12 Mar Agent.btz: a source of inspiration? Aleks
10 Feb The Careto/Mask APT: Frequently Asked Questions GReAT
26 Sep The Icefog APT: A Tale of Cloak and Three Daggers GReAT
11 Sep Kimsuky APT: Operations possible North Korean links uncovered Dmitry Tarakanov
31 Aug 3rd Latin American Security Analysts Summit in Cancun Dmitry Bestuzhev
14 Aug NSAccess Control Lists Roel
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
The past few days has seen an extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services.
One of the main conclusions also pointed out by research from BAE SYSTEMS, is a connection between the authors of Turla and those of another malicious program, known as Agent.BTZ, which infected the local networks of US military operations in the Middle East in 2008.
We first became aware of this targeted campaign in March 2013. This became apparent when we investigated an incident which involved a highly sophisticated rootkit. We called it the Sun rootkit, based on a filename used as a virtual file system: sunstore.dmp, also accessible as \\.\Sundrive1 and \\.\Sundrive2. The Sun rootkit and Uroburos are the same.
We are still actively investigating Turla, and we believe it is far more complex and versatile than the already published materials suggest.
At this point, I would like to discuss the connection between Turla and Agent.btz in a little more detail.
The story of Agent.btz began back in 2007 and was extensively covered by the mass media in late 2008 when it was used to infect US military networks.
Here is what Wikipedia has to say about it: The 2008 cyberattack on the United States was the worst breach of U.S. military computers in history. The defense against the attack was named Operation Buckshot Yankee. It led to the creation of the United States Cyber Command.
It started when a USB flash drive infected by a foreign intelligence agency was left in the parking lot of a Department of Defense facility at a base in the Middle East. It contained malicious code and was put into a USB port from a laptop computer that was attached to United States Central Command.
The Pentagon spent nearly 14 months cleaning the worm, named Agent.btz, from military networks. Agent.btz, a variant of the SillyFDC worm, has the ability to scan computers for data, open backdoors, and send through those backdoors to a remote command and control server.
We do not know how accurate is the story with the USB flash drive left in the parking lot. We have also heard a number of other versions of this story, which may, or may not be right. However, the important fact here is that Agent.btz was a self replicating computer worm, not just a Trojan. Another important fact is that the malware has dozens of different variants.
We believe that the initial variants of the worm were created back in 2007. By 2011 a large number of its modifications had been detected. Today, most variants are detected by Kaspersky products as Worm.Win32.Orbina.
Curiously, in accordance with the naming convention used by PC Tools, the worm is also named Voronezh.1600 possibly a reference to the mythical Voronezh school of hackers, in Russia.
In any event, it is quite obvious that the US military were not the only victims of the worm. Copying itself from one USB flash drive to another, it rapidly spread globally. Although no new variants of the malware have been created for several years and the vulnerability enabling the worm to launch from USB flash drives using autorun.inf have long since been closed in newer versions of Windows, according to our data Agent.btz was detected 13,832 times in 107 countries across the globe in 2013 alone!
The dynamics of the worms epidemic are also worth noting. Over three years from 2011 to 2013 the number of infections caused by Agent.btz steadily declined; however, the top 10 affected countries changed very little.
|Agent.BTZ detections (unique users)||2011|
|Agent.BTZ detections (unique users)||2012|
|Agent.BTZ detections (unique users)||2013|
The statistics presented above are based on the following Kaspersky Anti-Virus verdicts: Worm.Win32.Autorun.j, Worm.Win32.Autorun.bsu, Worm.Win32.Autorun.bve, Trojan-Downloader.Win32.Agent.sxi, Worm.Win32.AutoRun.lqb, Trojan.Win32.Agent.bve, Worm.Win32.Orbina
To summarize the above, the Agent.btz worm has clearly spread all over the world, with Russia leading in terms of the number of infections for several years.
Map of infections caused by different modifications of Agent.btz in 2011-2013
For detailed information on the modus operandi of Agent.btz, I recommend reading an excellent report prepared by Sergey Shevchenko from ThreatExpert, back in November 2008.
On infected systems, the worm creates a file named thumb.dd on all USB flash drives connected to the computer, using it to store a CAB file containing the following files: winview.ocx, wmcache.nld and mswmpdat.tlb. These files contain information about the infected system and the worms activity logs for that system. Essentially, thumb.dd is a container for data which is saved on the flash drive, unless it can be sent directly over the Internet to the C&C server.
If such a flash drive is inserted into another computer infected with Orbina, the file thumb.dd will be copied to the computer under the name mssysmgr.ocx.
