Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370

While many advanced persistent threat (APT) groups have increasingly embraced strategic Web compromise as a malware delivery vector, groups also continue to rely on spear-phishing emails that leverage popular news stories. The recent tragic disappearance of flight MH 370 is no exception. This post will examine multiple instances from different threat groups, all using spear-phishing messages and leveraging the disappearance of Flight 370 as a lure to convince the target to open a malicious attachment.

“Admin@338” Targets an APAC Government and U.S. Think Tank

The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.

The attachment dropped a Poison Ivy variant into the path C:\DOCUME~1\admin\LOCALS~1\Temp\kav.exe (MD5: 9dbe491b7d614251e75fb19e8b1b0d0d), which, in turn, beaconed outbound to www.verizon.proxydns[.]com. This Poison Ivy variant was configured with the connection password “wwwst@Admin.” The APT group we refer to as Admin@338 has previously used Poison Ivy implants with this same password. We document the Admin@338 group’s activities in our Poison Ivy: Assessing Damage and Extracting Intelligence paper. Further, the domain www.verizon.proxydns[.]com previously resolved to the following IP addresses that have also been used by the Admin@338 group:

IP Address First Seen Last Seen
103.31.241.110 2013-08-27 2013-08-28
174.139.242.19 2013-08-28 2013-08-31
58.64.153.157 2013-09-03 2014-03-07
59.188.0.197 2014-03-07 2014-03-19


Knowing Your Attacker — Clues Embedded in the Infection Life Cycle

Without the ability to perform offensive counter-operations, or the aid of significant SIGINT capabilities, 99 percent of private companies lack the ability to do true attribution to the operator level of cyber attacks. This difficulty is especially exacerbated when trying to analyze disjoint malware artifacts from the exploit life cycle. That is to say, even when a skilled malware analyst is handed an executable file out of context, it is difficult or impossible for him or her to say whether the attacker was Hyun-soo Kim, Ivo Russinov, or Edward Snowden. Most non-government organizations simply lack the situational G2 and knowledge of adversary TTPs to confidently (or at least, accurately) point the finger at a specific actor, or frankly, even a nation-state. Most of this reality is due to the fact that they can only see the small subset of malware that a) has been used against them, and b) that they can detect. That being said, when examining attacks within their full context - from targeting, to attacking, to the installation of long term implants, to lateral movement, and finally to data exfiltration - certain tippers can be gleaned from technical artifacts left in each stage that help paint the picture in broad strokes.


Sanny CnC Backend Disabled

We recently encountered in the wild another sample related to the Sanny APT. For readers who are not familiar with the Sanny APT, please refer to our previous blog for the background. The sample used the same lure text and the same CVE-2012-0158 vulnerability. However, this time it used a different board named “ecowas_1” instead of the “kbaksan_1” board employed previously. The following are the CnC URLs, extracted from the samples, that list the stolen data entries:

New -> hxxp://board.nboard.net/list.php?db=ecowas_1&p=1

Previous -> hxxp://board.nboard.net/list.php?db=kbaksan_1&p=1

To Russia With Targeted Attack

Looking at the human aspect of offensive cyber operations is one of the most interesting parts of a malware analyst’s day. Malware that was generated by an algorithm, such as a polymorphic PDF, is a little boring because you know you aren’t fighting against a human on the other side of the keyboard. However, when dealing with nation-state sponsored intrusions, or at least deliberate attacks against a specific group of people, it’s interesting to look at the different stages of the attack, from victim selection, to attack method, to what kind of data is exfiltrated. We recently discovered an attack that appeared to be against primarily Russian targets.


Defining Advanced Malware is as Difficult as Preventing It (Part 1 of 2)

Advanced targeted attacks—or the ubiquitous advanced persistent threat (APT), if you prefer—have captured the attention of the security industry because of their clandestine and sinister nature. Unfortunately, it is almost as challenging to get the security industry to agree on what constitutes an APT as it is to protect against one, but we can identify and agree upon a few common themes.

