APT attacks against Israel and Palestine
This short report describes a series of attacks against Israeli and Palestinian interests in which malicious files are delivered to a number of influential or politically relevant organisations. Our investigation found no previously recorded APT activity with exactly this behaviour, although we did find some similar attacks.
The activity dates to the summer of 2014. We obtained the malicious samples from small-scale infrastructure, which suggests that the attackers had limited resources at their disposal.
We began with the file ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9, which we submitted to malwr.com [3] for automated analysis. The sample, originally named Israel Homeland Defense Directory 2015 _Secured_.exe, is shown on the following page.
The original file is a RAR self-extracting archive containing three components. Because our analysts did not recognise the malware as a known APT family, we went on to analyse its details and its intended targets.
0x01 Further analysis
The most common delivery method for this malware is to package it in a RAR archive, but it is not the only one: the attackers also use Visual Basic wrappers and plain installer packages. We believe the distribution channel is to upload the malware to third-party download sites. The following figure shows some related information.
Pomf.se is a small file-sharing and hosting site based in Sweden. Using small sites as a distribution channel appears to be one of the group's characteristics; we have found similar malware, always in the form of executable files, on other small websites. We first analysed the file with SHA256 ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9.
We chose the name DownExecute for this malware, after the PDB path embedded in the binary (see the signature in Appendix C), and identified all of its variants. The following figure shows the common packaging scheme, in which curl is used for the network connection, that is, to download the final malware.
Some of the binaries are also self-signed.
So what does the malware do? It is only a downloader, but it also checks its local environment: it checks for a debugger with IsDebuggerPresent, and for VirtualBox by checking for the device path \\.\VBoxMiniRdrDN.
It also checks for a list of anti-virus products, including any running process whose name contains the word "security".
The malware then decrypts some of its own data, including the address of the attacker's command-and-control server.
It then connects to that server and creates a plaintext file in the same folder in which it logs its activity.
As the preliminary analysis shows, DownExecute does what its name says: it downloads and executes another piece of malware. It has almost no attack capability of its own; it is a tool the attackers use to gain an initial foothold, and the next stage of the intrusion begins only once DownExecute succeeds.
Through further investigation we found more fully featured malware on the same infrastructure, belonging to the Xtreme RAT and Poison Ivy families and using the same domain names as DownExecute; we consider these the second stage delivered after DownExecute. The Poison Ivy samples we observed use the passwords admin2014 and admin!@#$%.
We investigated the domain names the samples connect to; most are dynamic DNS names, mainly from no-ip.com. Tracking by the PwC threat intelligence team links this infrastructure to other small-scale malicious activity in the Middle East. We used Maltego to visualise these relationships.
This campaign differs a little from earlier ones. From previous hacker operations in the Middle East we are familiar with most of the IP addresses and with the hosting providers commonly used; this time the infrastructure mainly points to Host Sailor of Belize.
As noted in our previous report [5], the attackers habitually register domain names that resemble their targets so that they look a little more legitimate. On that basis we did some simple analysis to identify the targets; the full list is in Appendix B.
From this information we judge that the targets are probably dominated by Israeli news media.
We then examined the content of the lure documents. Some were clearly aimed at Israel and focused on military and political affairs.
The document subject matter concerns the Palestine Liberation Organization leader Abbas, and the attackers evidently expect their targets to read fluent Arabic.
0x02 Conclusion
We cannot conclude with certainty that this attack was specifically targeted at the Middle East, but several behaviour patterns point that way:
They favour no-ip.com and its related services. We do not know why, but we did find that several hackers on Arabic underground forums strongly recommend the no-ip service.
They use publicly available malware (Poison Ivy / Xtreme RAT) rather than writing their own.
The targeting appears to be confined to the Middle East, or to some of Israel's sensitive issues.
The password scheme. An earlier FireEye blog post [7] on the Molerats group showed Poison Ivy and Xtreme RAT samples using passwords such as !@#GooD#@! or yes!@#, a similar scheme.
The attackers' decision to write their own dropper, however, may indicate that getting onto the system is their biggest problem (after all, it is an executable ...). The earliest sample we found was compiled in June 2014, and the samples found later were compiled only recently; we believe this activity has been under way for around 12 months.
Appendix
Appendix A: SHA256 hashes
Too long to reproduce here; see the original article.
Appendix C: Signatures
rule DownExecute_A
{
    meta:
        author = "PwC Cyber Threat Operations :: @tlansec"
        date = "2015-04"
        reference = "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html"
        description = "Malware is often wrapped/protected, best to run on memory"
    strings:
        $winver1 = "win 8.1"
        $winver2 = "win Server 2012 R2"
        $winver3 = "win Srv 2012"
        $winver4 = "win srv 2008 R2"
        $winver5 = "win srv 2008"
        $winver6 = "win vsta"
        $winver7 = "win srv 2003 R2"
        $winver8 = "win hm srv"
        $winver9 = "win Strg srv 2003"
        $winver10 = "win srv 2003"
        $winver11 = "win XP prof x64 edt"
        $winver12 = "win XP"
        $winver13 = "win 2000"
        $pdb1 = "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb"
        $pdb2 = "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h"
        $pdb3 = ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h"
        $pdb4 = "\\downloadexcute\\downexecute\\"
        $magic1 = "<win get version info name error"   // letter case and any closing '>' were lost in extraction of this page
        $magic2 = "P@$sw0rd$nd"
        $magic3 = "$t@k0v2rF10w"
        $magic4 = "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM" wide
        $str1 = "Download Excute" ascii fullword
        $str2 = "EncryptorFunctionPointer %d"
        $str3 = "%s\\%s.lnk"
        $str4 = "Mac:%s-Cpu:%s-HD:%s"
        $str5 = "feed back responce of host"
        $str6 = "GET Token at host"
        $str7 = "dwn md5 err"
    condition:
        all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)
}
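The rule's condition is a low bar on purpose: a single PDB path or mutex string is enough to fire, while the generic $str strings need two hits, and $magic4 is only searched in its UTF-16LE ("wide") form. The following is an added example, not part of the PwC report or its YARA rule: a small Python model of the rule's string matching and condition, run over constructed byte buffers (not real samples), so the modifiers can be seen in effect without a YARA install. It assumes YARA's documented semantics for `wide` (UTF-16LE only, since `ascii` is not also given) and `fullword` (no alphanumeric byte on either side), and copies the strings as they are reconstructed in the rule above, including the uncertain case of $magic1. Given yara-python, the real rule can be run instead with `yara.compile(source=rule_text).match(data=buf)`.

```python
import re

# Strings transcribed from the DownExecute_A rule above.
# $magic1 is copied as this page shows it; its original letter case was lost.
WINVER = [
    "win 8.1", "win Server 2012 R2", "win Srv 2012", "win srv 2008 R2", "win srv 2008",
    "win vsta", "win srv 2003 R2", "win hm srv", "win Strg srv 2003", "win srv 2003",
    "win XP prof x64 edt", "win XP", "win 2000",
]
PDB = [
    "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb",
    "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h",
    ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h",
    "\\downloadexcute\\downexecute\\",
]
MAGIC_ASCII = ["<win get version info name error", "P@$sw0rd$nd", "$t@k0v2rF10w"]
MAGIC_WIDE = ["|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM"]   # 'wide' in the rule: UTF-16LE form only
STR_FULLWORD = ["Download Excute"]                              # 'ascii fullword' in the rule
STR_PLAIN = [
    "EncryptorFunctionPointer %d", "%s\\%s.lnk", "Mac:%s-Cpu:%s-HD:%s",
    "feed back responce of host", "GET Token at host", "dwn md5 err",
]


def _found(data: bytes, s: str, wide: bool = False, fullword: bool = False) -> bool:
    """Model YARA text-string matching: 'wide' searches the UTF-16LE encoding,
    'fullword' rejects hits preceded or followed by an alphanumeric byte."""
    needle = s.encode("utf-16-le") if wide else s.encode("latin-1")
    if not fullword:
        return needle in data
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def scan(data: bytes) -> dict:
    """Return the rule strings present in data, grouped the way the rule groups them."""
    return {
        "winver": [s for s in WINVER if _found(data, s)],
        "pdb": [s for s in PDB if _found(data, s)],
        "magic": [s for s in MAGIC_ASCII if _found(data, s)]
                 + [s for s in MAGIC_WIDE if _found(data, s, wide=True)],
        "str": [s for s in STR_FULLWORD if _found(data, s, fullword=True)]
               + [s for s in STR_PLAIN if _found(data, s)],
    }


def matches_downexecute_a(data: bytes) -> bool:
    """condition: all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)"""
    h = scan(data)
    return (len(h["winver"]) == len(WINVER)
            or bool(h["pdb"])
            or bool(h["magic"])
            or len(h["str"]) >= 2)


# Constructed buffers for the example (not real samples): a stub header plus the strings under test.
SAMPLE_PDB = b"MZ\x90\x00" + b"\x00" * 16 + PDB[0].encode() + b"\x00"
SAMPLE_MUTEX_WIDE = b"\x00" * 8 + MAGIC_WIDE[0].encode("utf-16-le") + b"\x00\x00"
SAMPLE_MUTEX_ASCII = b"\x00" * 8 + MAGIC_WIDE[0].encode() + b"\x00"   # ASCII form of a wide-only string: no hit
SAMPLE_ONE_STR = b"Download Excuted\x00dwn md5 err\x00"               # 'Excuted' fails fullword: only 1 of ($str*)
SAMPLE_TWO_STR = b"Download Excute\x00dwn md5 err\x00"                # 2 of ($str*): hit

if __name__ == "__main__":
    for name, buf in [("pdb", SAMPLE_PDB), ("mutex-wide", SAMPLE_MUTEX_WIDE),
                      ("mutex-ascii", SAMPLE_MUTEX_ASCII), ("one-str", SAMPLE_ONE_STR),
                      ("two-str", SAMPLE_TWO_STR)]:
        print(f"{name:12s} match={matches_downexecute_a(buf)} hits={scan(buf)}")
```

The buffers show the practical consequences of the modifiers: the mutex string found as plain ASCII does not fire (the rule only looks for the wide form, which is what a Windows binary built with CreateMutexW carries), and "Download Excuted" does not count towards the 2-of-$str threshold because of `fullword`. As the rule's description says, run it against process memory, since the packed sample on disk may not expose these strings at all.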
Network IDS
alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/gtk)"; flow:established,to_server; urilen:7; content:"/dw/gtk"; http_uri; depth:7; content:"GET"; http_method; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999901; rev:2015200401;)
alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/setup)"; flow:established,to_server; urilen:>8; content:"/dw/setup"; http_uri; depth:9; content:"POST"; http_method; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999902; rev:2015200401;)
alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute Headers"; flow:established,to_server; urilen:>7; content:"Accept */*"; http_client_body; content:"Content-Type: multipart/form-data\; boundary=------------------------"; http_header; content:"ci_session="; http_cookie; depth:11; content:"POST"; http_method; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999903; rev:2015200401;)
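The three rules key on the same traits: fixed short URIs under /dw/, the POST to /dw/setup, and a client that sends no User-Agent or Referer while putting "Accept */*" into the request body rather than the headers. The following is an added example, not part of the PwC report or its signatures: a Python model of the three rules' logic evaluated over constructed HTTP requests (hostnames, cookie and boundary values are invented), so the negated-header and urilen/depth options can be exercised offline. It assumes simplifications of the Snort buffers: urilen is taken on the raw URI, http_header is the raw header lines, and http_cookie is the value of the Cookie header; a real sensor normalises these.

```python
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    header_block: str   # raw header lines (stands in for Snort's http_header buffer)
    headers: dict       # lower-cased header name -> value
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request splitter, enough to evaluate the rule options."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, "\r\n".join(lines[1:]), headers, body)


# Content-Type value the third rule looks for, copied from the rule above.
RULE3_CONTENT_TYPE = "Content-Type: multipart/form-data; boundary=------------------------"


def sid_99999901(r: HttpRequest) -> bool:
    """GET, urilen:7, '/dw/gtk' within depth 7, and no User-Agent or Referer header."""
    return (r.method == "GET" and len(r.uri) == 7 and r.uri[:7] == "/dw/gtk"
            and "user-agent" not in r.headers and "referer" not in r.headers)


def sid_99999902(r: HttpRequest) -> bool:
    """POST, urilen:>8, '/dw/setup' within depth 9."""
    return r.method == "POST" and len(r.uri) > 8 and r.uri[:9] == "/dw/setup"


def sid_99999903(r: HttpRequest) -> bool:
    """POST, urilen:>7, 'Accept */*' in the body, the multipart Content-Type header,
    a cookie beginning 'ci_session=' (depth 11), and no Referer or User-Agent."""
    return (r.method == "POST" and len(r.uri) > 7
            and b"Accept */*" in r.body
            and RULE3_CONTENT_TYPE in r.header_block
            and r.headers.get("cookie", "")[:11] == "ci_session="
            and "referer" not in r.headers and "user-agent" not in r.headers)


RULES = {99999901: sid_99999901, 99999902: sid_99999902, 99999903: sid_99999903}


def match_rules(raw: bytes) -> list:
    """Return the sids that fire on one raw client request (empty if it does not parse)."""
    try:
        req = parse_request(raw)
    except ValueError:          # request line is not 'METHOD URI VERSION'
        return []
    return sorted(sid for sid, check in RULES.items() if check(req))


# Constructed requests for the example (hostnames, cookie and boundary values are invented).
REQ_GTK = b"GET /dw/gtk HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
REQ_GTK_BROWSER = (b"GET /dw/gtk HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")               # UA present: rule 1 negates it
REQ_SETUP = (b"POST /dw/setup?id=1 HTTP/1.1\r\nHost: c2.example.invalid\r\n"
             b"Content-Length: 2\r\n\r\nab")
REQ_UPLOAD = (b"POST /dw/setup HTTP/1.1\r\nHost: c2.example.invalid\r\n"
              + RULE3_CONTENT_TYPE.encode() + b"7a3f\r\n"
              b"Cookie: ci_session=0123456789abcdef\r\n\r\n"
              b"--------------------------7a3f\r\nAccept */*\r\n--------------------------7a3f--\r\n")

if __name__ == "__main__":
    for name, raw in [("gtk", REQ_GTK), ("gtk-browser", REQ_GTK_BROWSER),
                      ("setup", REQ_SETUP), ("upload", REQ_UPLOAD)]:
        print(f"{name:12s} sids={match_rules(raw)}")
```

Two things worth noting from the cases: a browser fetching the same /dw/gtk path does not trigger sid 99999901 because the rule requires the User-Agent and Referer headers to be absent, and a multipart POST to /dw/setup with the malware's cookie and body layout fires both 99999902 and 99999903, so the header rule is the one to keep if the URIs change in a later variant.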