Given this functionality and the global scale of the epidemic caused by the worm, we believe that there are tens of thousands of USB flash drives in the world containing files named thumb.dd created by Agent.btz at some point in time and containing information about systems infected by the worm.
Over one year ago, we analyzed dozens of modules used by Red October, an extremely sophisticated cyber espionage operation. While performing the analysis, we noticed that the list of files that a module named USB Stealer searches for on USB flash drives connected to infected computers included the names of files created by Agent.btz mssysmgr.ocx and thumb.dd.
This means that Red October developers were actively looking for data collected several years previously by Agent.btz. All the USB Stealer modules known to us were created in 2010-2011.
Both Red October and Agent.btz were, in all probability, created by Russian-speaking malware writers. One program knew about the files created by the other and tried to make use of them. Are these facts sufficient to conclude that there was a direct connection between the developers of the two malicious programs?
I believe they are not.
First and foremost, it should be noted that the fact that the file thumb.dd contains data from Agent.btz-infected systems was publicly known. It is not impossible that the developers of Red October, who must have been aware of the large number of infections caused by Agent.btz and of the fact that the worm had infected US military networks, simply tried to take advantage of other peoples work to collect additional data. It should also be remembered that Red October was a tool for highly targeted pinpoint attacks, whereas Agent.btz was a worm, by definition designed to spread uncontrollably and collect any data it could access.
Basically, any malware writer could add scanning of USB flash drives for thumb.dd files and the theft of those files to their Trojan functionality. Why not steal additional data without too much additional effort? However, decrypting the data stolen requires one other thing the encryption key.
The connection between Turla and Agent.btz is more direct, although not sufficiently so to conclude that the two programs have the same origin.
Turla uses the same file names as Agent.btz mswmpdat.tlb, winview.ocx and wmcache.nld for its log files stored on infected systems.
All the overlapping file names are presented in the table below:
In addition, Agent.btz and Turla use the same XOR key to encrypt their log files:
The key is not a secret, either: it was discovered and published back in 2008 and anybody who had an interest in the Agent.btz story knew about the key. Is it possible that the developers of Turla decided to use somebody elses key to encrypt their logs? We are as yet unable to determine at what point in time this particular key was adopted for Turla. It is present in the latest samples (dated 2013-2014), but according to some data the development of Turla began back in 2006 before the earliest known variant of Agent.btz was created.
Now we have determined that Red October knew about the file names used by Agent.btz and searched for them. We have also determined that Turla used the same file names and encryption key as Agent.btz.
So what about a possible connection between Red October and Turla? Is there one? Having analyzed all the data at our disposal, we do not see any overlapping between the two projects. They do not know about each other, they do not communicate between themselves in any way, they are different in terms of their architecture and the technologies used.
The only thing they really have in common is that the developers of both Rocra and Turla appear to have Russian as their native language.
Back in 2012, while analyzing Flame and its cousins Gauss and MiniFlame, we noticed some similarities between them and Agent.btz (Orbina). The first thing we noticed was the analogous naming convention applied, with a predominance of use of files with the .ocx extension. Lets take as an example the name of the main module of Flame mssecmgr.ocx. In Agent.btz a very similar name was used for the log-file container on the infected system mssysmgr.ocx. And in Gauss all modules were in the form of files with names *.ocx.
|Using USB as storage||Yes (hub001.dat)||Yes (.thumbs.db)|
The Kurt/Godel module in Gauss contains the following functionality: when a drive contains a '.thumbs.db' file, its contents are read and checked for the magic number 0xEB397F2B. If found, the module creates %commonprogramfiles%\system\wabdat.dat and writes the data to this file, and then deletes the '.thumbs.db' file.
This is a container for data stolen by the 'dskapi' payload.
Besides, MiniFlame (module icsvnt32) also knew about the .thumbs.db file, and conducted a search for it on USB sticks.
If we recall how our data indicate that the development of both Flame and Gauss started back in 2008, it cant be ruled out that the developers of these programs were well acquainted with the analysis of Agent.btz and possibly used some ideas taken from it in their development activities.
The data can be presented in the form of a diagram showing the interrelations among all the analyzed malicious programs:
As can be seen in the diagram, the developers of all three (even four, if we include Gauss) spy programs knew about Agent.btz, i.e., about how it works and what filenames it uses, and used that information either to directly adopt the functionality, ideas and even filename, or attempted to use the results of the work of Agent.btz.
Summarizing all the above, it is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties. Were the people behind all these programs all the same? Its possible, but the facts cant prove it.