Before I begin, I do want to make reference to testimony before Congress from Richard Bejtlich, currently CSO at Mandiant and formerly USAF. Rather than summarize, I’ll quote from the hearing on “Developments in China’s Cyber and Nuclear Capabilities”:

“…I use the strict definition of APT as created by the Air Force in 2006, namely as an unclassified reference to intrusion sets ultimately traced back to actors in China.”

This is a very fair and accurate definition. However, at its core, it requires the big “A”—attribution. Private companies (excluding government contractors) rarely have the ability to accurately identify a specific attacker, so distinguishing among a PLA unit, a university training program, and a contracted hacker is difficult. Because of that missing link, and because many have misused the term, many attacks are miscategorized as APT simply for being “advanced.”

Having said that, whether an attack is APT (or more accurately, if the attacker is the APT), or whether the attack is from another well-financed adversary, the TTPs have significant overlap. A typical scenario combines sophisticated exploits and social engineering to breach networks, execute malware instances, and establish communication with command and control (C&C) servers. As a result, technologies that examine executable files, monitor outbound communication, or analyze suspicious patterns in the network have become very popular; however, the effectiveness of some such solutions is questionable at best since advanced malware is constantly evolving to stay a step ahead of detection.

In this post, I will delineate the key characteristics of an advanced persistent threat and discuss some of the common approaches to mitigation. In a follow-up post, I will deconstruct why these common approaches are little more than a Band-Aid on a gaping wound.


Spear phished by FireEye?

Blogging about crimeware (commodity malware that infects victims in a purely opportunistic fashion) is an easy thing to do ethically, as the “victim” often does not add much value to the story. Also, there are so many copies of the malware publicly available that talking about the threat does not compromise your collection source, and in general, we try to avoid “naming names” for the sake of shaming anyone.

In the case of crimeware, whether a home user or a chemical company gets compromised by a DDoS bot, the malware is going to act pretty much the same. For this reason, publicly talking about those types of threats doesn’t lead you into discussions of, “But now they know that you know!”


An overview of Rustock

As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a coordinated effort. All parties involved were bound by a sealed federal lawsuit against the John Does involved, but now that the case has been unsealed, it’s time to talk about a few of the details. Why has Rustock been so successful for so long? How has it managed to stay off the radar, yet be the largest spammer in the history of the Internet? Why has it taken so long for anyone to take action against them?


Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)

“Wait … *beep beep* back up for a second, Alex. I heard 3fn was brought down by the FTC!”

That would be correct! On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert, APX Telecom, APS Communications) off the Internet. I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad Actors blog series. I decided to wait until a little time had passed before publishing details so as not to tip off 3fn and possibly ruin an investigation. (Note that the investigatory group that approached me was at the federal level, but was not the FTC.)

Below you’ll find my analysis of their IP blocks and a large amount of data about the Bad Actors that they supported. Most of the links below are completely Not Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content. It’s not advised that you actually visit any of them. I also have more content that I didn’t post, and if you’re interested in it, feel free to drop me a line.


SPAM bots have bugs too!

As you may or may not know, the popular SPAM bots work off something called a "template". These templates contain tokens that the system-resident malware replaces with entries from a word list that is periodically fetched from an external server. In the past we've seen some bots that clearly separate the template update mechanism from the C&C communication (like Pushdo/Cutwail) and some that combine the two into one blurry malware package (like Rustock or Grum).


A new method to monetize scareware

Scareware in the form of Rogue AntiVirus software, such as XpAntiVirus2009, has long been a way to monetize infected computers. Previously, the Rogue AVs would present you with screens listing malware you didn't have, and for a nominal fee, you could buy the full version and clean the "infections".

Over the past couple of days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, etc.) on your system and, "coincidentally", pushes a program called FileFix Pro 2009 that will decrypt them - for a fee. Although we (Julia) broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom. Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.

Vundo has fundamentally altered its criminal business model from "Scareware" tactics to "Ransomware" extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing.
