98460e958 S-MD5 +50f4464d0fc20d1932a12484a1db4342 S-MD5 +96c317b0b1b14aadfb5a20a03771f85f S-MD5 +ba7b1392b799c8761349e7728c2656dd S-MD5 +de5057e579be9e3c53e50f97a9b1832b S-MD5 +e7d92039ffc2f07496fe7657d982c80f S-MD5 +e864f32151d6afd0a3491f432c2bb7a2 S-MD5 +. O + +Infrastructure O +: O + +usv0503.iqservs-jp.com S-DOM +aux.robertstockdill.com S-DOM +fli.fedora-dns-update.com S-DOM +bss.pvtcdn.com S-DOM +ssl.microsoft-security-center.com S-DOM +ssl.2upgrades.com S-DOM +133.242.134.121 S-IP +fli.fedora-dns-update.com S-DOM +. O + + +Indian O +organizations O +targeted O +in O +Suckfly S-APT +attacks O +. 
O + +In O +March B-TIME +2016 E-TIME +, O +Symantec S-SECTEAM +published O +a O +blog O +on O +Suckfly S-APT +, O +an O +advanced O +cyberespionage O +group O +that O +conducted O +attacks O +against O +a O +number O +of O +South O +Korean O +organizations O +to O +steal O +digital O +certificates O +. O + +Since O +then O +we O +have O +identified O +a O +number O +of O +attacks O +over O +a O +two-year O +period O +, O +beginning O +in O +April B-TIME +2014 E-TIME +, O +which O +we O +attribute O +to O +Suckfly S-APT +. O + +The O +attacks O +targeted O +high-profile O +targets O +, O +including O +government O +and O +commercial O +organizations O +. O + +These O +attacks O +occurred O +in O +several O +different O +countries O +, O +but O +our O +investigation O +revealed O +that O +the O +primary O +targets O +were O +individuals O +and O +organizations O +primarily O +located O +in O +India S-LOC +. O + +While O +there O +have O +been O +several O +Suckfly S-APT +campaigns O +that O +infected O +organizations O +with O +the O +group O +’s O +custom O +malware O +Backdoor.Nidiran S-MAL +, O +the O +Indian O +targets O +show O +a O +greater O +amount O +of O +post-infection O +activity O +than O +targets O +in O +other O +regions O +. O + +This O +suggests O +that O +these O +attacks O +were O +part O +of O +a O +planned O +operation O +against O +specific O +targets O +in O +India S-LOC +. O + +The O +first O +known O +Suckfly S-APT +campaign O +began O +in O +April B-TIME +of I-TIME +2014 E-TIME +. O + +During O +our O +investigation O +of O +the O +campaign O +, O +we O +identified O +a O +number O +of O +global O +targets O +across O +several O +industries O +who O +were O +attacked O +in O +2015 S-TIME +. O + +Many O +of O +the O +targets O +we O +identified O +were O +well O +known O +commercial O +organizations O +located O +in O +India S-LOC +. 
O + +These O +organizations O +included O +: O + +One O +of O +India S-LOC +'s O +largest O +financial O +organizations O +A O +large O +e-commerce O +company O +The O +e-commerce O +company O +'s O +primary O +shipping O +vendor O +One O +of O +India S-LOC +'s O +top O +five O +IT O +firms O +A O +United B-LOC +States E-LOC +healthcare O +provider O +'s O +Indian O +business O +unit O +Two O +government O +organizations O +. O + +Suckfly S-APT +spent O +more O +time O +attacking O +the O +government O +networks O +compared O +to O +all O +but O +one O +of O +the O +commercial O +targets O +. O + +Additionally O +, O +one O +of O +the O +two O +government O +organizations O +had O +the O +highest O +infection O +rate O +of O +the O +Indian O +targets O +. O + +Figure O +1 O +shows O +the O +infection O +rate O +for O +each O +of O +the O +targets O +. O + +Indian O +government O +org O +#2 O +is O +responsible O +for O +implementing O +network O +software O +for O +different O +ministries O +and O +departments O +within O +India S-LOC +'s O +central O +government O +. O + +The O +high O +infection O +rate O +for O +this O +target O +is O +likely O +because O +of O +its O +access O +to O +technology O +and O +information O +related O +to O +other O +Indian O +government O +organizations O +. O + +Suckfly S-APT +'s O +attacks O +on O +government O +organizations O +that O +provide O +information O +technology O +services O +to O +other O +government O +branches O +is O +not O +limited O +to O +India S-LOC +. O + +It O +has O +conducted O +attacks O +on O +similar O +organizations O +in O +Saudi B-LOC +Arabia E-LOC +, O +likely O +because O +of O +the O +access O +that O +those O +organizations O +have O +. O + +Suckfly S-APT +'s O +targets O +are O +displayed O +in O +figure O +2 O +by O +their O +industry O +, O +which O +provides O +a O +clearer O +view O +of O +the O +group O +’s O +operations O +. 
O + +Most O +of O +the O +group O +'s O +attacks O +are O +focused O +on O +government O +or O +technology O +related O +companies O +and O +organizations O +. O + +One O +of O +the O +attacks O +we O +investigated O +provided O +detailed O +insight O +into O +how O +Suckfly S-APT +conducts O +its O +operations O +. O + +In O +2015 S-TIME +, O +Suckfly S-APT +conducted O +a O +multistage O +attack O +between O +April B-TIME +22 E-TIME +and O +May B-TIME +4 E-TIME +against O +an O +e-commerce O +organization O +based O +in O +India S-LOC +. O + +Similar O +to O +its O +other O +attacks O +, O +Suckfly S-APT +used O +the O +Nidiran S-MAL +back O +door O +along O +with O +a O +number O +of O +hacktools O +to O +infect O +the O +victim O +'s O +internal O +hosts O +. O + +The O +tools O +and O +malware O +used O +in O +this O +breach O +were O +also O +signed O +with O +stolen O +digital O +certificates O +. O + +Suckfly S-APT +'s O +first O +step O +was O +to O +identify O +a O +user O +to O +target O +so O +the O +attackers O +could O +attempt O +their O +initial O +breach O +into O +the O +e-commerce O +company O +'s O +internal O +network O +. O + +We O +don't O +have O +hard O +evidence O +of O +how O +Suckfly S-APT +obtained O +information O +on O +the O +targeted O +user O +, O +but O +we O +did O +find O +a O +large O +open-source O +presence O +on O +the O +initial O +target O +. O + +The O +target O +'s O +job O +function O +, O +corporate O +email S-TOOL +address O +, O +information O +on O +work O +related O +projects O +, O +and O +publicly O +accessible O +personal O +blog O +could O +all O +be O +freely O +found O +online O +. 
O + +On O +April B-TIME +22 I-TIME +, I-TIME +2015 E-TIME +, O +Suckfly S-APT +exploited O +a O +vulnerability O +on O +the O +targeted O +employee O +'s O +operating O +system O +( O +Windows S-OS +) O +that O +allowed O +the O +attackers O +to O +bypass O +the O +User B-TOOL +Account I-TOOL +Control E-TOOL +and O +install O +the O +Nidiran S-MAL +back O +door O +to O +provide O +access O +for O +their O +attack O +. O + +While O +we O +know O +the O +attackers O +used O +a O +custom O +dropper O +to O +install O +the O +back O +door O +, O +we O +do O +not O +know O +the O +delivery O +vector O +. O + +Based O +on O +the O +amount O +of O +open-source O +information O +available O +on O +the O +target O +, O +it O +is O +feasible O +that O +a O +spear-phishing S-ACT +email S-TOOL +may O +have O +been O +used O +. O + +After O +the O +attackers O +successfully O +exploited O +the O +employee O +���s O +system O +, O +they O +gained O +access O +to O +the O +e-commerce O +company O +'s O +internal O +network O +. O + +We O +found O +evidence O +that O +Suckfly S-APT +used O +hacktools O +to O +move O +latterly O +and O +escalate O +privileges O +. O + +To O +do O +this O +the O +attackers O +used O +a O +signed O +credential-dumping O +tool O +to O +obtain O +the O +victim O +'s O +account O +credentials O +. O + +With O +the O +account O +credentials O +, O +the O +attackers O +were O +able O +to O +access O +the O +victim O +'s O +account O +and O +navigate O +the O +internal O +corporate O +network O +as O +though O +they O +were O +the O +employee O +. O + +On O +April B-TIME +27 E-TIME +, O +the O +attackers O +scanned O +the O +corporate O +internal O +network O +for O +hosts O +with O +ports O +8080 O +, O +5900 O +, O +and O +40 O +open O +. O + +Ports O +8080 O +and O +5900 O +are O +common O +ports O +used O +with O +legitimate O +protocols O +, O +but O +can O +be O +abused O +by O +attackers O +when O +they O +are O +not O +secured O +. 
O + +It O +isn't O +clear O +why O +the O +attackers O +scanned O +for O +hosts O +with O +port O +40 O +open O +because O +there O +isn't O +a O +common O +protocol O +assigned O +to O +this O +port O +. O + +Based O +on O +Suckfly S-APT +scanning O +for O +common O +ports O +, O +it O +’s O +clear O +that O +the O +group O +was O +looking O +to O +expand O +its O +foothold O +on O +the O +e-commerce O +company O +'s O +internal O +network O +. O + +The O +attackers O +’ O +final O +step O +was O +to O +exfiltrate O +data O +off O +the O +victim O +’s O +network O +and O +onto O +Suckfly S-APT +’s O +infrastructure O +. O + +While O +we O +know O +that O +the O +attackers O +used O +the O +Nidiran S-MAL +back O +door O +to O +steal O +information O +about O +the O +compromised O +organization O +, O +we O +do O +not O +know O +if O +Suckfly S-APT +was O +successful O +in O +stealing O +other O +information O +. O + +These O +steps O +were O +taken O +over O +a O +13-day O +period O +, O +but O +only O +on O +specific O +days O +. O + +While O +tracking O +what O +days O +of O +the O +week O +Suckfly S-APT +used O +its O +hacktools O +, O +we O +discovered O +that O +the O +group O +was O +only O +active O +Monday S-TIME +through O +Friday S-TIME +. O + +There O +was O +no O +activity O +from O +the O +group O +on O +weekends O +. O + +We O +were O +able O +to O +determine O +this O +because O +the O +attackers O +’ O +hacktools O +are O +command O +line O +driven O +and O +can O +provide O +insight O +into O +when O +the O +operators O +are O +behind O +keyboards O +actively O +working O +. O + +Figure O +4 O +shows O +the O +attackers O +’ O +activity O +levels O +throughout O +the O +week O +. O + +Suckfly S-APT +made O +its O +malware O +difficult O +to O +analyze O +to O +prevent O +their O +operations O +from O +being O +detected O +. 
O + +However O +, O +we O +were O +able O +to O +successfully O +analyze O +Suckfly S-APT +malware O +samples O +and O +extract O +some O +of O +the O +communications O +between O +the O +Nidiran S-MAL +back O +door O +and O +the O +Suckfly S-APT +command B-TOOL +and I-TOOL +control E-TOOL +( O +C&C S-TOOL +) O +domains O +. O + +We O +analyzed O +the O +dropper S-TOOL +, O +which O +is O +an O +executable O +that O +contains O +the O +following O +three O +files O +: O + +dllhost.exe S-FILE +: O +The O +main O +host O +for O +the O +.dll S-FILE +file O +. O +iviewers.dll S-FILE +: O +Used O +to O +load O +encrypted O +payloads O +and O +then O +decrypt O +them O +. O +msfled O +: O +The O +encrypted O +payload O +. O + +All O +three O +files O +are O +required O +for O +the O +malware O +to O +run O +correctly O +. O + +Once O +the O +malware O +has O +been O +executed O +, O +it O +checks O +to O +see O +if O +it O +has O +a O +connection O +to O +the O +internet O +before O +running O +. O + +If O +the O +connection O +test O +is O +successful O +, O +the O +malware O +runs O +and O +attempts O +to O +communicate O +with O +the O +C&C S-TOOL +domain O +over O +ports O +443 O +and O +8443 O +. O + +In O +the O +samples O +we O +analyzed O +we O +found O +the O +port O +and O +C&C S-TOOL +information O +encrypted O +and O +hardcoded O +into O +the O +Nidiran S-MAL +malware O +itself O +. O + +The O +key O +for O +the O +RC4 S-ENCR +encryption O +in O +this O +sample O +is O +the O +hardcoded O +string O +“ O +h0le O +” O +. O + +Once O +the O +cookie O +data O +is O +decoded O +, O +Suckfly S-APT +has O +the O +network O +name O +, O +hostname O +, O +IP S-PROT +address O +, O +and O +the O +victim O +'s O +operating O +system O +information O +. O + +Information O +about O +the O +C&C S-TOOL +infrastructure O +identified O +in O +our O +analysis O +of O +Suckfly S-APT +activity O +can O +be O +seen O +in O +Table O +1 O +. 
O + +Domain O +Registration O +IP S-PROT +address O +Registration O +date O + +aux.robertstockdill.com S-DOM +kumar.pari@yandex.com S-EMAIL +Unknown O +April B-TIME +1 I-TIME +, I-TIME +2014 E-TIME +. O +ssl.2upgrades.com S-DOM +kumar.pari@yandex.com S-EMAIL +176.58.96.234 S-IP +July B-TIME +5 I-TIME +, I-TIME +2014 E-TIME +. O +bss.pvtcdn.com S-DOM +registrar@mail.zgsj.com S-EMAIL +106.184.1.38 S-IP +May B-TIME +19 I-TIME +, I-TIME +2015 E-TIME +. O + +ssl.microsoft-security-center.com S-DOM +Whoisguard S-TOOL +Unknown O +July B-TIME +20 I-TIME +, I-TIME +2015 E-TIME.usv0503.iqservs-jp.com S-DOM +Domain@quicca.com S-EMAIL +133.242.134.121 S-IP +August B-TIME +18 I-TIME +, I-TIME +2014 E-TIME +. O + +fli.fedora-dns-update.com S-DOM +Whoisguard S-TOOL +Unknown O +Unknown O +. O + +Suckfly S-APT +targeted O +one O +of O +India S-LOC +’s O +largest O +e-commerce O +companies O +, O +a O +major O +Indian O +shipping O +company O +, O +one O +of O +India S-LOC +’s O +largest O +financial O +organizations O +, O +and O +an O +IT O +firm O +that O +provides O +support O +for O +India S-LOC +’s O +largest O +stock O +exchange O +. O + +All O +of O +these O +targets O +are O +large O +corporations O +that O +play O +a O +major O +role O +in O +India S-LOC +’s O +economy O +. O + +By O +targeting O +all O +of O +these O +organizations O +together O +, O +Suckfly S-APT +could O +have O +had O +a O +much O +larger O +impact O +on O +India S-LOC +and O +its O +economy O +. O + +While O +we O +don't O +know O +the O +motivations O +behind O +the O +attacks O +, O +the O +targeted O +commercial O +organizations O +, O +along O +with O +the O +targeted O +government O +organizations O +, O +may O +point O +in O +this O +direction O +. 
O + +Suckfly S-APT +has O +the O +resources O +to O +develop O +malware O +, O +purchase O +infrastructure O +, O +and O +conduct O +targeted O +attacks O +for O +years O +while O +staying O +off O +the O +radar O +of O +security O +organizations O +. O + +During O +this O +time O +they O +were O +able O +to O +steal O +digital O +certificates O +from O +South O +Korean O +companies O +and O +launch O +attacks O +against O +Indian B-IDTY +and I-IDTY +Saudi I-IDTY +Arabian I-IDTY +government E-IDTY +organizations O +. O + +There O +is O +no O +evidence O +that O +Suckfly S-APT +gained O +any O +benefits O +from O +attacking O +the O +government O +organizations O +, O +but O +someone O +else O +may O +have O +benefited O +from O +these O +attacks O +. O + +The O +nature O +of O +the O +Suckfly S-APT +attacks O +suggests O +that O +it O +is O +unlikely O +that O +the O +threat O +group O +orchestrated O +these O +attacks O +on O +their O +own O +. O + +We O +believe O +that O +Suckfly S-APT +will O +continue O +to O +target O +organizations O +in O +India O +and O +similar O +organizations O +in O +other O +countries O +in O +order O +to O +provide O +economic O +insight O +to O +the O +organization O +behind O +Suckfly S-APT +'s O +operations O +. O + + +THE O +DUKES S-APT +7 O +YEARS O +OF O +RUSSIAN O +CYBERESPIONAGE O +. O + +TOOLS O +AND O +TECHNIQUES O +OF O +THE O +DUKES S-APT +. O + +PINCHDUKE S-MAL +: O +First O +known O +activity O +November B-TIME +2008 E-TIME +, O +Most O +recent O +known O +activity O +Summer B-TIME +2010 E-TIME +, O +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +Known O +toolset O +components O +Multiple O +loaders S-TOOL +, O +Information B-TOOL +stealer E-TOOL +. O + +The O +PinchDuke S-MAL +toolset O +consists O +of O +multiple O +loaders S-TOOL +and O +a O +core O +information B-TOOL +stealer E-TOOL +Trojan S-MAL +. 
O + +The O +loaders S-TOOL +associated O +with O +the O +PinchDuke S-MAL +toolset O +have O +also O +been O +observed O +being O +used O +with O +CosmicDuke S-MAL +. O + +The O +PinchDuke S-MAL +information B-TOOL +stealer E-TOOL +gathers O +system O +configuration O +information O +, O +steals O +user O +credentials O +, O +and O +collects O +user O +files O +from O +the O +compromised O +host O +transferring O +these O +via O +HTTP B-PROT +(S I-PROT +) E-PROT +to O +a O +C&C S-TOOL +server O +. O + +We O +believe O +PinchDuke S-MAL +’s O +credential O +stealing O +functionality O +is O +based O +on O +the O +source O +code O +of O +the O +Pinch S-TOOL +credential O +stealing O +malware O +( O +also O +known O +as O +LdPinch S-MAL +) O +that O +was O +developed O +in O +the O +early B-TIME +2000s E-TIME +and O +has O +later O +been O +openly O +distributed O +on O +underground O +forums O +. O + +Credentials O +targeted O +by O +PinchDuke S-MAL +include O +ones O +associated O +with O +the O +following O +software O +or O +services O +: O +The O +Bat! S-TOOL +, O +Yahoo! S-TOOL +, O +Mail.ru S-DOM +, O +Passport.Net S-DOM +, O +Google B-TOOL +Talk E-TOOL +, O +Netscape B-TOOL +Navigator E-TOOL +, O +Mozilla B-TOOL +Firefox E-TOOL +, O +Mozilla B-TOOL +Thunderbird E-TOOL +, O +Internet B-TOOL +Explorer E-TOOL +, O +Microsoft S-IDTY +Outlook S-TOOL +, O +WinInet B-TOOL +Credential I-TOOL +Cache E-TOOL +, O +Lightweight B-TOOL +Directory I-TOOL +Access I-TOOL +Protocol E-TOOL +( O +LDAP S-TOOL +) O +. O + +PinchDuke S-MAL +will O +also O +search O +for O +files O +that O +have O +been O +created O +within O +a O +predefined O +timeframe O +and O +whose O +file O +extension O +is O +present O +in O +a O +predefined O +list O +. O + +As O +a O +curiosity O +, O +most O +PinchDuke S-MAL +samples O +contain O +a O +Russian O +language O +error O +message O +: O +“ O +There O +is O +an O +error O +in O +the O +module O +’s O +name O +! 
O +The O +length O +of O +the O +data O +section O +name O +must O +be O +4 O +bytes O +” O +. O + +GEMINIDUKE S-MAL +: O +First O +known O +activity O +January B-TIME +2009 E-TIME +, O +Most O +recent O +known O +activity O +December B-TIME +2012 E-TIME +, O +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +Known O +toolset O +components O +Loader S-TOOL +, O +Information B-TOOL +stealer E-TOOL +, O +Multiple B-TOOL +persistence I-TOOL +components E-TOOL +. O + +The O +GeminiDuke S-MAL +toolset O +consists O +of O +a O +core O +information B-TOOL +stealer E-TOOL +, O +a O +loader S-TOOL +and O +multiple B-TOOL +persistencerelated I-TOOL +components E-TOOL +. O + +Unlike O +CosmicDuke S-MAL +and O +PinchDuke S-MAL +, O +GeminiDuke S-MAL +primarily O +collects O +information O +on O +the O +victim O +computer O +’s O +configuration O +. O + +The O +collected O +details O +include O +: O +Local O +user O +accounts O +, O +Network O +settings O +, O +Internet O +proxy O +settings O +, O +Installed O +drivers O +, O +Running O +processes O +, O +Programs O +previously O +executed O +by O +users O +, O +Programs O +and O +services O +configured O +to O +automatically O +run O +at O +startup O +, O +Values O +of O +environment O +variables O +, O +Files O +and O +folders O +present O +in O +any O +users O +home O +folder O +, O +Files O +and O +folders O +present O +in O +any O +users O +My O +Documents O +, O +Programs O +installed O +to O +the O +Program O +Files O +folder O +, O +Recently O +accessed O +files O +, O +folders O +and O +programs O +. O + +As O +is O +common O +for O +malware O +, O +the O +GeminiDuke S-MAL +infostealer S-TOOL +uses O +a O +mutex O +to O +ensure O +that O +only O +one O +instance O +of O +itself O +is O +running O +at O +a O +time O +. O + +What O +is O +less O +common O +is O +that O +the O +name O +used O +for O +the O +mutex O +is O +often O +a O +timestamp O +. 
O + +We O +believe O +these O +timestamps O +to O +be O +generated O +during O +the O +compilation O +of O +GeminiDuke S-MAL +from O +the O +local O +time O +of O +the O +computer O +being O +used O +. O + +Comparing O +the O +GeminiDuke S-MAL +compilation O +timestamps O +, O +which O +always O +reference O +the O +time O +in O +the O +UTC+0 O +timezone O +, O +with O +the O +local O +time O +timestamps O +used O +as O +mutex O +names O +, O +and O +adjusting O +for O +the O +presumed O +timezone O +difference O +, O +we O +note O +that O +all O +of O +the O +mutex O +names O +reference O +a O +time O +and O +date O +that O +is O +within O +seconds O +of O +the O +respective O +sample O +’s O +compilation O +timestamp O +. O + +Additionally O +, O +the O +apparent O +timezone O +of O +the O +timestamps O +in O +all O +of O +the O +GeminiDuke S-MAL +samples O +compiled O +during O +the O +winter O +is O +UTC+3 O +, O +while O +for O +samples O +compiled O +during O +the O +summer O +, O +it O +is O +UTC+4 O +. O + +The O +observed O +timezones O +correspond O +to O +the O +pre-2011 O +definition O +of O +Moscow S-LOC +Standard O +Time O +( O +MSK O +) O +, O +which O +was O +UTC+3 O +during O +the O +winter O +and O +UTC+4 O +during O +the O +summer O +. O + +In O +2011 S-TIME +MSK O +stopped O +following O +Daylight O +Saving O +Time O +( O +DST O +) O +and O +was O +set O +to O +UTC+4 O +year-round O +, O +then O +reset O +to O +UTC O ++3 O +yearround O +in O +2014 S-TIME +. O + +Some O +of O +the O +observed O +GeminiDuke S-MAL +samples O +that O +used O +timestamps O +as O +mutex O +names O +were O +compiled O +while O +MSK O +still O +respected O +DST O +and O +for O +these O +samples O +, O +the O +timestamps O +perfectly O +align O +with O +MSK O +as O +it O +was O +defined O +at O +the O +time O +. 
O + +However O +, O +GeminiDuke S-MAL +samples O +compiled O +after O +MSK O +was O +altered O +still O +vary O +the O +timezone O +between O +UTC+3 O +in O +the O +winter O +and O +UTC+4 O +during O +the O +summer O +. O + +While O +computers O +using O +Microsoft S-IDTY +Windows S-OS +automatically O +adjust O +for O +DST O +, O +changes O +in O +timezone O +definitions O +require O +that O +an O +update O +to O +Windows S-OS +be O +installed O +. O + +We O +therefore O +believe O +that O +the O +Dukes S-APT +group O +simply O +failed O +to O +update O +the O +computer O +they O +were O +using O +to O +compile O +GeminiDuke S-MAL +samples O +, O +so O +that O +the O +timestamps O +seen O +in O +later O +samples O +still O +appear O +to O +follow O +the O +old O +definition O +of O +Moscow S-LOC +Standard O +Time O +. O + +The O +GeminiDuke S-MAL +infostealer O +has O +occasionally O +been O +wrapped O +with O +a O +loader O +that O +appears O +to O +be O +unique O +to O +GeminiDuke S-MAL +and O +has O +never O +been O +observed O +being O +used O +with O +any O +of O +the O +other O +Duke S-APT +toolsets O +. O + +GeminiDuke S-MAL +also O +occasionally O +embeds O +additional O +executables O +that O +attempt O +to O +achieve O +persistence O +on O +the O +victim O +computer O +. O + +These O +persistence O +components O +appear O +to O +be O +uniquely O +customized O +for O +use O +with O +GeminiDuke S-MAL +, O +but O +they O +use O +many O +of O +the O +same O +techniques O +as O +CosmicDuke S-MAL +persistence O +components O +. 
O + +COSMICDUKE S-MAL +: O +First O +known O +activity O +January B-TIME +2010 E-TIME +, O +Most O +recent O +known O +activity O +Summer B-TIME +2015 E-TIME +, O +Other O +names O +Tinybaron S-MAL +, O +BotgenStudios S-MAL +, O +NemesisGemina S-MAL +, O +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +FTP S-PROT +, O +WebDav S-PROT +, O +Known O +toolset O +components O +Information B-TOOL +stealer E-TOOL +, O +Multiple O +loaders S-TOOL +, O +Privilege O +escalation O +component O +, O +Multiple O +persistence O +components O +. O + +The O +CosmicDuke S-MAL +toolset O +is O +designed O +around O +a O +main O +information B-TOOL +stealer E-TOOL +component O +. O + +This O +information B-TOOL +stealer E-TOOL +is O +augmented O +by O +a O +variety O +of O +components O +that O +the O +toolset O +operators O +may O +selectively O +include O +with O +the O +main O +component O +to O +provide O +additional O +functionalities O +, O +such O +as O +multiple O +methods O +of O +establishing O +persistence O +, O +as O +well O +as O +modules O +that O +attempt O +to O +exploit O +privilege O +escalation O +vulnerabilities O +in O +order O +to O +execute O +CosmicDuke S-MAL +with O +higher O +privileges O +. 
O + +CosmicDuke S-MAL +’s O +information O +stealing O +functionality O +includes O +: O +Keylogging O +, O +Taking O +screenshots O +, O +Stealing O +clipboard O +contents O +, O +Stealing O +user O +files O +with O +file O +extensions O +that O +match O +a O +predefined O +list O +, O +Exporting O +the O +users O +cryptographic O +certificates O +including O +private O +keys O +, O +Collecting O +user O +credentials O +, O +including O +passwords O +, O +for O +a O +variety O +of O +popular O +chat O +and O +email S-TOOL +programs O +as O +well O +as O +from O +web O +browsers O +CosmicDuke S-MAL +may O +use O +HTTP S-PROT +, O +HTTPS S-PROT +, O +FTP S-PROT +or O +WebDav S-PROT +to O +exfiltrate O +the O +collected O +data O +to O +a O +hardcoded O +C&C S-TOOL +server O +. O + +While O +we O +believe O +CosmicDuke S-MAL +to O +be O +an O +entirely O +custom- O +written O +toolset O +with O +no O +direct O +sharing O +of O +code O +with O +other O +Duke S-APT +toolsets O +, O +the O +high-level O +ways O +in O +which O +many O +of O +its O +features O +have O +been O +implemented O +appear O +to O +be O +shared O +with O +other O +members O +of O +the O +Duke S-APT +arsenal O +. O + +Specifically O +, O +the O +techniques O +CosmicDuke S-MAL +uses O +to O +extract O +user O +credentials O +from O +targeted O +software O +and O +to O +detect O +the O +presence O +of O +analysis O +tools O +appear O +to O +be O +based O +on O +the O +techniques O +used O +by O +PinchDuke S-MAL +. O + +Likewise O +, O +many O +of O +CosmicDuke S-MAL +’s O +persistence O +components O +use O +techniques O +also O +used O +by O +components O +associated O +with O +GeminiDuke S-MAL +and O +CozyDuke S-MAL +. 
O + +In O +all O +of O +these O +cases O +, O +the O +techniques O +are O +the O +same O +, O +but O +the O +code O +itself O +has O +been O +altered O +to O +work O +with O +the O +toolset O +in O +question O +, O +leading O +to O +small O +differences O +in O +the O +final O +implementation O +. O + +A O +few O +of O +the O +CosmicDuke S-MAL +samples O +we O +discovered O +also O +included O +components O +that O +attempt O +to O +exploit O +either O +of O +the O +publicly O +known O +CVE-2010-0232 S-VULID +or O +CVE-2010- B-VULID +4398 E-VULID +privilege O +escalation O +vulnerabilities O +. O + +In O +the O +case O +of O +CVE-2010-0232 S-VULID +, O +the O +exploit O +appears O +to O +be O +based O +directly O +on O +the O +proof O +of O +concept O +code O +published O +by O +security O +researcher O +Tavis O +Ormandy O +when O +he O +disclosed O +the O +vulnerability O +. O + +We O +believe O +that O +the O +exploit O +for O +CVE- B-VULID +2010-4398 E-VULID +was O +also O +based O +on O +a O +publicly O +available O +proof O +of O +concept O +. O + +In O +addition O +to O +often O +embedding O +persistence O +or O +privilege O +escalation O +components O +, O +CosmicDuke S-MAL +has O +occasionally O +embedded O +PinchDuke S-MAL +, O +GeminiDuke S-MAL +, O +or O +MiniDuke S-MAL +components O +. O + +It O +should O +be O +noted O +that O +CosmicDuke S-MAL +does O +not O +interoperate O +with O +the O +second O +, O +embedded O +malware O +in O +any O +way O +other O +than O +by O +writing O +the O +malware O +to O +disk O +and O +executing O +it O +. O + +After O +that O +, O +CosmicDuke S-MAL +and O +the O +second O +malware O +operate O +entirely O +independently O +of O +each O +other O +, O +including O +separately O +contacting O +their O +C&C S-TOOL +servers O +. O + +Sometimes O +, O +both O +malware O +have O +used O +the O +same O +C&C S-TOOL +server O +, O +but O +in O +other O +cases O +, O +even O +the O +servers O +have O +been O +different O +. 
O + +Finally O +, O +it O +is O +worth O +noting O +that O +while O +most O +of O +the O +compilation O +timestamps O +for O +CosmicDuke S-MAL +samples O +appear O +to O +be O +authentic O +, O +we O +are O +aware O +of O +a O +few O +cases O +of O +them O +being O +forged O +. O + +One O +such O +case O +was O +detailed O +on O +page O +10 O +as O +an O +apparent O +evasion O +attempt O +. O + +Another O +is O +a O +loader S-TOOL +variant O +seen O +during O +the O +spring B-TIME +of I-TIME +2010 E-TIME +in O +conjunction O +with O +both O +CosmicDuke S-MAL +and O +PinchDuke S-MAL +. O + +These O +loader S-TOOL +samples O +all O +had O +compilation O +timestamps O +purporting O +to O +be O +from O +the O +24th B-TIME +or I-TIME +the I-TIME +25th I-TIME +of I-TIME +September I-TIME +, I-TIME +2001 E-TIME +. O + +However O +, O +many O +of O +these O +loader O +samples O +embed O +CosmicDuke S-MAL +variants O +that O +exploit O +the O +CVE-2010- B-VULID +0232 E-VULID +privilege O +escalation O +vulnerability O +thus O +making O +it O +impossible O +for O +the O +compilation O +timestamps O +to O +be O +authentic O +. O + +MINIDUKE S-MAL +: O +First O +known O +activity O +Loader O +July B-TIME +2010 E-TIME +, O +Backdoor O +May B-TIME +2011 E-TIME +Most O +recent O +known O +activity O +Loader O +: O +Spring B-TIME +2015 E-TIME +, O +Backdoor O +: O +Summer B-TIME +2014 E-TIME +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +Twitter S-TOOL +, O +Known O +toolset O +components O +Downloader S-TOOL +, O +Backdoor S-TOOL +, O +Loader S-TOOL +. O + +The O +MiniDuke S-MAL +toolset O +consists O +of O +multiple O +downloader O +and O +backdoor O +components O +, O +which O +are O +commonly O +referred O +to O +as O +the O +MiniDuke S-MAL +“ O +stage O +1 O +” O +, O +“ O +stage O +2 O +” O +, O +and O +“ O +stage O +3 O +” O +components O +as O +per O +Kaspersky O +’s O +original O +MiniDuke S-MAL +whitepaper O +. 
O + +Additionally O +, O +a O +specific O +loader S-TOOL +is O +often O +associated O +with O +the O +MiniDuke S-MAL +toolset O +and O +is O +referred O +to O +as O +the O +“ O +MiniDuke S-MAL +loader S-TOOL +” O +. O + +While O +the O +loader S-TOOL +has O +often O +been O +used O +together O +with O +other O +MiniDuke S-MAL +components O +, O +it O +has O +also O +commonly O +been O +used O +in O +conjunction O +with O +CosmicDuke S-MAL +and O +PinchDuke S-MAL +. O + +In O +fact O +, O +the O +oldest O +samples O +of O +the O +loader S-TOOL +that O +we O +have O +found O +were O +used O +with O +PinchDuke S-MAL +. O + +To O +avoid O +confusion O +however O +, O +we O +have O +decided O +to O +continue O +referring O +to O +the O +loader S-TOOL +as O +the O +“ O +MiniDuke S-MAL +loader S-TOOL +” O +. O + +Two O +details O +about O +MiniDuke S-MAL +components O +are O +worth O +noting O +. O + +Firstly O +, O +some O +of O +the O +MiniDuke S-MAL +components O +were O +written O +in O +Assembly S-TOOL +language O +. O + +While O +many O +malware O +were O +written O +in O +Assembly S-TOOL +during O +the O +‘ O +old O +days O +‘ O +of O +curiosity-driven O +virus O +writing O +, O +it O +has O +since O +become O +a O +rarity O +. O + +Secondly O +, O +some O +of O +the O +MiniDuke S-MAL +components O +do O +not O +contain O +a O +hardcoded O +C&C S-TOOL +server O +address O +, O +but O +instead O +obtain O +the O +address O +of O +a O +current O +C&C S-TOOL +server O +via O +Twitter S-TOOL +. O + +The O +use O +of O +Twitter S-TOOL +either O +to O +initially O +obtain O +the O +address O +of O +a O +C&C S-TOOL +server O +( O +or O +as O +a O +backup O +if O +no O +hardcoded O +primary O +C&C S-TOOL +server O +responds O +) O +is O +a O +feature O +also O +found O +in O +OnionDuke S-MAL +, O +CozyDuke S-MAL +, O +and O +HammerDuke S-MAL +. 
O + +COZYDUKE S-MAL +: O +First O +known O +activity O +January B-TIME +2010 E-TIME +, O +Most O +recent O +known O +activity O +: O +Spring B-TIME +2015 E-TIME +, O +Other O +names O +CozyBear S-MAL +, O +CozyCar S-MAL +, O +Cozer S-MAL +, O +EuroAPT S-MAL +, O +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +Twitter S-TOOL +( O +backup O +) O +, O +Known O +toolset O +components O +Dropper S-TOOL +, O +Modular S-TOOL +backdoor O +, O +Multiple O +persistence O +components O +, O +Information O +gathering O +module O +, O +Screenshot O +module O +, O +Password O +stealing O +module O +, O +Password O +hash O +stealing O +module O +. O + +CozyDuke S-MAL +is O +not O +simply O +a O +malware O +toolset O +; O +rather O +, O +it O +is O +a O +modular O +malware O +platform O +formed O +around O +a O +core O +backdoor S-TOOL +component O +. O + +This O +component O +can O +be O +instructed O +by O +the O +C&C S-TOOL +server O +to O +download O +and O +execute O +arbitrary O +modules O +, O +and O +it O +is O +these O +modules O +that O +provide O +CozyDuke S-MAL +with O +its O +vast O +array O +of O +functionality O +. O + +Known O +CozyDuke S-MAL +modules O +include O +: O +Command O +execution O +module O +for O +executing O +arbitrary O +Windows S-OS +Command B-TOOL +Prompt E-TOOL +commands O +, O +Password B-TOOL +stealer E-TOOL +module O +, O +NT B-TOOL +LAN I-TOOL +Manager E-TOOL +( O +NTLM S-TOOL +) O +hash B-TOOL +stealer E-TOOL +module O +, O +System O +information O +gathering O +module O +, O +Screenshot O +module O +. O + +In O +addition O +to O +modules O +, O +CozyDuke S-MAL +can O +also O +be O +instructed O +to O +download O +and O +execute O +other O +, O +independent O +executables O +. 
O + +In O +some O +observed O +cases O +, O +these O +executables O +were O +self-extracting O +archive O +files O +containing O +common O +hacking O +tools O +, O +such O +as O +PSExec S-TOOL +and O +Mimikatz S-TOOL +, O +combined O +with O +script O +files O +that O +execute O +these O +tools O +. O + +In O +other O +cases O +, O +CozyDuke S-MAL +has O +been O +observed O +downloading O +and O +executing O +tools O +from O +other O +toolsets O +used O +by O +the O +Dukes S-APT +such O +as O +OnionDuke S-MAL +, O +SeaDuke S-MAL +, O +and O +HammerDuke S-MAL +. O + +ONIONDUKE S-MAL +: O +First O +known O +activity O +February B-TIME +2013 E-TIME +, O +Most O +recent O +known O +activity O +Spring B-TIME +2015 E-TIME +, O +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +Twitter S-TOOL +( O +backup O +) O +, O +Known O +toolset O +components O +Dropper S-TOOL +, O +Loader S-TOOL +, O +Multiple B-TOOL +modular E-TOOL +core O +components O +, O +Information B-TOOL +stealer E-TOOL +, O +Distributed B-TOOL +Denial I-TOOL +of I-TOOL +Service E-TOOL +( O +DDoS S-TOOL +) O +module O +, O +Password O +stealing O +module O +, O +Information O +gathering O +module O +, O +Social O +network O +spamming O +module O +. O + +The O +OnionDuke S-MAL +toolset O +includes O +at O +least O +a O +dropper S-TOOL +, O +a O +loader S-TOOL +, O +an O +information B-TOOL +stealer E-TOOL +Trojan S-MAL +and O +multiple B-TOOL +modular E-TOOL +variants O +with O +associated O +modules O +. O + +OnionDuke S-MAL +first O +caught O +our O +attention O +because O +it O +was O +being O +spread O +via O +a O +malicious O +Tor S-TOOL +exit O +node O +. O + +The O +Tor S-TOOL +node O +would O +intercept O +any O +unencrypted O +executable O +files O +being O +downloaded O +and O +modify O +those O +executables O +by O +adding O +a O +malicious O +wrapper O +contained O +an O +embedded O +OnionDuke S-MAL +. 
O + +Once O +the O +victim O +finished O +downloading O +the O +file O +and O +executed O +it O +, O +the O +wrapper O +would O +infect O +the O +victim O +’s O +computer O +with O +OnionDuke S-MAL +before O +executing O +the O +original O +legitimate O +executable O +. O + +The O +same O +wrapper O +has O +also O +been O +used O +to O +wrap O +legitimate O +executable O +files O +, O +which O +were O +then O +made O +available O +for O +users O +to O +download O +from O +torrent O +sites O +. O + +Again O +, O +if O +a O +victim O +downloaded O +a O +torrent O +containing O +a O +wrapped O +executable O +, O +they O +would O +get O +infected O +with O +OnionDuke S-MAL +. O + +Finally O +, O +we O +have O +also O +observed O +victims O +being O +infected O +with O +OnionDuke S-MAL +after O +they O +were O +already O +infected O +with O +CozyDuke S-MAL +. O + +In O +these O +cases O +, O +CozyDuke S-MAL +was O +instructed O +by O +its O +C&C S-TOOL +server O +to O +download O +and O +execute O +OnionDuke S-MAL +toolset O +. O + +SEADUKE S-MAL +: O +First O +known O +activity O +October B-TIME +2014 E-TIME +, O +Most O +recent O +known O +activity O +Spring B-TIME +2015 E-TIME +, O +Other O +names O +SeaDaddy S-MAL +, O +SeaDask S-MAL +, O +C&C S-MAL +communication O +methods O +HTTP(S) S-PROT +, O +Known O +toolset O +components O +Backdoor O +. O + +SeaDuke S-MAL +is O +a O +simple O +backdoor O +that O +focuses O +on O +executing O +commands O +retrieved O +from O +its O +C&C S-TOOL +server O +, O +such O +as O +uploading O +and O +downloading O +files O +, O +executing O +system O +commands O +and O +evaluating O +additional O +Python S-TOOL +code O +. O + +SeaDuke S-MAL +is O +made O +interesting O +by O +the O +fact O +that O +it O +is O +written O +in O +Python S-TOOL +and O +designed O +to O +be O +cross-platform O +so O +that O +it O +works O +on O +both O +Windows S-OS +and O +Linux S-OS +. 
O + +The O +only O +known O +infection O +vector O +for O +SeaDuke S-MAL +is O +via O +an O +existing O +CozyDuke S-MAL +infection O +, O +wherein O +CozyDuke S-MAL +downloads O +and O +executes O +the O +SeaDuke S-MAL +toolset O +. O + +Like O +HammerDuke S-MAL +, O +SeaDuke S-MAL +appears O +to O +be O +used O +by O +the O +Dukes S-APT +group O +primarily O +as O +a O +secondary O +backdoor O +left O +on O +CozyDuke S-MAL +victims O +after O +that O +toolset O +has O +completed O +the O +initial O +infection O +and O +stolen O +any O +readily O +available O +information O +from O +them O +. O + +HAMMERDUKE S-MAL +: O +First O +known O +activity O +January B-TIME +2015 E-TIME +, O +Most O +recent O +known O +activity O +Summer B-TIME +2015 E-TIME +, O +Other O +names O +HAMMERTOSS S-MAL +, O +Netduke S-MAL +, O +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +Twitter S-TOOL +, O +Known O +toolset O +components O +Backdoor O +. O + +HammerDuke S-MAL +is O +a O +simple O +backdoor O +that O +is O +apparently O +designed O +for O +similar O +use O +cases O +as O +SeaDuke S-MAL +. O + +Specifically O +, O +the O +only O +known O +infection O +vector O +for O +HammerDuke S-MAL +is O +to O +be O +downloaded O +and O +executed O +by O +CozyDuke S-MAL +onto O +a O +victim O +that O +has O +already O +been O +compromised O +by O +that O +toolset O +. O + +This O +, O +together O +with O +HammerDuke S-MAL +’s O +simplistic O +backdoor O +functionality O +, O +suggests O +that O +it O +is O +primarily O +used O +by O +the O +Dukes S-APT +group O +as O +a O +secondary O +backdoor O +left O +on O +CozyDuke S-MAL +victims O +after O +CozyDuke S-MAL +performed O +the O +initial O +infection O +and O +stole O +any O +readily O +available O +information O +from O +them O +. 
O + +HammerDuke S-MAL +is O +however O +interesting O +because O +it O +is O +written O +in O +.NET S-TOOL +, O +and O +even O +more O +so O +because O +of O +its O +occasional O +use O +of O +Twitter S-TOOL +as O +a O +C&C S-APT +communication O +channel O +. O + +Some O +HammerDuke S-MAL +variants O +only O +contain O +a O +hardcoded O +C&C S-TOOL +server O +address O +from O +which O +they O +will O +retrieve O +commands O +, O +but O +other O +HammerDuke S-MAL +variants O +will O +first O +use O +a O +custom O +algorithm O +to O +generate O +a O +Twitter S-TOOL +account O +name O +based O +on O +the O +current O +date O +. O + +If O +the O +account O +exists O +, O +HammerDuke S-MAL +will O +then O +search O +for O +tweets O +from O +that O +account O +with O +links O +to O +image O +files O +that O +contain O +embedded O +commands O +for O +the O +toolset O +to O +execute O +. O + +HammerDuke S-MAL +’s O +use O +of O +Twitter S-TOOL +and O +crafted O +image O +files O +is O +reminiscent O +of O +other O +Duke S-APT +toolsets O +. O + +Both O +OnionDuke S-MAL +and O +MiniDuke S-MAL +also O +use O +date-based O +algorithms O +to O +generate O +Twitter S-TOOL +account O +names O +and O +then O +searched O +for O +any O +tweets O +from O +those O +accounts O +that O +linked O +to O +image O +files O +. O + +In O +contrast O +however O +, O +for O +OnionDuke S-MAL +and O +MiniDuke S-MAL +the O +linked O +image O +files O +contain O +embedded O +malware O +to O +be O +downloaded O +and O +executed O +, O +rather O +than O +instructions O +. O + +Similarly O +, O +GeminiDuke S-MAL +may O +also O +download O +image O +files O +, O +but O +these O +would O +contain O +embedded O +additional O +configuration O +information O +for O +the O +toolset O +itself O +. 
O + +Unlike O +HammerDuke S-MAL +however O +, O +the O +URLs O +for O +the O +images O +downloaded O +by O +GeminiDuke S-MAL +are O +hardcoded O +in O +its O +initial O +configuration O +, O +rather O +than O +retrieved O +from O +Twitter S-TOOL +. O + +CLOUDDUKE S-MAL +: O +First O +known O +activity O +June B-TIME +2015 E-TIME +, O +Most O +recent O +known O +activity O +Summer B-TIME +2015 E-TIME +, O +Other O +names O +MiniDionis S-MAL +, O +CloudLook S-MAL +, O +C&C S-TOOL +communication O +methods O +HTTP(S) S-PROT +, O +Microsoft S-IDTY +OneDrive S-TOOL +, O +Known O +toolset O +components O +Downloader S-TOOL +, O +Loader S-TOOL +, O +Two O +backdoor O +variants O +. O + +CloudDuke S-MAL +is O +a O +malware O +toolset O +known O +to O +consist O +of O +, O +at O +least O +, O +a O +downloader S-TOOL +, O +a O +loader S-TOOL +and O +two O +backdoor O +variants O +. O + +The O +CloudDuke S-MAL +downloader S-TOOL +will O +download O +and O +execute O +additional O +malware O +from O +a O +preconfigured O +location O +. O + +Interestingly O +, O +that O +location O +may O +be O +either O +a O +web O +address O +or O +a O +Microsoft S-IDTY +OneDrive S-TOOL +account O +. O + +Both O +CloudDuke B-MAL +backdoor E-MAL +variants O +support O +simple O +backdoor O +functionality O +, O +similar O +to O +SeaDuke S-MAL +. O + +While O +one O +variant O +will O +use O +a O +preconfigured O +C&C S-TOOL +server O +over O +HTTP S-PROT +or O +HTTPS S-PROT +, O +the O +other O +variant O +will O +use O +a O +Microsoft S-IDTY +OneDrive S-TOOL +account O +to O +exchange O +commands O +and O +stolen O +data O +with O +its O +operators O +. O + + +THE O +DUKES S-APT +7 O +YEARS O +OF O +RUSSIAN O +CYBER O +ESPIONAGE O +. O + +The O +Dukes S-APT +primarily O +use O +spear-phishing S-ACT +emails S-TOOL +when O +attempting O +to O +infect O +victims O +with O +their O +malware O +. 
O + +These O +spear-phishing S-ACT +emails S-TOOL +range O +from O +ones O +purposely O +designed O +to O +look O +like O +spam O +messages O +used O +to O +spread O +common O +crimeware O +and O +addressed O +to O +large O +numbers O +of O +people O +, O +to O +highly O +targeted O +emails S-TOOL +addressed O +to O +only O +a O +few O +recipients O +( O +or O +even O +just O +one O +person O +) O +and O +with O +content O +that O +is O +highly O +relevant O +for O +the O +intended O +recipient O +. O + +In O +some O +cases O +, O +the O +Dukes S-APT +appear O +to O +have O +used O +previously O +compromised O +victims O +to O +send O +new O +spear-phishing S-ACT +emails S-TOOL +to O +other O +targets O +. O + +The O +spear-phishing S-ACT +emails S-TOOL +used O +by O +the O +Dukes S-APT +may O +contain O +either O +specially-crafted O +malicious O +attachments O +or O +links O +to O +URLs O +hosting O +the O +malware O +. O + +When O +malicious O +attachments O +are O +used O +, O +they O +may O +either O +be O +designed O +to O +exploit O +a O +vulnerability O +in O +a O +popular O +software O +assumed O +to O +be O +installed O +on O +the O +victim O +’s O +machine O +, O +such O +as O +Microsoft S-IDTY +Word S-TOOL +or O +Adobe B-TOOL +Reader E-TOOL +, O +or O +the O +attachment O +itself O +may O +have O +its O +icon O +and O +filename O +obfuscated O +in O +such O +a O +way O +that O +the O +file O +does O +not O +appear O +to O +be O +an O +executable O +. O + +The O +only O +instances O +which O +we O +are O +aware O +of O +where O +the O +Dukes S-APT +did O +not O +use O +spear-phishing S-ACT +as O +the O +initial O +infection O +vector O +is O +with O +certain O +OnionDuke S-MAL +variants O +. 
O + +These O +were O +instead O +spread O +using O +either O +a O +malicious O +Tor S-TOOL +node O +that O +would O +trojanize O +legitimate O +applications O +on-the-fly O +with O +the O +OnionDuke S-MAL +toolset O +, O +or O +via O +torrent O +files O +containing O +previously O +trojanized O +versions O +of O +legitimate O +applications O +. O + +Finally O +, O +it O +is O +worth O +noting O +that O +the O +Dukes S-APT +are O +known O +to O +sometimes O +re-infect O +a O +victim O +of O +one O +of O +their O +malware O +tools O +with O +another O +one O +of O +their O +tools O +. O + +Examples O +include O +CozyDuke S-MAL +infecting O +its O +victims O +with O +SeaDuke S-MAL +, O +HammerDuke S-MAL +,or O +OnionDuke S-MAL +; O +and O +CosmicDuke S-MAL +infecting O +its O +victims O +with O +PinchDuke S-MAL +,GeminiDuke S-MAL +or O +MiniDuke S-MAL +. O + +The O +Dukes S-APT +have O +employed O +exploits O +both O +in O +their O +infection O +vectors O +as O +well O +as O +in O +their O +malware O +. O + +We O +are O +however O +only O +aware O +of O +one O +instance O +- O +the O +exploitation O +of O +CVE-2013-0640 S-VULID +to O +deploy O +MiniDuke S-MAL +- O +where O +we O +believe O +the O +exploited O +vulnerability O +was O +a O +zero-day S-VULNAME +at O +the O +time O +that O +the O +group O +acquired O +the O +exploit O +. O + +In O +all O +known O +cases O +where O +exploits O +were O +employed O +, O +we O +believe O +the O +Dukes S-APT +did O +not O +themselves O +discover O +the O +vulnerabilities O +or O +design O +the O +original O +exploits O +; O +for O +the O +exploited O +zero-day S-VULNAME +, O +we O +believe O +the O +Dukes S-APT +purchased O +the O +exploit O +. O + +In O +all O +other O +cases O +, O +we O +believe O +the O +group O +simply O +repurposed O +publicly O +available O +exploits O +or O +proofs O +of O +concept O +. 
O + +Attribution O +is O +always O +a O +difficult O +question O +, O +but O +attempting O +to O +answer O +it O +is O +important O +in O +understanding O +these O +types O +of O +threats O +and O +how O +to O +defend O +against O +them O +. O + +This O +paper O +has O +already O +stated O +that O +we O +believe O +the O +Dukes S-APT +to O +be O +a O +Russian O +state-sponsored O +cyberespionage B-ACT +operation E-ACT +. O + +To O +reach O +this O +conclusion O +, O +we O +began O +by O +analyzing O +the O +apparent O +objectives O +and O +motivations O +of O +the O +group O +. O + +Based O +on O +what O +we O +currently O +know O +about O +the O +targets O +chosen O +by O +the O +Dukes S-APT +over O +the O +past O +7 O +years O +, O +they O +appear O +to O +have O +consistently O +targeted O +entities O +that O +deal O +with O +foreign O +policy O +and O +security O +policy O +matters O +. O + +These O +targets O +have O +included O +organizations O +such O +as O +ministries O +of O +foreign O +affairs O +, O +embassies O +, O +senates O +, O +parliaments O +, O +ministries O +of O +defense O +, O +defense O +contractors O +, O +and O +think O +tanks O +. O + +In O +one O +of O +their O +more O +intriguing O +cases O +, O +the O +Dukes S-APT +have O +appeared O +to O +also O +target O +entities O +involved O +in O +the O +trafficking O +of O +illegal O +drugs O +. O + +Even O +such O +targets O +however O +appear O +to O +be O +consistent O +with O +the O +overarching O +theme O +, O +given O +the O +drug O +trade O +’s O +relevance O +to O +security O +policy O +. O + +Based O +on O +this O +, O +we O +are O +confident O +in O +our O +conclusion O +that O +the O +Dukes S-APT +’ O +primary O +mission O +is O +the O +collection O +of O +intelligence O +to O +support O +foreign O +and O +security O +policy O +decision-making O +. 
O + +Based O +on O +the O +length O +of O +the O +Dukes S-APT +’ O +activity O +, O +our O +estimate O +of O +the O +amount O +of O +resources O +invested O +in O +the O +operation O +and O +the O +fact O +that O +their O +activity O +only O +appears O +to O +be O +increasing O +, O +we O +believe O +the O +group O +to O +have O +significant O +and O +most O +critically O +, O +stable O +financial O +backing O +. O + +The O +Dukes S-APT +have O +consistently O +operated O +large-scale O +campaigns O +against O +high-profile O +targets O +while O +concurrently O +engaging O +in O +smaller O +, O +more O +targeted O +campaigns O +with O +apparent O +coordination O +and O +no O +evidence O +of O +unintentional O +overlap O +or O +operational O +clashes O +. O + +We O +therefore O +believe O +the O +Dukes S-APT +to O +be O +a O +single O +, O +large O +, O +wellcoordinated O +organization O +with O +clear O +separation O +of O +responsibilities O +and O +targets O +. O + +The O +Dukes S-APT +appear O +to O +prioritize O +the O +continuation O +of O +their O +operations O +over O +stealth O +. O + +Their O +2015 O +CozyDuke S-MAL +and O +CloudDuke S-MAL +campaigns O +take O +this O +to O +the O +extreme O +by O +apparently O +opting O +for O +speed O +and O +quantity O +over O +stealth O +and O +quality O +. O + +In O +the O +most O +extreme O +case O +, O +the O +Dukes S-APT +continued O +with O +their O +July B-TIME +2015 E-TIME +CloudDuke S-MAL +campaign O +even O +after O +their O +activity O +had O +been O +outed O +by O +multiple O +security O +vendors O +. O + +We O +therefore O +believe O +the O +Dukes S-APT +’ O +primary O +mission O +to O +be O +so O +valuable O +to O +their O +benefactors O +that O +its O +continuation O +outweighs O +everything O +else O +. 
O + +This O +apparent O +disregard O +for O +publicity O +suggests O +, O +in O +our O +opinion O +, O +that O +the O +benefactors O +of O +the O +Dukes S-APT +is O +so O +powerful O +and O +so O +tightly O +connected O +to O +the O +group O +that O +the O +Dukes S-APT +are O +able O +to O +operate O +with O +no O +apparent O +fear O +of O +repercussions O +on O +getting O +caught O +. O + +We O +believe O +the O +only O +benefactor O +with O +the O +power O +to O +offer O +such O +comprehensive O +protection O +would O +be O +the O +government O +of O +the O +nation O +from O +which O +the O +group O +operates O +. O + +We O +therefore O +believe O +the O +Dukes S-APT +to O +work O +either O +within O +or O +directly O +for O +a O +government O +, O +thus O +ruling O +out O +the O +possibility O +of O +a O +criminal O +gang O +or O +another O +third O +party O +. O + +Kaspersky B-SECTEAM +Labs E-SECTEAM +has O +previously O +noted O +the O +presence O +of O +Russian-language O +artefacts O +in O +some O +of O +the O +Duke S-APT +malware O +samples O +. O + +We O +have O +also O +found O +a O +Russian-language O +error O +message O +in O +many O +PinchDuke S-MAL +samples O +which O +translates O +as O +, O +“ O +There O +is O +an O +error O +in O +the O +module O +’s O +name O +! O +The O +length O +of O +the O +data O +section O +name O +must O +be O +4 O +bytes! O +” O +Additionally O +, O +Kaspersky S-SECTEAM +noted O +that O +based O +on O +the O +compilation O +timestamps O +, O +the O +authors O +of O +the O +Duke S-APT +malware O +appear O +to O +primarily O +work O +from O +Monday S-TIME +to O +Friday S-TIME +between O +the O +times O +of O +6am S-TIME +and O +4pm S-TIME +UTC+0 O +. 
O + +This O +corresponds O +to O +working O +hours O +between O +9am S-TIME +and O +7pm S-TIME +in O +the O +UTC+3 O +time O +zone O +, O +also O +known O +as O +Moscow S-TIME +Standard B-TOOL +Time E-TOOL +, O +which O +covers O +, O +among O +others O +, O +much O +of O +western O +Russia S-LOC +, O +including O +Moscow S-LOC +and O +St. B-LOC +Petersburg E-LOC +. O + +The O +Kaspersky B-SECTEAM +Labs E-SECTEAM +analysis O +of O +the O +Duke S-APT +malware O +authors O +’ O +working O +times O +is O +supported O +by O +our O +own O +analysis O +, O +as O +well O +as O +that O +performed O +by O +FireEye S-SECTEAM +. O + +This O +assertion O +of O +time O +zone O +is O +also O +supported O +by O +timestamps O +found O +in O +many O +GeminiDuke S-MAL +samples O +, O +which O +similarly O +suggest O +the O +group O +work O +in O +the O +Moscow S-LOC +Standard B-TOOL +Time E-TOOL +timezone O +, O +as O +further O +detailed O +in O +the O +section O +on O +the O +technical O +analysis O +of O +GeminiDuke S-MAL +. O + +Finally O +, O +the O +known O +targets O +of O +the O +Dukes S-APT +- O +Eastern O +European O +foreign O +ministries O +, O +western O +think O +tanks O +and O +governmental O +organizations O +, O +even O +Russian-speaking O +drug O +dealers O +- O +conform O +to O +publiclyknown O +Russian O +foreign O +policy O +and O +security O +policy O +interests O +. O + +Even O +though O +the O +Dukes S-APT +appear O +to O +have O +targeted O +governments O +all O +over O +the O +world O +, O +we O +are O +unaware O +of O +them O +ever O +targeting O +the O +Russian O +government O +. O + +While O +absence O +of O +evidence O +is O +not O +evidence O +of O +absence O +, O +it O +is O +an O +interesting O +detail O +to O +note O +. O + + +Threat O +Actor O +Profile O +: O +TA505 S-APT +, O +From O +Dridex S-MAL +to O +GlobeImposter S-MAL +. 
O + +Proofpoint S-SECTEAM +researchers O +track O +a O +wide O +range O +of O +threat O +actors O +involved O +in O +both O +financially O +motivated O +cybercrime O +and O +state-sponsored O +actions O +. O + +One O +of O +the O +more O +prolific O +actors O +that O +we O +track O +- O +referred O +to O +as O +TA505 S-APT +- O +is O +responsible O +for O +the O +largest O +malicious O +spam O +campaigns O +we O +have O +ever O +observed O +, O +distributing O +instances O +of O +the O +Dridex S-MAL +banking O +Trojan S-MAL +, O +Locky S-MAL +ransomware O +, O +Jaff S-MAL +ransomware O +, O +The O +Trick S-MAL +banking O +Trojan S-MAL +, O +and O +several O +others O +in O +very O +high O +volumes O +. O + +Because O +TA505 S-APT +is O +such O +a O +significant O +part O +of O +the O +email S-TOOL +threat O +landscape O +, O +this O +blog O +provides O +a O +retrospective O +on O +the O +shifting O +malware O +, O +payloads O +, O +and O +campaigns O +associated O +with O +this O +actor O +. O + +We O +examine O +their O +use O +malware O +such O +as O +Jaff S-MAL +, O +Bart S-MAL +, O +and O +Rockloader S-MAL +that O +appear O +to O +be O +exclusive O +to O +this O +group O +as O +well O +as O +more O +widely O +distributed O +malware O +like O +Dridex S-MAL +and O +Pony S-MAL +. O + +Where O +possible O +, O +we O +detail O +the O +affiliate O +models O +with O +which O +they O +are O +involved O +and O +outline O +the O +current O +state O +of O +TA505 S-APT +campaigns O +. O + +The O +infographic O +in O +Figure O +1 O +traces O +the O +earliest O +known O +dates O +on O +which O +TA505 S-APT +began O +distributing O +particular O +malware O +strains O +, O +beginning O +with O +Dridex S-MAL +in O +2014 S-TIME +and O +most O +recently O +when O +they O +elevated O +GlobeImposter S-MAL +and O +Philadelphia S-MAL +from O +small O +, O +regionally O +targeted O +ransomware O +variants O +to O +global O +threats O +. 
O + +Of O +note O +is O +TA505 S-APT +’s O +use O +of O +the O +Necurs S-MAL +botnet O +to O +drive O +their O +massive O +spam O +campaigns O +. O + +As O +we O +saw O +in O +both O +2016 S-TIME +and O +2017 S-TIME +, O +disruptions O +to O +Necurs S-MAL +went O +hand-in-hand O +with O +quiet O +periods O +from O +TA505 S-APT +. O + +When O +the O +botnet O +came O +back O +online O +, O +TA505 S-APT +campaigns O +quickly O +returned O +, O +usually O +at O +even O +greater O +scale O +than O +before O +the O +disruption O +. O + +The O +following O +is O +a O +more O +detailed O +description O +of O +the O +malware O +and O +notable O +campaign O +attributes O +associated O +with O +TA505 S-APT +. O + +The O +now O +infamous O +Dridex S-MAL +banking O +Trojan S-MAL +can O +trace O +much O +of O +its O +DNA O +to O +Cridex S-MAL +and O +Bugat S-MAL +. O + +Dridex S-MAL +itself O +appeared O +shortly O +after O +the O +Zeus S-MAL +banking O +Trojan S-MAL +was O +taken O +down O +. O + +It O +was O +originally O +documented O +on O +July B-TIME +25 I-TIME +, I-TIME +2014 E-TIME +( O +or O +June B-TIME +22 I-TIME +, I-TIME +2014 E-TIME +, O +according O +to O +Kaspersky S-SECTEAM +) O +and O +the O +first O +campaign O +we O +observed O +in O +which O +TA505 S-APT +distributed O +Dridex S-MAL +occurred O +three O +days O +later O +on O +July B-TIME +28 E-TIME +. O + +Although O +a O +number O +of O +actors O +have O +distributed O +Dridex S-MAL +, O +TA505 S-APT +operates O +multiple O +affiliate O +IDs O +, O +including O +what O +appears O +to O +be O +the O +earliest O +recorded O +affiliate O +, O +botnet O +ID O +125 O +. O + +These O +early O +campaigns O +were O +distributed O +via O +the O +Lerspeng S-MAL +downloader S-TOOL +while O +later O +campaigns O +occasionally O +used O +Pony S-MAL +or O +Andromeda S-MAL +as O +intermediate O +loaders O +to O +distribute O +various O +instances O +of O +Dridex S-MAL +. 
O + +Although O +TA505 S-APT +initially O +distributed O +Dridex S-MAL +botnet O +ID O +125 O +, O +they O +were O +observed O +using O +botnet O +ID O +220 O +in O +March B-TIME +2015 E-TIME +and O +botnet O +ID O +223 O +in O +December B-TIME +of I-TIME +that I-TIME +year E-TIME +. O + +Later O +, O +they O +were O +also O +associated O +with O +botnet O +IDs O +7200 O +and O +7500 O +. O + +These O +botnets O +generally O +target O +the O +following O +regions O +: O + +125: O +UK S-LOC +, O +US S-LOC +, O +and O +Canada S-LOC +220: O +UK S-LOC +and O +Australia S-LOC +223: O +Germany S-LOC +7200: O +UK S-LOC +7500: O +Australia S-LOC +. O + +TA505 S-APT +continued O +distributing O +Dridex S-MAL +through O +early B-TIME +June I-TIME +2017 E-TIME +using O +a O +range O +of O +email S-TOOL +attachments O +. O + +Most O +recently O +these O +included O +PDF S-TOOL +attachments O +with O +embedded O +Microsoft S-IDTY +Word S-TOOL +documents O +bearing O +malicious O +macros S-TOOL +that O +call O +PowerShell S-TOOL +commands O +that O +install O +Dridex S-MAL +. O + +However O +, O +because O +of O +the O +length O +of O +time O +for O +which O +the O +group O +has O +been O +distributing O +Dridex S-MAL +, O +distribution O +mechanisms O +trace O +the O +state O +of O +the O +art O +for O +the O +last O +two O +years O +of O +email S-TOOL +campaigns O +with O +techniques O +ranging O +from O +straight O +macro S-TOOL +documents O +to O +a O +variety O +of O +zipped S-TOOL +scripts O +. O + +In O +October B-TIME +2015 E-TIME +, O +we O +observed O +several O +campaigns O +in O +which O +TA505 S-APT +targeted O +Japanese O +and O +UK S-LOC +organizations O +with O +the O +Shifu S-MAL +banking O +Trojan S-MAL +. O + +Shifu S-MAL +is O +relatively O +common O +in O +Japan S-LOC +but O +was O +a O +new O +addition O +to O +TA505 S-APT +’s O +toolbox O +. 
O + +It O +appears O +that O +they O +introduced O +Shifu S-MAL +after O +high-profile O +law O +enforcement O +actions O +impacted O +Dridex S-MAL +distribution O +. O + +However O +, O +TA505 S-APT +was O +also O +among O +the O +first O +actors O +to O +return O +to O +high-volume O +Dridex S-MAL +distribution O +this O +same O +month O +, O +even O +as O +they O +demonstrated O +their O +ability O +to O +diversify O +and O +deliver O +threats O +beyond O +Dridex S-MAL +. O + +As O +with O +many O +of O +their O +other O +campaigns O +, O +TA505 S-APT +delivered O +Shifu S-MAL +through O +macro S-TOOL +laden O +Microsoft S-IDTY +Office S-TOOL +document O +attachments O +. O + +TA505 S-APT +introduced O +Locky S-MAL +ransomware O +in O +February B-TIME +2016 E-TIME +. O + +After O +alternating O +for O +over O +four O +months O +with O +Dridex S-MAL +, O +Locky S-MAL +became O +the O +payload O +of O +choice O +for O +TA505 S-APT +, O +eclipsing O +earlier O +campaigns O +in O +terms O +of O +volume O +and O +reach O +. O + +TA505 S-APT +stopped O +distributing O +Dridex S-MAL +in O +July B-TIME +2016 E-TIME +, O +relying O +almost O +exclusively O +on O +Locky S-MAL +through O +December B-TIME +of I-TIME +that I-TIME +year E-TIME +. O + +Like O +Dridex S-MAL +, O +Locky S-MAL +is O +also O +distributed O +in O +an O +affiliate O +model O +; O +TA505 S-APT +exclusively O +distributes O +Locky S-MAL +Affid=3 O +. O + +Low-volume O +campaigns O +distributed O +Dridex S-MAL +during O +much B-TIME +of I-TIME +2015 E-TIME +Moderate O +volumes O +of O +Dridex S-MAL +appeared O +from O +the O +end B-TIME +of I-TIME +2015 I-TIME +through I-TIME +February I-TIME +2016 E-TIME +; O +it O +is O +worth O +noting O +that O +these O +“ O +moderate O +volume O +” O +campaigns O +were O +, O +at O +the O +time O +, O +the O +largest O +campaigns O +ever O +observed O +. 
O + +Alternating O +Dridex S-MAL +and O +Locky S-MAL +campaigns O +of O +varying O +volumes O +appeared O +through O +May B-TIME +2016 E-TIME +. O + +A O +lull O +in O +June B-TIME +2016 E-TIME +associated O +with O +a O +disruption O +in O +the O +Necurs S-MAL +botnet O +; O +TA505 S-APT +is O +heavily O +reliant O +on O +this O +massive O +botnet O +to O +send O +out O +high-volume O +malicious O +spam O +campaigns O +and O +disappearances O +of O +TA505 S-APT +activity O +frequently O +accompany O +disruptions O +in O +Necurs S-MAL +. O + +Extremely O +high-volume O +campaigns O +distributing O +Locky S-MAL +exclusively O +in O +July B-TIME +2016 E-TIME +, O +consistently O +delivering O +tens O +of O +millions O +of O +messages O +. O + +Another O +lull O +in O +November B-TIME +2016 E-TIME +saw O +the O +complete O +absence O +of O +Locky S-MAL +and O +Dridex S-MAL +, O +while O +high-volume O +campaigns O +reappeared O +in O +December S-TIME +, O +albeit O +at O +lower O +volumes O +than O +during O +the O +Q3 O +2016 S-TIME +peak O +. O + +An O +expected O +break O +following O +the O +2016-2017 B-TIME +winter E-TIME +holidays O +turned O +into O +an O +unexplained O +three-month O +hiatus O +for O +TA505 S-APT +. O + +Large-scale O +Dridex S-MAL +and O +Locky S-MAL +campaigns O +returned O +in O +Q2 O +2017 S-TIME +, O +although O +none O +reached O +the O +volumes O +we O +observed O +in O +mid-2016 S-TIME +. O + +Later O +campaigns O +saw O +new O +attachment O +types O +, O +even O +as O +Dridex S-MAL +and O +Locky S-MAL +payloads O +remained O +largely O +unchanged O +. O + +Locky S-MAL +distribution O +ceased O +in O +June S-TIME +and O +July S-TIME +but O +returned O +in O +August S-TIME +with O +volumes O +rivaling O +the O +peaks O +of O +2016 S-TIME +. 
O + +TA505 S-APT +turned O +to O +URLs O +in O +early O +August B-TIME +2017 E-TIME +to O +distribute O +Locky S-MAL +, O +finally O +eschewing O +the O +document O +or O +zipped S-TOOL +script O +attachments O +that O +have O +characterized O +the O +majority O +of O +their O +Locky S-MAL +campaigns O +since O +February B-TIME +2016 E-TIME +; O +most O +of O +these O +URLs O +linked O +to O +malicious O +documents O +and O +scripts O +. O + +By O +later O +August S-TIME +, O +TA505 S-APT +had O +turned O +back O +to O +large O +attachment O +campaigns O +, O +primarily O +distributing O +various O +zipped S-TOOL +scripts O +that O +downloaded O +Locky S-MAL +. O + +The O +group O +continued O +this O +pattern O +with O +occasional O +URL O +campaigns O +and O +attached O +HTML S-TOOL +files O +bearing O +malicious O +links O +. O + +TA505 S-APT +first O +introduced O +Rockloader S-MAL +in O +April B-TIME +2016 E-TIME +as O +an O +intermediate O +loader S-TOOL +for O +Locky S-MAL +. O + +At O +that O +time O +, O +Rockloader S-MAL +was O +the O +initial O +payload O +downloaded O +by O +malicious O +attached O +JavaScript S-TOOL +files O +. O + +Once O +Rockloader S-MAL +was O +installed O +, O +it O +downloaded O +Locky S-MAL +and O +, O +in O +some O +cases O +, O +Pony S-MAL +and O +Kegotip S-MAL +. O + +Pony S-MAL +is O +another O +loader S-TOOL +with O +information O +stealing O +capabilities O +while O +Kegotip S-MAL +is O +an O +credential O +and O +email S-TOOL +address O +harvesting O +malware O +strain O +that O +would O +appear O +in O +a O +small O +number O +of O +TA505 S-APT +campaigns O +the O +following O +year O +as O +the O +primary O +payload O +. O + +Bart S-MAL +ransomware O +appeared O +for O +exactly O +one O +day O +on O +June B-TIME +24 I-TIME +, I-TIME +2016 E-TIME +. 
O + +It O +was O +a O +secondary O +payload O +downloaded O +by O +Rockloader S-MAL +, O +the O +initial O +payload O +in O +a O +large O +email S-TOOL +campaign O +using O +zipped S-TOOL +JavaScript S-TOOL +attachments O +. O + +The O +Bart S-MAL +ransom O +screen O +was O +visually O +similar O +to O +Locky S-MAL +’s O +but O +Bart S-MAL +had O +one O +important O +distinction O +: O +it O +could O +encrypt O +files O +without O +contacting O +a O +command O +and O +control O +server O +. O + +However O +, O +we O +have O +not O +seen O +Bart S-MAL +since O +, O +suggesting O +that O +this O +was O +either O +an O +experiment O +or O +that O +the O +ransomware O +did O +not O +function O +as O +expected O +for O +TA505 S-APT +. O + +TA505 S-APT +briefly O +distributed O +the O +Kegotip S-MAL +information B-TOOL +stealer E-TOOL +in O +April B-TIME +2017 E-TIME +. O + +Across O +two O +campaigns O +of O +several O +million O +messages O +each O +, O +the O +actor O +used O +both O +macro S-TOOL +laden O +Microsoft S-IDTY +Word S-TOOL +documents O +and O +zipped S-TOOL +VBScript S-TOOL +attachments O +to O +install O +the O +Trojan S-MAL +on O +potential O +victim O +PCs S-TOOL +. O + +Kegotip S-MAL +is O +an O +infostealer S-TOOL +( O +credentials O +and O +email S-TOOL +addresses O +) O +used O +to O +facilitate O +other O +crimeware O +activities O +. O + +It O +steals O +credentials O +from O +various O +FTP S-PROT +clients O +, O +Outlook S-TOOL +, O +and O +Internet B-TOOL +Explorer E-TOOL +. O + +It O +also O +will O +gather O +email S-TOOL +addresses O +scraped O +from O +files O +stored O +on O +the O +computer O +. O + +This O +information O +can O +be O +used O +to O +facilitate O +future O +spam O +campaigns O +by O +the O +perpetrator O +or O +may O +be O +sold O +to O +other O +actors O +. O + +TA505 S-APT +introduced O +Jaff S-MAL +ransomware O +in O +May B-TIME +2017 E-TIME +. 
O + +Jaff S-MAL +was O +not O +dramatically O +different O +from O +other O +ransomware O +strains O +. O + +The O +payment O +portal O +was O +initially O +similar O +to O +the O +one O +used O +by O +Locky S-MAL +and O +Bart S-MAL +. O + +It O +was O +primarily O +notable O +for O +its O +high-volume O +campaigns O +and O +its O +association O +with O +TA505 S-APT +, O +given O +the O +actor O +’s O +propensity O +for O +massive O +campaigns O +and O +ability O +to O +dominate O +the O +email S-TOOL +landscape O +. O + +Jaff S-MAL +appeared O +in O +multi-million O +message O +campaigns O +for O +roughly O +a O +month O +and O +then O +promptly O +disappeared O +as O +soon O +as O +a O +decryptor S-TOOL +was O +released O +in O +mid-June B-TIME +2017 E-TIME +. O + +The O +Trick S-MAL +, O +also O +known O +as O +Trickbot S-MAL +, O +is O +another O +banking O +Trojan S-MAL +that O +TA505 S-APT +first O +began O +distributing O +in O +June B-TIME +of I-TIME +2017 E-TIME +, O +although O +we O +have O +observed O +The O +Trick S-MAL +in O +the O +wild O +since O +fall B-TIME +2016 E-TIME +, O +usually O +in O +regionally O +targeted O +campaigns O +. O + +It O +is O +generally O +considered O +a O +descendant O +of O +the O +Dyreza S-MAL +banking O +Trojan S-MAL +and O +features O +mutliple O +modules O +. O + +The O +main O +bot O +is O +responsible O +for O +persistence O +, O +the O +downloading O +of O +additional O +modules O +, O +loading O +affiliate O +payloads O +, O +and O +loading O +updates O +for O +the O +malware O +. O + +As O +with O +much O +of O +the O +malware O +distributed O +by O +TA505 S-APT +, O +The O +Trick S-MAL +has O +appeared O +in O +frequent O +, O +high-volume O +campaigns O +. 
O + +The O +campaigns O +used O +a O +mix O +of O +attached O +zipped S-TOOL +scripts O +( O +WSF S-TOOL +, O +VBS S-TOOL +) O +, O +malicious O +Microsoft S-IDTY +Office S-TOOL +documents O +( O +Word S-TOOL +, O +Excel S-TOOL +) O +, O +HTML S-TOOL +attachments O +, O +password-protected O +Microsoft S-IDTY +Word S-TOOL +documents O +, O +links O +to O +malicious O +JavaScript S-TOOL +, O +and O +other O +vectors O +. O + +The O +last O +TA505 S-APT +campaigns O +featuring O +The O +Trick S-MAL +appeared O +in O +mid-September B-TIME +2017 E-TIME +with O +payloads O +alternating O +between O +Locky S-MAL +and O +The O +Trick S-MAL +. O + +Philadelphia S-MAL +ransomware O +has O +been O +circulating O +since O +September B-TIME +2016 E-TIME +. O + +It O +first O +attracted O +our O +attention O +in O +April B-TIME +of I-TIME +this I-TIME +year E-TIME +when O +we O +observed O +an O +actor O +customizing O +the O +malware O +for O +use O +in O +highly O +targeted O +campaigns O +. O + +In O +a O +brief O +stint O +, O +TA505 S-APT +distributed O +it O +in O +one O +large O +campaign O +in O +July S-TIME +, O +but O +we O +have O +not O +seen O +them O +use O +it O +since O +. O + +GlobeImposter S-MAL +is O +another O +ransomware O +strain O +that O +saw O +relatively O +small-scale O +distribution O +until O +TA505 S-APT +began O +including O +it O +in O +malicious O +spam O +campaigns O +at O +the O +end B-TIME +of I-TIME +July I-TIME +2017 E-TIME +. O + +TA505 S-APT +primarily O +distributed O +GlobeImposter S-MAL +in O +zipped S-TOOL +script O +attachments O +through O +the O +beginning O +of O +September B-TIME +2017 E-TIME +. O + +Again O +, O +GlobeImposter S-MAL +is O +not O +particularly O +innovative O +but O +TA505 S-APT +elevated O +the O +ransomware O +from O +a O +regional O +variant O +to O +a O +major O +landscape O +feature O +during O +roughly O +six O +weeks O +of O +large O +campaigns O +. 
O + +TA505 S-APT +is O +arguably O +one O +of O +the O +most O +significant O +financially O +motivated O +threat O +actors O +because O +of O +the O +extraordinary O +volumes O +of O +messages O +they O +send O +. O + +The O +variety O +of O +malware O +delivered O +by O +the O +group O +also O +demonstrates O +their O +deep O +connections O +to O +the O +underground O +malware O +scene O +. O + +At O +the O +time O +of O +writing O +, O +Locky S-MAL +ransomware O +remains O +their O +malware O +of O +choice O +, O +even O +as O +the O +group O +continues O +to O +experiment O +with O +a O +variety O +of O +additional O +malware O +. O + +The O +history O +of O +TA505 S-APT +is O +instructive O +because O +they: O +Have O +proven O +to O +be O +highly O +adaptable O +, O +shifting O +techniques O +and O +malware O +frequently O +to O +“ O +follow O +the O +money O +” O +, O +while O +largely O +sticking O +to O +successful O +strategies O +where O +possible O +Are O +flexible O +, O +using O +largely O +interchangeable O +components O +, O +innovating O +where O +necessary O +on O +the O +malware O +front O +and O +using O +off-the-shelf O +malware O +where O +possible O +Operate O +at O +massive O +scale O +, O +consistently O +driving O +global O +trends O +in O +malware O +distribution O +and O +message O +volume O +. O + +Each O +of O +these O +elements O +makes O +TA505 S-APT +a O +magnifying O +lens O +through O +which O +to O +consider O +the O +framework O +employed O +by O +many O +modern O +threat O +actors O +. O + +Such O +a O +framework O +typically O +consists O +of O +five O +elements O +: O + +Actor O +: O +The O +attacker O +organization O +; O +real O +humans O +driven O +by O +various O +motivations O +-- O +In O +the O +case O +of O +TA505 S-APT +, O +the O +motivations O +are O +financial O +. 
O + +Vector O +: O +The O +delivery O +mechanism O +; O +email S-TOOL +via O +attacker-controlled O +or O +leased O +spam O +botnet O +-- O +Necurs S-MAL +for O +TA505 S-APT +-- O +remains O +a O +dominant O +vector O +, O +and O +certainly O +the O +vector O +of O +choice O +for O +this O +actor O +. O + +Hoster O +: O +The O +sites O +hosting O +malware O +; O +if O +malware O +is O +not O +directly O +attached O +to O +email S-TOOL +, O +then O +macro S-TOOL +enabled O +documents O +, O +malicious O +scripts O +, O +or O +exploit O +kits O +will O +pull O +payloads O +from O +these O +servers O +. O + +TA505 S-APT +almost O +exclusively O +hosts O +malware O +in O +this O +way O +, O +although O +they O +vary O +the O +means O +of O +installing O +their O +final O +payloads O +on O +victim O +machines O +. O + +Payload O +: O +The O +malware O +; O +software O +that O +will O +enable O +the O +attacker O +to O +make O +use O +of O +( O +control O +, O +exfiltrate O +data O +from O +, O +or O +download O +more O +software O +to O +) O +the O +target O +computer O +. O + +For O +TA505 S-APT +, O +the O +payloads O +have O +shifted O +over O +the O +years O +and O +months O +of O +their O +activity O +, O +but O +their O +sending O +and O +hosting O +infrastructure O +make O +these O +changes O +relatively O +simple O +to O +implement O +. O + +C&C S-TOOL +: O +The O +command B-TOOL +and I-TOOL +control E-TOOL +channel O +that O +serves O +to O +relay O +commands O +between O +the O +installed O +malware O +and O +attackers O +. O + +TA505 S-APT +operates O +a O +variety O +of O +C&C S-TOOL +servers O +, O +allowing O +it O +to O +be O +resilient O +in O +the O +case O +of O +takedowns O +, O +sinkholes O +, O +and O +other O +defensive O +operations O +. 
O + +This O +framework O +enables O +attackers O +to O +operate O +in O +robust O +, O +horizontally O +segmented O +ecosystems O +, O +specializing O +in O +developing O +certain O +parts O +of O +the O +framework O +, O +and O +selling O +or O +leasing O +to O +others O +; O +such O +frameworks O +are O +resistant O +to O +takedowns O +and O +individual O +component O +failures O +. O + +But O +such O +frameworks O +also O +increase O +attackers' O +detection O +surface O +, O +that O +is O +, O +their O +susceptibility O +to O +discovery O +. O + +In O +the O +case O +of O +TA505 S-APT +, O +while O +most O +elements O +of O +the O +framework O +are O +well-developed O +, O +their O +reliance O +on O +the O +Necurs S-MAL +botnet O +for O +the O +sending O +high-volume O +malicious O +spam O +- O +a O +key O +component O +of O +the O +Vector O +element O +above O +- O +appears O +to O +be O +their O +Achilles S-MAL +heel O +. O + + +A O +XENOTIME S-APT +to O +Remember O +: O +Veles S-TOOL +in O +the O +Wild O +. O + +Release_Time O +: O +2019-12-04 O + +Report_URL O +: O +https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/ O + + +“ O +When O +I O +use O +a O +word O +, O +” O +Humpty O +Dumpty O +said O +, O +in O +rather O +a O +scornful O +tone O +, O +“ O +it O +means O +just O +what O +I O +choose O +it O +to O +mean—neither O +more O +nor O +less. O +” O +– O +Through O +the O +Looking B-IDTY +Glass E-IDTY +, O +Lewis O +Carroll O +FireEye S-SECTEAM +recently O +published O +a O +blog O +covering O +the O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +for O +the O +“ O +TRITON S-MAL +actor O +” O +when O +preparing O +to O +deploy O +the O +TRITON S-MAL/TRISIS S-MAL +malware O +framework O +in O +2017 S-TIME +. 
O + +Overall O +, O +the O +post O +does O +a O +commendable O +job O +in O +making O +public O +findings O +previously O +only O +privately O +shared O +( O +presumably O +by O +FireEye S-SECTEAM +, O +and O +in O +several O +reports O +I O +authored O +for O +my O +employer O +, O +Dragos S-SECTEAM +) O +to O +threat O +intelligence O +customers O +. O + +As O +such O +, O +the O +blog O +continues O +to O +push O +forward O +the O +narrative O +of O +how O +ICS B-ACT +attacks E-ACT +are O +enabled O +through O +prepositioning O +and O +initial O +intrusion O +operations O +– O +an O +item O +I O +have O +discussed O +at O +length O +. O + +Yet O +one O +point O +of O +confusion O +in O +the O +blog O +comes O +at O +the O +very O +start O +: O +referring O +to O +the O +entity O +responsible O +for O +TRITON S-MAL +as O +the O +“ O +TRITON S-MAL +actor O +” O +. O + +This O +seems O +confusing O +as O +FireEye S-SECTEAM +earlier O +publicly O +declared O +the O +“ O +TRITON S-MAL +actor O +” O +as O +a O +discrete O +entity O +, O +linked O +to O +a O +Russian O +research O +institution O +, O +and O +christened O +it O +as O +“ O +TEMP.Veles S-APT +” O +. O + +In O +the O +2018 S-TIME +public O +posting O +announcing O +TEMP.Veles S-APT +, O +FireEye S-SECTEAM +researchers O +noted O +that O +the O +institute O +in O +question O +at O +least O +supported O +TEMP.Veles S-APT +activity O +in O +deploying O +TRITON S-MAL +, O +with O +subsequent O +public O +presentations O +at O +Cyberwarcon S-SECTEAM +and O +the O +Kaspersky B-SECTEAM +Lab E-SECTEAM +sponsored O +Security B-SECTEAM +Analyst I-SECTEAM +Summit E-SECTEAM +essentially O +linking O +TRITON S-MAL +and O +the O +research O +institute O +( O +and O +therefore O +TEMP.Veles S-APT +) O +as O +one O +in O +the O +same O +. 
O + +Yet O +the O +most-recent O +posting O +covering O +TTPs S-PROT +from O +initial O +access O +through O +prerequisites O +to O +enable O +final O +delivery O +of O +effects O +on O +target O +( O +deploying O +TRITON S-MAL/TRISIS S-MAL +) O +avoids O +the O +use O +of O +the O +TEMP.Veles S-APT +term O +entirely O +. O + +In O +subsequent O +discussion O +, O +FireEye S-SECTEAM +personnel O +indicate O +that O +there O +was O +not O +“ O +an O +avalanche O +of O +evidence O +to O +substantiate O +” O +anything O +more O +than O +“ O +TRITON S-MAL +actor O +” O +– O +summing O +matters O +by O +indicating O +this O +term O +“ O +is O +the O +best O +we O +’ve O +got O +for O +the O +public O +for O +now O +” O +. O + +Meanwhile O +, O +parallel O +work O +at O +Dragos S-SECTEAM +( O +my O +employer O +, O +where O +I O +have O +performed O +significant O +work O +on O +the O +activity O +described O +above O +) O +uncovered O +similar O +conclusions O +concerning O +TTPs S-PROT +and O +behaviors O +, O +for O +both O +the O +2017 S-TIME +event O +and O +subsequent O +activity O +in O +other O +industrial O +sectors O +. O + +Utilizing O +Diamond O +Model O +methodology O +for O +characterizing O +activity O +by O +behaviors O +attached O +to O +victims O +, O +we O +began O +tracking O +TRITON S-MAL/TRISIS S-MAL +and O +immediate O +enabling O +activity O +as O +a O +distinct O +activity O +group O +( O +collection O +of O +behaviors O +, O +infrastructure O +, O +and O +victimology O +) O +designated O +XENOTIME S-APT +. 
O + +Based O +on O +information O +gained O +from O +discussion O +with O +the O +initial O +TRITON S-MAL/TRISIS S-MAL +responders O +and O +subsequent O +work O +on O +follow-on O +activity O +by O +this O +entity O +, O +Dragos S-SECTEAM +developed O +a O +comprehensive O +( O +public O +) O +picture O +of O +adversary O +activity O +roughly O +matching O +FireEye S-SECTEAM +’s O +analysis O +published O +in O +April B-TIME +2019 E-TIME +, O +described O +in O +various O +media O +. O + +At O +this O +stage O +, O +we O +have O +two O +similar O +, O +parallel O +constructions O +of O +events O +– O +the O +how O +behind O +the O +immediate O +deployment O +and O +execution O +of O +TRITON S-MAL/TRISIS S-MAL +– O +yet O +dramatically O +different O +responses O +in O +terms O +of O +attribution O +and O +labeling O +. O + +Since O +late B-TIME +2018 E-TIME +, O +based O +upon O +the O +most-recent O +posting O +, O +FireEye S-SECTEAM +appears O +to O +have O +“ O +walked O +back O +” O +the O +previously-used O +terminology O +of O +TEMP.Veles S-APT +and O +instead O +refers O +rather O +cryptically O +to O +the O +“ O +TRITON S-MAL +actor O +” O +, O +while O +Dragos S-SECTEAM +leveraged O +identified O +behaviors O +to O +consistently O +refer O +to O +an O +activity O +group O +, O +XENOTIME S-APT +. O + +Given O +that O +both O +organizations O +appear O +to O +describe O +similar O +( O +if O +not O +identical O +) O +activity O +, O +any O +reasonable O +person O +could O +( O +and O +should O +) O +ask O +– O +why O +the O +inconsistency O +in O +naming O +and O +identification? 
O +Aside O +from O +the O +competitive O +vendor O +naming O +landscape O +( O +which O +I O +am O +not O +a O +fan O +of O +in O +cases O +on O +direct O +overlap O +, O +but O +which O +has O +more O +to O +say O +for O +itself O +when O +different O +methodologies O +are O +employed O +around O +similar O +observations O +) O +, O +the O +distinction O +between O +FireEye S-SECTEAM +and O +Dragos S-SECTEAM +’ O +approaches O +with O +respect O +to O +the O +“ O +TRITON S-MAL +actor O +” O +comes O +down O +to O +fundamental O +philosophical O +differences O +in O +methodology O +. O + +As O +wonderfully O +described O +in O +a O +recent O +public O +posting O +, O +FireEye S-SECTEAM +adheres O +to O +a O +naming O +convention O +based O +upon O +extensive O +data O +collection O +and O +activity O +comparison O +, O +designed O +to O +yield O +the O +identification O +of O +a O +discrete O +, O +identifiable O +entity O +responsible O +for O +a O +given O +collection O +of O +activity O +. O + +This O +technique O +is O +precise O +and O +praiseworthy O +– O +yet O +at O +the O +same O +time O +, O +appears O +so O +rigorous O +as O +to O +impose O +limitations O +on O +the O +ability O +to O +dynamically O +adjust O +and O +adapt O +to O +emerging O +adversary O +activity O +. O +( O +Or O +for O +that O +matter O +, O +even O +categorize O +otherwise O +well-known O +historical O +actors O +operating O +to O +the O +present O +day O +, O +such O +as O +Turla S-APT +. O +) O +FireEye S-SECTEAM +’s O +methodology O +may O +have O +particular O +limitations O +in O +instances O +where O +adversaries O +( O +such O +as O +XENOTIME S-APT +and O +presumably O +TEMP.Veles S-APT +) O +rely O +upon O +extensive O +use O +of O +publicly-available O +, O +commonly-used O +tools O +with O +limited O +amounts O +of O +customization O +. 
O + +In O +such O +cases O +, O +utilizing O +purely O +technical O +approaches O +for O +differentiation O +( O +an O +issue O +I O +lightly O +touched O +on O +in O +a O +recent O +post O +) O +becomes O +problematic O +, O +especially O +when O +trying O +to O +define O +attribution O +to O +specific O +, O +“ O +who-based O +” O +entities O +( O +such O +as O +a O +Russian O +research O +institute O +) O +. O + +My O +understanding O +is O +FireEye S-SECTEAM +labels O +entities O +where O +definitive O +attribution O +is O +not O +yet O +possible O +with O +the O +“ O +TEMP O +” O +moniker O +( O +hence O +, O +TEMP.Veles S-APT +) O +– O +yet O +in O +this O +case O +FireEye S-SECTEAM +developed O +and O +deployed O +the O +label O +, O +then O +appeared O +to O +move O +away O +from O +it O +in O +subsequent O +reporting O +. O + +Based O +on O +the O +public O +blog O +post O +– O +which O +also O +indicated O +that O +FireEye S-SECTEAM +is O +responding O +to O +an O +intrusion O +at O +a O +second O +facility O +featuring O +the O +same O +or O +similar O +observations O +– O +this O +is O +presumably O +not O +for O +lack O +of O +evidence O +, O +yet O +the O +“ O +downgrade O +” O +occurs O +all O +the O +same O +. O + +In O +comparison O +, O +XENOTIME S-APT +was O +defined O +based O +on O +principles O +of O +infrastructure O +( O +compromised O +third-party O +infrastructure O +and O +various O +networks O +associated O +with O +several O +Russian O +research O +institutions O +) O +, O +capabilities O +( O +publicly- O +and O +commercially-available O +tools O +with O +varying O +levels O +of O +customization O +) O +and O +targeting O +( O +an O +issue O +not O +meant O +for O +discussion O +in O +this O +blog O +) O +. 
O + +In O +personally O +responding O +to O +several O +incidents O +across O +multiple O +industry O +sectors O +since O +early B-TIME +2018 E-TIME +matching O +TTPs S-PROT +from O +the O +TRITON S-MAL/TRISIS S-MAL +event O +, O +these O +items O +proved O +consistent O +and O +supported O +the O +creation O +of O +the O +XENOTIME S-APT +activity O +group O +. O + +This O +naming O +decision O +was O +founded O +upon O +the O +underlying O +methodology O +described O +in O +the O +Diamond O +Model O +of O +intrusion O +analysis O +. O + +As O +such O +, O +this O +decision O +does O +not O +necessarily O +refer O +to O +a O +specific O +institution O +, O +but O +rather O +a O +collection O +of O +observations O +and O +behaviors O +observed O +across O +multiple O +, O +similarly-situated O +victims O +. O + +Of O +note O +, O +this O +methodology O +of O +naming O +abstracts O +away O +the O +“ O +who O +” O +element O +– O +XENOTIME S-APT +may O +represent O +a O +single O +discrete O +entity O +( O +such O +as O +a O +Russian O +research O +institution O +) O +or O +several O +entities O +working O +in O +coordination O +in O +a O +roughly O +repeatable O +, O +similar O +manner O +across O +multiple O +events O +. O + +Ultimately O +, O +the O +epistemic O +foundation O +of O +the O +behavior-based O +naming O +approach O +makes O +this O +irrelevant O +for O +tracking O +( O +and O +labeling O +for O +convenience O +sake O +) O +observations O +. O + +Much O +like O +the O +observers O +watching O +the O +shadows O +of O +objects O +cast O +upon O +the O +wall O +of O +the O +cave O +, O +these O +two O +definitions O +( O +XENOTIME S-APT +and O +TEMP.Veles S-APT +, O +both O +presumably O +referring O +to O +“ O +the O +TRITON S-MAL +actor O +” O +) O +describe O +the O +same O +phenomena O +, O +yet O +at O +the O +same O +time O +appear O +different O +. 
O + +This O +question O +of O +perception O +and O +accuracy O +rests O +upon O +the O +underlying O +epistemic O +framework O +and O +the O +goal O +conceived O +for O +that O +framework O +in O +defining O +an O +adversary O +: O +FireEye S-SECTEAM +’s O +methodology O +follows O +a O +deductive O +approach O +requiring O +the O +collection O +of O +significant O +evidence O +over O +time O +to O +yield O +a O +conclusion O +that O +will O +be O +necessary O +given O +the O +premises O +( O +the O +totality O +of O +evidence O +suggests O +APTxx O +) O +; O +the O +Dragos S-SECTEAM +approach O +instead O +seeks O +an O +inductive O +approach O +, O +where O +premises O +may O +all O +be O +true O +but O +the O +conclusion O +need O +not O +necessarily O +follow O +from O +them O +given O +changes O +in O +premises O +over O +time O +or O +other O +observations O +not O +contained O +within O +the O +set O +( O +thus O +, O +identified O +behaviors O +strongly O +suggests O +an O +activity O +group O +, O +defined O +as O +X O +) O +. O + +From O +an O +external O +analysts O +’ O +point O +of O +view O +, O +the O +wonder O +is O +, O +which O +is O +superior O +to O +the O +other? O +And O +my O +answer O +for O +this O +is O +: O +neither O +is O +perfect O +, O +but O +both O +are O +useful O +– O +depending O +upon O +your O +goals O +and O +objectives O +. O + +But O +rather O +than O +trying O +to O +pursue O +some O +comparison O +between O +the O +two O +for O +identification O +of O +superiority O +( O +an O +approach O +that O +will O +result O +in O +unproductive O +argument O +and O +social O +media O +warring O +) O +, O +the O +point O +of O +this O +post O +is O +to O +highlight O +the O +distinctions O +between O +these O +approaches O +and O +how O +– O +in O +the O +case O +of O +“ O +the O +TRITON S-MAL +actor O +” O +– O +they O +result O +in O +noticeably O +different O +conclusions O +from O +similar O +datasets O +. 
O + +One O +reason O +for O +the O +distinction O +may O +be O +differences O +in O +evidence O +, O +as O +FireEye S-SECTEAM +’s O +public O +reporting O +notes O +two O +distinct O +events O +of O +which O +they O +are O +aware O +of O +and O +have O +responded O +to O +related O +to O +“ O +the O +TRITON S-MAL +actor O +” O +while O +Dragos S-SECTEAM +has O +been O +engaged O +several O +instances O +– O +thus O +, O +Dragos S-SECTEAM +would O +possess O +more O +evidence O +to O +cement O +the O +definition O +of O +an O +activity O +group O +, O +while O +FireEye S-SECTEAM +’s O +data O +collection-centric O +approach O +would O +require O +far O +more O +observations O +to O +yield O +an O +“ O +APT O +” O +. O + +Yet O +irrespective O +of O +this O +, O +it O +is O +confusing O +why O +the O +previously-declared O +“ O +TEMP O +” O +category O +was O +walked O +back O +as O +this O +has O +led O +to O +not O +small O +amount O +of O +confusion O +– O +in O +both O +technical O +and O +non-technical O +audiences O +– O +as O +to O +just O +what O +FireEye S-SECTEAM +’s O +blog O +post O +refers O +. O + +Thus O +respected O +journalists O +( O +at O +least O +by O +me O +) O +conflate O +the O +“ O +TRITON S-MAL +actor O +is O +active O +at O +another O +site O +” O +with O +“ O +TRITON S-MAL +malware O +was O +identified O +at O +another O +site O +” O +. O + +In O +this O +case O +, O +we O +’re O +seeing O +a O +definite O +problem O +with O +the O +overly-conservative O +naming O +approach O +used O +as O +it O +engenders O +confusion O +in O +a O +significant O +subset O +of O +the O +intended O +audience O +. O + +While O +some O +may O +dismiss O +adversary O +or O +activity O +naming O +as O +so O +much O +marketing O +, O +having O +a O +distinct O +label O +for O +something O +allows O +for O +clearer O +communication O +and O +more O +accurate O +discussion O +. 
O + +Furthermore O +, O +conflating O +adversaries O +with O +tools O +, O +since O +tools O +can O +be O +repurposed O +or O +used O +by O +other O +entities O +than O +those O +first O +observed O +deploying O +them O +, O +leads O +to O +further O +potential O +confusion O +as O +the O +“ O +X S-TOOL +actor O +” O +is O +quickly O +compressed O +in O +the O +minds O +of O +some O +to O +refer O +to O +any O +and O +all O +instantiations O +of O +tool O +“ O +X S-TOOL +” O +. O + +Overall O +, O +the O +discussion O +above O +may O +appear O +so O +much O +splitting O +of O +hairs O +or O +determining O +how O +many O +angels O +can O +dance O +on O +the O +head O +of O +a O +pin O +– O +yet O +given O +the O +communicative O +impacts O +behind O +different O +naming O +and O +labeling O +conventions O +, O +this O +exploration O +seems O +not O +merely O +useful O +but O +necessary O +. O + +Understanding O +the O +“ O +how O +” O +and O +“ O +why O +” O +behind O +different O +entity O +classifications O +of O +similar O +( O +or O +even O +the O +same O +) O +activity O +allows O +us O +to O +move O +beyond O +the O +dismissive O +approach O +of O +“ O +everyone O +has O +their O +names O +for O +marketing O +purposes O +” O +to O +a O +more O +productive O +mindset O +that O +grasps O +the O +fundamental O +methodologies O +that O +( O +should O +) O +drive O +these O +decisions O +. O + + +Threat B-APT +Group I-APT +3390 E-APT +Cyberespionage O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 S-APT +actors O +using O +tools O +that O +are O +favored O +by O +multiple O +threat O +groups O +: O + +PlugX S-MAL +— O +A O +remote O +access O +tool O +notable O +for O +communications O +that O +may O +contain O +HTTP S-PROT +headers O +starting O +with O +" O +X- O +" O +( O +e.g. O +, O +" O +X-Session S-TOOL +: O +0 O +" O +) O +. 
O + +Its O +presence O +on O +a O +compromised O +system O +allows O +a O +threat O +actor O +to O +execute O +a O +wide O +variety O +of O +commands O +, O +including O +uploading O +and O +downloading O +files O +, O +and O +spawning O +a O +reverse O +shell O +. O + +The O +malware O +can O +be O +configured O +to O +use O +multiple O +network O +protocols O +to O +avoid O +network-based O +detection O +. O + +DLL S-TOOL +side O +loading O +is O +often O +used O +to O +maintain O +persistence O +on O +the O +compromised O +system O +. O + +HttpBrowser S-MAL +( O +also O +known O +as O +TokenControl S-MAL +) O +— O +A O +backdoor O +notable O +for O +HTTPS S-PROT +communications O +with O +the O +HttpBrowser S-MAL +User-Agent S-TOOL +. O + +HttpBrowser S-MAL +'s O +executable O +code O +may O +be O +obfuscated O +through O +structured O +exception O +handling O +and O +return-oriented O +programming O +. O + +Its O +presence O +on O +a O +compromised O +system O +allows O +a O +threat O +actor O +to O +spawn O +a O +reverse O +shell O +, O +upload O +or O +download O +files O +, O +and O +capture O +keystrokes O +. O + +Antivirus O +detection O +for O +HttpBrowser S-MAL +is O +extremely O +low O +and O +is O +typically O +based O +upon O +heuristic O +signatures O +. O + +DLL S-TOOL +side O +loading O +has O +been O +used O +to O +maintain O +persistence O +on O +the O +compromised O +system O +. O + +ChinaChopper S-MAL +web B-TOOL +shell E-TOOL +— O +A O +web-based O +executable O +script O +that O +allows O +a O +threat O +actor O +to O +execute O +commands O +on O +the O +compromised O +system O +. O + +The O +server-side O +component O +provides O +a O +simple O +graphical O +user O +interface O +for O +threat O +actors O +interacting O +with O +web B-TOOL +shells E-TOOL +. 
O + +Hunter S-TOOL +— O +A O +web O +application O +scanning O +tool O +written O +by O +@tojen O +to O +identify O +vulnerabilities O +in O +Apache B-TOOL +Tomcat E-TOOL +, O +Red B-TOOL +Hat I-TOOL +JBoss I-TOOL +Middleware E-TOOL +, O +and O +Adobe B-TOOL +ColdFusion E-TOOL +. O + +It O +can O +also O +identify O +open O +ports O +, O +collect O +web O +banners O +, O +and O +download O +secondary O +files O +. O + +The O +following O +tools O +appear O +to O +be O +exclusive O +to O +TG-3390 S-APT +: O +OwaAuth S-MAL +web B-TOOL +shell E-TOOL +— O +A O +web B-TOOL +shell E-TOOL +and O +credential O +stealer S-TOOL +deployed O +to O +Microsoft S-IDTY +Exchange S-TOOL +servers O +. O + +It O +is O +installed O +as O +an O +ISAPI B-TOOL +filter E-TOOL +. O + +Captured O +credentials O +are O +DES S-ENCR +encrypted O +using O +the O +password O +" O +12345678 O +" O +and O +are O +written O +to O +the O +log.txt O +file O +in O +the O +root O +directory O +. O + +Like O +the O +ChinaChopper S-MAL +web B-TOOL +shell E-TOOL +, O +the O +OwaAuth S-MAL +web B-TOOL +shell E-TOOL +requires O +a O +password O +. O + +However O +, O +the O +OwaAuth S-MAL +web B-TOOL +shell E-TOOL +password O +contains O +the O +victim O +organization's O +name O +. O + +ASPXTool S-MAL +— O +A O +modified O +version O +of O +the O +ASPXSpy S-MAL +web B-TOOL +shell E-TOOL +. O + +It O +is O +deployed O +to O +internally O +accessible O +servers O +running O +Internet B-TOOL +Information I-TOOL +Services E-TOOL +( O +IIS S-TOOL +) O +. O + +TG-3390 S-APT +actors O +have O +also O +used O +the O +following O +publicly O +available O +tools O +: O + +Windows B-TOOL +Credential I-TOOL +Editor E-TOOL +( O +WCE S-TOOL +) O +— O +obtains O +passwords O +from O +memory O +. O +gsecdump S-TOOL +— O +obtains O +passwords O +from O +memory O +. O +winrar S-TOOL +— O +compresses O +data O +for O +Exfiltration S-ACT +. O +nbtscan S-TOOL +— O +scans O +NetBIOS S-TOOL +name O +servers O +. 
O + +CTU S-SECTEAM +researchers O +have O +not O +observed O +TG-3390 S-APT +actors O +performing O +reconnaissance O +prior O +to O +compromising O +organizations O +. O + +As O +discussed O +in O +the O +Actions O +on O +objectives O +section O +, O +the O +threat O +actors O +appear O +to O +wait O +until O +they O +have O +established O +a O +foothold O +. O + +TG-3390 S-APT +actors O +use O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +domains O +for O +extended O +periods O +of O +time O +but O +frequently O +change O +the O +domains' O +IP O +addresses O +. O + +The O +new O +IP O +addresses O +are O +typically O +on O +the O +same O +subnet O +as O +the O +previous O +ones O +. O + +TG-3390 S-APT +is O +capable O +of O +using O +a O +C2 S-TOOL +infrastructure O +that O +spans O +multiple O +networks O +and O +registrars O +. O + +The O +most O +common O +registrar O +used O +by O +the O +adversary O +is O +HiChina B-IDTY +Zhicheng I-IDTY +Technology I-IDTY +Ltd E-IDTY +. O + +The O +threat O +actors O +have O +a O +demonstrated O +ability O +to O +move O +from O +one O +network O +provider O +to O +another O +, O +using O +some O +infrastructure O +for O +extended O +periods O +of O +time O +and O +other O +domains O +for O +only O +a O +few O +days O +. O + +Seemingly O +random O +activity O +patterns O +in O +infrastructure O +deployment O +and O +usage O +, O +along O +with O +the O +ability O +to O +use O +a O +wide O +variety O +of O +geographically O +diverse O +infrastructure O +, O +help O +the O +threat O +actors O +avoid O +detection O +. O + +TG-3390 S-APT +SWCs S-OS +may O +be O +largely O +geographically O +independent O +, O +but O +the O +group's O +most O +frequently O +used O +C2 S-TOOL +registrars O +and O +IP O +net O +blocks O +are O +located O +in O +the O +U.S. S-LOC +Using O +a O +U.S. S-LOC +based O +C2 S-TOOL +infrastructure O +to O +compromise O +targets O +in O +the O +U.S. 
S-LOC +helps O +TG-3390 S-APT +actors O +avoid O +geo-blocking O +and O +geo-flagging O +measures O +used O +in O +network O +defense O +. O + +The O +threat O +actors O +create O +PlugX S-MAL +DLL S-TOOL +stub O +loaders S-TOOL +that O +will O +run O +only O +after O +a O +specific O +date O +. O + +The O +compile O +dates O +of O +the O +samples O +analyzed O +by O +CTU S-SECTEAM +researchers O +are O +all O +later O +than O +the O +hard-coded O +August B-TIME +8 I-TIME +, I-TIME +2013 E-TIME +date O +, O +indicating O +that O +the O +code O +might O +be O +reused O +from O +previous O +tools O +. O + +The O +OwaAuth S-MAL +web B-TOOL +shell E-TOOL +is O +likely O +created O +with O +a O +builder O +, O +given O +that O +the O +PE S-TOOL +compile O +time O +of O +the O +binary O +does O +not O +change O +between O +instances O +and O +the O +configuration O +fields O +are O +padded O +to O +a O +specific O +size O +. O + +The O +adversaries O +modify O +publicly O +available O +tools O +such O +as O +ASPXSpy S-MAL +to O +remove O +identifying O +characteristics O +that O +network O +defenders O +use O +to O +identify O +web B-TOOL +shells E-TOOL +. O + +TG-3390 S-APT +conducts O +SWCs S-OS +or O +sends O +spearphishing S-ACT +emails S-TOOL +with O +ZIP S-TOOL +archive O +attachments O +. O + +The O +ZIP S-TOOL +archives O +have O +names O +relevant O +to O +the O +targets O +and O +contain O +both O +legitimate O +files O +and O +malware O +. O + +One O +archive O +sample O +analyzed O +by O +CTU S-SECTEAM +researchers O +contained O +a O +legitimate O +PDF S-TOOL +file O +, O +a O +benign O +image O +of O +interest O +to O +targets O +, O +and O +an O +HttpBrowser S-MAL +installer S-TOOL +disguised O +as O +an O +image O +file O +. 
O + +Both O +the O +redirect O +code O +on O +the O +compromised O +site O +and O +the O +exploit O +code O +appear O +and O +disappear O +, O +indicating O +that O +the O +adversaries O +add O +the O +code O +when O +they O +want O +to O +leverage O +the O +SWC S-OS +and O +remove O +the O +code O +when O +it O +is O +not O +in O +use O +to O +limit O +the O +visibility O +of O +their O +operations O +. O + +The O +threat O +actors O +have O +evolved O +to O +whitelisting O +IP S-PROT +addresses O +and O +only O +delivering O +the O +exploit O +and O +payload O +to O +specific O +targets O +of O +interest O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 S-APT +compromising O +a O +target O +organization's O +externally O +and O +internally O +accessible O +assets O +, O +such O +as O +an O +OWA S-TOOL +server O +, O +and O +adding O +redirect O +code O +to O +point O +internal O +users O +to O +an O +external O +website O +that O +hosts O +an O +exploit O +and O +delivers O +malware O +. O + +TG-3390 S-APT +actors O +have O +used O +Java S-TOOL +exploits S-TOOL +in O +their O +SWCs S-OS +. O + +In O +particular O +, O +the O +threat O +actors O +have O +exploited O +CVE-2011-3544 S-VULID +, O +a O +vulnerability S-TOOL +in O +the O +Java S-TOOL +Runtime B-TOOL +Environment E-TOOL +, O +to O +deliver O +the O +HttpBrowser S-MAL +backdoor S-TOOL +; O +and O +CVE-2010-0738 S-VULID +, O +a O +vulnerability S-TOOL +in O +JBoss S-TOOL +, O +to O +compromise O +internally O +and O +externally O +accessible O +assets O +used O +to O +redirect O +users' O +web O +browsers O +to O +exploit O +code O +. O + +In O +activity O +analyzed O +by O +CTU S-SECTEAM +researchers O +, O +TG-3390 S-APT +executed O +the O +Hunter S-TOOL +web O +application O +scanning O +tool O +against O +a O +target O +server O +running O +IIS S-TOOL +. 
O + +Hunter S-TOOL +queried O +the O +following O +URIs O +in O +a O +specific O +order O +to O +determine O +if O +the O +associated O +software O +configurations O +are O +insecure O +. O + +TG-3390 S-APT +uses O +DLL S-TOOL +side O +loading O +, O +a O +technique O +that O +involves O +running O +a O +legitimate O +, O +typically O +digitally O +signed O +, O +program O +that O +loads O +a O +malicious O +DLL S-TOOL +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +threat O +actors O +employing O +legitimate O +Kaspersky S-SECTEAM +antivirus O +variants O +in O +analyzed O +samples O +. O + +The O +DLL S-TOOL +acts O +as O +a O +stub O +loader S-TOOL +, O +which O +loads O +and O +executes O +the O +shell O +code O +. O + +The O +adversaries O +have O +used O +this O +technique O +to O +allow O +PlugX S-MAL +and O +HttpBrowser S-MAL +to O +persist O +on O +a O +system O +. O + +Note O +: O +DLL S-TOOL +side O +loading O +is O +a O +prevalent O +persistence O +technique O +that O +is O +used O +to O +launch O +a O +multitude O +of O +backdoors S-TOOL +. O + +The O +challenge O +is O +detecting O +known O +good O +software O +loading O +and O +running O +malware O +. O + +As O +security O +controls O +have O +improved O +, O +DLL S-TOOL +side O +loading O +has O +evolved O +to O +load O +a O +payload O +stored O +in O +a O +different O +directory O +or O +from O +a O +registry O +value O +. O + +In O +other O +cases O +, O +threat O +actors O +placed O +web B-TOOL +shells E-TOOL +on O +externally O +accessible O +servers O +, O +sometimes O +behind O +a O +reverse O +proxy O +, O +to O +execute O +commands O +on O +the O +compromised O +system O +. O + +TG-3390 S-APT +actors O +have O +deployed O +the O +OwaAuth S-MAL +web B-TOOL +shell E-TOOL +to O +Exchange S-TOOL +servers O +, O +disguising O +it O +as O +an O +ISAPI B-TOOL +filter E-TOOL +. 
O + +The O +IIS S-TOOL +w3wp.exe S-FILE +process O +loads O +the O +malicious O +DLL S-TOOL +, O +which O +CTU S-SECTEAM +researchers O +have O +observed O +in O +the O +Program O +Files\Microsoft\Exchange O +Server\ClientAccess\Owa\Bin O +directory O +. O + +To O +traverse O +the O +firewall S-TOOL +, O +C2 S-TOOL +traffic O +for O +most O +TG-3390 S-APT +tools O +occurs O +over O +ports O +53 O +, O +80 O +, O +and O +443 O +. O + +The O +PlugX S-MAL +malware O +can O +be O +configured O +to O +use O +HTTP S-PROT +, O +DNS S-PROT +, O +raw O +TCP S-PROT +, O +or O +UDP S-PROT +to O +avoid O +network-based O +detection O +. O + +In O +one O +sample O +analyzed O +by O +CTU S-SECTEAM +researchers O +, O +PlugX S-MAL +was O +configured O +with O +hard-coded O +user O +credentials O +to O +bypass O +a O +proxy O +that O +required O +authentication O +. O + +Newer O +HttpBrowser S-MAL +versions O +use O +SSL S-PROT +with O +self-signed O +certificates O +to O +encrypt O +network O +communications O +. O + +TG-3390 S-APT +actors O +frequently O +change O +the O +C2 S-TOOL +domain's O +A O +record O +to O +point O +to O +the O +loopback O +IP S-PROT +address O +127.0.0.1 S-IP +, O +which O +is O +a O +variation O +of O +a O +technique O +known O +as O +" O +parking O +" O +. O + +Other O +variations O +of O +parking O +point O +the O +IP S-PROT +address O +to O +Google S-IDTY +'s O +recursive O +name O +server O +8.8.8.8 O +, O +an O +address O +belonging O +to O +Confluence O +, O +or O +to O +other O +non-routable O +addresses O +. O + +When O +the O +adversaries' O +operations O +are O +live O +, O +they O +modify O +the O +record O +again O +to O +point O +the O +C2 S-TOOL +domain O +to O +an O +IP O +address O +they O +can O +access O +. 
O + +CTU S-SECTEAM +researchers O +have O +discovered O +numerous O +details O +about O +TG-3390 S-APT +operations O +, O +including O +how O +the O +adversaries O +explore O +a O +network O +, O +move O +laterally O +, O +and O +exfiltrate O +data O +. O + +After O +compromising O +an O +initial O +victim's O +system O +( O +patient O +0 O +) O +, O +the O +threat O +actors O +use O +the O +Baidu S-IDTY +search O +engine O +to O +search O +for O +the O +victim's O +organization O +name O +. O + +They O +then O +identify O +the O +Exchange S-TOOL +server O +and O +attempt O +to O +install O +the O +OwaAuth S-MAL +web B-TOOL +shell E-TOOL +. O + +If O +the O +OwaAuth S-MAL +web B-TOOL +shell E-TOOL +is O +ineffective O +because O +the O +victim O +uses O +two-factor O +authentication O +for O +webmail O +, O +the O +adversaries O +identify O +other O +externally O +accessible O +servers O +and O +deploy O +ChinaChopper S-MAL +web B-TOOL +shells E-TOOL +. O + +Within O +six O +hours O +of O +entering O +the O +environment O +, O +the O +threat O +actors O +compromised O +multiple O +systems O +and O +stole O +credentials O +for O +the O +entire O +domain O +. O + +The O +threat O +actors O +use O +the O +Hunter S-TOOL +and O +nbtscan S-TOOL +tools O +, O +sometimes O +renamed O +, O +to O +conduct O +network O +reconnaissance O +for O +vulnerable O +servers O +and O +online O +systems O +. O + +TG-3390 S-APT +actors O +favor O +At.exe S-FILE +to O +create O +scheduled O +tasks O +for O +executing O +commands O +on O +remote O +systems O +. O + +Over O +a O +few O +days' O +span O +, O +the O +threat O +actors O +install O +remote O +access O +tools O +on O +additional O +systems O +based O +upon O +the O +results O +of O +the O +network O +reconnaissance O +. O + +They O +use O +At.exe S-FILE +to O +schedule O +tasks O +to O +run O +self-extracting O +RAR S-TOOL +archives O +, O +which O +install O +either O +HttpBrowser S-MAL +or O +PlugX S-MAL +. 
O + +CTU S-SECTEAM +researchers O +observed O +the O +threat O +actors O +collecting O +Cisco S-IDTY +VPN S-TOOL +profiles O +to O +use O +when O +accessing O +the O +victim's O +network O +via O +VPN S-TOOL +. O + +To O +facilitate O +lateral O +movement O +, O +the O +adversaries O +deploy O +ASPXTool S-TOOL +web B-TOOL +shells E-TOOL +to O +internally O +accessible O +systems O +running O +IIS S-TOOL +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +threat O +actors O +encrypting O +data O +using O +the O +password O +" O +admin-windows2014 O +" O +and O +splitting O +the O +RAR S-TOOL +archives O +into O +parts O +in O +the O +recycler O +directory O +, O +with O +the O +same O +name O +as O +the O +uncompressed O +data O +. O + +The O +number O +at O +the O +end O +of O +the O +password O +corresponds O +to O +the O +year O +of O +the O +intrusion O +. O + +For O +example O +, O +the O +password O +" O +admin-windows2014 O +" O +shown O +in O +Figure O +14 O +was O +changed O +to O +"admin-windows2015" O +for O +TG-3390 S-APT +intrusions O +conducted O +in O +2015 S-TIME +. O + +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 S-APT +actors O +staging O +RAR S-TOOL +archives O +, O +renamed O +with O +a O +.zip S-FILE +file O +extension O +, O +on O +externally O +accessible O +web O +servers O +. O + +The O +adversaries O +then O +issue O +HTTP S-PROT +GET O +requests O +, O +sometimes O +with O +the O +User-Agent S-TOOL +MINIXL S-TOOL +, O +to O +exfiltrate O +the O +archive O +parts O +from O +the O +victim's O +network O +. O + +Successfully O +evicting O +TG-3390 S-APT +from O +an O +environment O +requires O +a O +coordinated O +plan O +to O +remove O +all O +access O +points O +, O +including O +remote B-TOOL +access I-TOOL +tools E-TOOL +and O +web B-TOOL +shells E-TOOL +. 
O + +Within O +weeks O +of O +eviction O +, O +the O +threat O +actors O +attempt O +to O +access O +their O +ChinaChopper S-MAL +web B-TOOL +shells E-TOOL +from O +previously O +used O +IP S-PROT +addresses O +. O + +Finding O +the O +web B-TOOL +shells E-TOOL +inaccessible O +, O +the O +adversaries O +search O +google.co.jp S-DOM +for O +remote O +access O +solutions O +. O + +CTU S-SECTEAM +researchers O +discovered O +the O +threat O +actors O +searching O +for O +" O +[company] O +login O +, O +" O +which O +directed O +them O +to O +the O +landing O +page O +for O +remote O +access O +. O + +TG-3390 S-APT +attempts O +to O +reenter O +the O +environment O +by O +identifying O +accounts O +that O +do O +not O +require O +two-factor O +authentication O +for O +remote O +access O +solutions O +, O +and O +then O +brute O +forcing O +usernames O +and O +passwords O +. O + +After O +reestablishing O +access O +, O +the O +adversaries O +download O +tools O +such O +as O +gsecudmp S-TOOL +and O +WCE S-TOOL +that O +are O +staged O +temporarily O +on O +websites O +that O +TG-3390 S-APT +previously O +compromised O +but O +never O +used O +. O + +CTU S-SECTEAM +researchers O +believe O +legitimate O +websites O +are O +used O +to O +host O +tools O +because O +web O +proxies O +categorize O +the O +sites O +as O +benign O +. O + +TG-3390 S-APT +actors O +keep O +track O +of O +and O +leverage O +existing O +ASPXTool S-TOOL +web B-TOOL +shells E-TOOL +in O +their O +operations O +, O +preferring O +to O +issue O +commands O +via O +an O +internally O +accessible O +web B-TOOL +shell E-TOOL +rather O +than O +HttpBrowser S-MAL +or O +PlugX S-MAL +. O + +After O +reentering O +an O +environment O +, O +the O +threat O +actors O +focus O +on O +obtaining O +the O +active O +directory O +contents O +. 
O + +TG-3390 S-APT +is O +known O +for O +compromising O +organizations O +via O +SWCs S-TOOL +and O +moving O +quickly O +to O +install O +backdoors O +on O +Exchange S-TOOL +servers O +. O + +Despite O +the O +group's O +proficiency O +, O +there O +are O +still O +many O +opportunities O +to O +detect O +and O +disrupt O +its O +operation O +by O +studying O +its O +modus O +operandi O +. O + +The O +threat O +actors O +work O +to O +overcome O +existing O +security O +controls O +, O +or O +those O +put O +in O +place O +during O +an O +engagement O +, O +to O +complete O +their O +mission O +of O +exfiltrating O +intellectual O +property O +. O + +Due O +to O +TG-3390 S-APT +'s O +determination O +, O +organizations O +should O +formulate O +a O +solid O +eviction O +plan O +before O +engaging O +with O +the O +threat O +actors O +to O +prevent O +them O +from O +reentering O +the O +network O +. O
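Review bot: the same surface form is given different entity labels in different sentences of this hunk, which will distort both training and evaluation if this is the test split: `SWCs S-OS` in the infrastructure paragraph versus `SWCs S-TOOL` in the closing paragraph, `ASPXTool S-MAL` in the tool list versus `ASPXTool S-TOOL` in the lateral-movement and re-entry paragraphs, and `IP O` (C2 IP addresses) versus `IP S-PROT` (whitelisting IP addresses, loopback IP address). Please run a consistency pass so each term carries one label per sense before this file is committed. Related, smaller points in the same hunk: file and path tokens are tagged inconsistently (`log.txt O` and `Files\Microsoft\Exchange O` alongside `w3wp.exe S-FILE` and `At.exe S-FILE`); `8.8.8.8 O` while `127.0.0.1 S-IP`; the multi-token span "credential stealer" is tagged only on its second token (`stealer S-TOOL`) instead of a B-/E- pair like `web B-TOOL` / `shell E-TOOL`; the token `"admin-windows2015" O` keeps its quotes attached whereas the earlier password is split into `" O`, `admin-windows2014 O`, `" O`; and `gsecudmp S-TOOL` in the re-entry paragraph is a misspelling of the `gsecdump S-TOOL` token used in the tool list, which will surface as a spurious out-of-vocabulary entity unless the source text is corrected.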