The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.
What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).
The Mask also uses a customized attack against older Kaspersky Lab products in order to hide in the system. This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced threats at the current time. This and several other factors make us believe this could be a state-sponsored operation.
The world of Advanced Persistent Threats (APTs) is well known. Skilled adversaries compromising high-profile victims and stealthily exfiltrating valuable data over the course of many years. Such teams sometimes count tens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.
Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision.
Since 2011 we have been tracking a series of attacks that we link to a threat actor called Icefog. We believe this is a relatively small group of attackers that are going after the supply chain -- targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan.
For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its master via a public e-mail server. This approach is rather inherent to many amateur virus-writers.
However, there were a few things that attracted our attention:
The complete path found in the malware presents some of the Korean strings:
The rsh word, by all appearances, means a shortening of Remote Shell and the Korean words can be translated in English as attack and completion, i.e.:
We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:
|The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.|
Last week, I attended the International Conference on Cyber Security at Fordham University in NYC. This event brought together participants from government, the private sector and academia. The closing session was a panel featuring the directors of the CIA, FBI and NSA which drew a lot of attention.
FBI Director Robert Mueller speaking at the closing panel
Throughout the conference, there was a strong push for more cooperation internationally and between different sectors. While cooperation has come a long way, we still have a long way to go.
The topic of cyber-espionage didn't come up as much as I've been used to in recent times. Instead, there was more talk on cyber-sabotage with several presentations talking about this problem.
Lavabit was one of the very few secure e-mail service providers bringing security for its paid customers by encrypting all locally stored e-mail messages with an asymmetric key and AES-256. This means that in order to decrypt the messages, an attacker would need to compromise the server first and then to know your password. There was no way even for Lavabit to decrypt emails without a users password. A detailed description of how the Lavabit technology worked is available here: pastebin.com/rQ1Gvfy0
Over the last few years, we have been monitoring a cyber-espionage campaign that has successfully compromised more than 350 high profile victims in 40 countries. The main tool used by the threat actors during these attacks is NetTraveler, a malicious program used for covert computer surveillance.
The name NetTraveler comes from an internal string which is present in early versions of the malware: NetTraveler Is Running! This malware is used by APT actors for basic surveillance of their victims. Earliest known samples have a timestamp of 2005, although references exist indicating activity as early as 2004. The largest number of samples we observed were created between 2010 and 2013.
The NetTraveler builder icon
While researching PlugX propagation with the use of Java exploits we stumbled upon one compromised site that hosted and pushed a malicious Java applet exploiting the CVE 2013-0422 vulnerability. The very malicious Java application was detected heuristically with generic verdict for that vulnerability and it would have been hardly possible to spot that particular site between tons of other places where various malicious Java applications were detected with that generic verdict. But it was a very specific search conducted back then and this site appeared in statistics among not so many search results. Well, to be honest it was a false positive in terms of search criteria, but in this case it was a lucky mistake.
The infectious website was an Internet resource named - minjok.com and it turned out to be a news site in Korean and English languages covering mostly political events around the Korean peninsula. We notified an editor of this site about the compromise and although he has not responded, the site got closed after a while.
This is how minjok.com is described at http://www.northkoreatech.org/the-north-korean-website-list/minjok-tongshin/:
Description of minjok.com
During our research on the Winnti group we discovered a considerable amount of Winnti samples targeting different gaming companies. Using this sophisticated malicious program cybercriminals gained remote access to infected workstations and then carried out further activity manually.
Naturally, we were keen to find out how the malicious libraries spread across a local network. To do so, we tracked the attackers- activity on an infected computer.
At the beginning of the investigation we ran the malicious programs on a virtual machine, which worked fairly well - we even spotted some cybercriminal activity. But they quickly realized it wasn-t a computer they wanted to net. Once that was the case, the attackers- servers stopped responding to requests from bots working on virtual machines.
This is what we managed to learn at this stage of our monitoring.
First of all, the perpetrators looked at what was happening on the victim-s desktop. After that they enabled the remote command line and used it to browse the root folder of the current disk, searched for the file winmm.dll, and checked the operating system version. The ListFileManager plugin then came into play. It works with the file system and the attackers used it to browse the folders C:\Windows and C:\Work. Then they tried to restart the computer, but made a mistake in the parameters of the ?shutdown command, having typed ?shutdown /t /r 1 (the computer should have been restarted in 1 second), but after a while they shut the computer down completely with the use of the correct command ?shutdown /s /t 1.