TLP GREEN
PRIORITY INTELLIGENCE REPORT
Actor Type: Criminal
Serial: PIR-18-003-001
Industries: Petrochemical, Energy, Financial, Technology, Aviation, Telecommunications, Education, Healthcare, Military, Government
Countries: Saudi Arabia, Russia, China, Iraq, Iran, Israel, North Korea, U.S
Report Date: 20180103
The Iranian Cyber Evolution: RATs, Backdoors, and Droppers
Summary
Wapack Labs has been monitoring Iranian cyber activity for several years, specifically the evolving OilRig and Greenbug campaigns. Their adoption of a cyber operational paradigm involving both cyber hacktivism and cyber espionage tactics resembles cyber activity patterns employed by Chinese APT groups, whereby different groups perform different campaigns, with multiple teams conducting separate phases of a cyber campaign. With President Trump’s refusal to re-certify Iran’s compliance with the 2015 Iran nuclear agreement, Wapack analysts are researching the continued efforts of Iranian-backed cyber threats in order to detect and defend against next moves.[1]
One common attribute is that they all engage in prolonged reconnaissance campaigns of their targets; at times lasting over a year. Greenbug, a cyber-espionage group with suspected Iranian ties, has been dynamically progressing in such campaigns. In August 2017, a Greenbug tool, dubbed ISMAgent (an ISMDoor variant), resurfaced in the wild to harvest account credentials. Wapack Labs discovered evidence of ISMDoor variants relying on the VB:Trojan.Valyria (possibly Clayside) for delivery, linking Greenbug to another group of Iranian actors known as OilRig. Wapack Labs assesses with moderate confidence that recent activity involving ISMDoor is an indicator of the ramping up of another cyber campaign cycle.
Current U.S. Political Status
The Trump administration is mandated to either re-impose previous sanctions or modify the Iran nuclear agreement. The U.S. Congress has not introduced any additional legislation, effectively making President Trump decide the next steps. To date, the President and Congress have issued several new sanctions targeting the Iranian ballistic missile program and the Islamic Revolutionary Guard Corps (IRGC).[2] The Iranians have not retaliated openly against the new sanctions, but Deputy Foreign Minister Sayed Abbas Araqchi hinted in August 2017 that Iran "will show a very clever reaction”.[3]
Background
The U.S. and Iran have been adversaries since the 1979 Iranian revolution, which transformed Iran from a U.S.-allied monarchy into a hostile anti-American theocracy – opposing America’s influence and Israel’s existence. An added focus for Iran has been Saudi Arabia – typically viewed as a conflict between Shiite and Sunni, it is driven by geopolitical differences.[4] As the U.S. began to notice the balance in the Middle East shifting in Iran’s favor, the U.S. began to isolate Iran more aggressively. In Palestine, Iranian-backed Hamas radicals won the most democratic election ever held in the Arab world and seized control of the Gaza Strip. In Syria, Iran’s closest ally, foreign jihadists were allowed to cross through to Iraq and Iranian arms were being funneled to Hezbollah – undermining the United States’ goals in the region. Following the events of September 11, 2001, the United States targeted the Taliban and Saddam Hussein; both adversaries of Iran that kept Iran’s power in check – now the U.S. must act as the counterbalance to Iran.[5]
In 2006, the tension between Israel and Iran was coming to a breaking point. In order to prevent an Israeli strike on Iranian nuclear facilities, President George W. Bush, having no viable options for dealing with Iran, commenced Operation Olympic Games; an offensive, covert cyber weapon aimed at the Iranian nuclear facility in Natanz, Iran. As President Obama assumed office in 2008, he continued with the operation, increasing the sophistication of the attack. In August 2010, Iran’s nuclear program was crippled due to the STUXNET worm – a cyberwarfare tool/campaign that is suspected to be, but never officially confirmed to be, orchestrated by the United States and Israel. With the follow-up attacks of DUQU and FLAME, campaigns and groups that have allegedly emerged from Iran since 2010 are motivated by revenge and their tools contain pieces of STUXNET code.
Before the STUXNET attack, Iranian-linked groups were mainly involved in only defacement campaigns, as with the Iranian Cyber Army defacing the Twitter accounts of domestic dissidents and activists from Iran’s Green Movement in 2009. Techniques progressed over the next couple years, moving from defacement campaigns to more penetrable attacks; Dutch certificate authority company DigiNotar and the Chinese search engine Baidu. In August 2012, a group calling themselves the ‘Cutting Sword of Justice’ took responsibility for an attack dubbed Shamoon, targeting the Saudi Arabian energy company Saudi Aramco, delivering malware with disk wiping capabilities called Disttrack.B. Several motives behind the Aramco attack are:
- Mistreatment of the Shiites (Iran’s predominant branch of Islam) by Saudi Aramco
- Retaliation for STUXNET, which disrupted Iran’s nuclear enrichment program
- Payback for U.S.-imposed sanctions that have destabilized the Iranian economy.[6]
Credentials harvested for the Shamoon attack were farmed by ISMDoor prior to the attack. The ISMDoor trojan is attributed to a cyberespionage group named Greenbug and used to target Middle Eastern companies in the aviation, energy, government, education, and investment sectors.
In May of 2016 a group named OilRig targeted the Saudi Arabian defense industry[7]. In September 2016, OilRig, attacked two Middle Eastern airline companies. On 16 November 2016, the second wave of disk wiping malware, dubbed Shamoon2, targeted Middle Eastern companies including the General Authority of Civil Aviation (GACA). Three days later, Greenbug, utilizing Shamoon2, dropped the Disttrack wiper on China’s telecommunication company, Huawei, to gain access to administrative credentials to access/wipe Huawei’s Virtual Desktop Infrastructure (VDI). Between 19-24 April 2017, Ben Gurion University (home to Israel’s Cyber Security Research Center) was attacked using the same methods – this time exploiting the Microsoft Word vulnerability in CVE-2017-0199.[8] Two months later in August 2017, an attack against the United Arab Emirates government using ISMAgent showed signs of continued development with its use of ISMInjector, a trojan that injects ISMAgent into processes[9]. Wapack Labs believes the OilRig campaigns and attacks that use ISMDoor, like Shamoon2, are related due to an overlap in malware used between the two. A dropper known as Clayslide is a consistently evolving malware dropper with VB and PowerShell variants used to deliver the Helminth backdoor during OilRig attacks. The ClaySlide dropper also delivered the ISMDoor trojan during an attack against Middle Eastern banks in May of 2016, and again in June of 2017 while targeting a Middle Eastern investment company.
Between the first Shamoon attack in 2012 and the emergence of Greenbug in 2016, Iran was not quiet in their cyber endeavors. Several campaigns transpired; advancing their methods and techniques that eventually gave way to the current landscape of Iranian-based cyber-attacks:
- Operation Ababil (September 2012 – February 2013)
- A 3-phase operation
- Threat Actor: Izz ad-Din al-Qassam (Cyber Fighters)
- Target: NY Stock Exchange, JP Morgan, US Bancorp, Bank of America, Suntrust, other US Financial Institutions
- Method: Distributed Denial of Service (DDoS) attack
- Operation Saffron Rose (June 2013 – May 2014)
- Target: US defense contractors, Iran citizens using anti-censorship tools
- Method: malware
- Operation Newscaster (2014)
- Target: military and political figures
- Method: social networking/social engineering
- Operation Cleaver (2013 – 2014)[10]
- Target: global critical infrastructure organizations
- Method: faked LinkedIn profiles
We believe with moderate confidence that Greenbug, Cutting Sword of Justice (CWoJ), Timberworm (a.k.a. Magic Hound, Cobalt Gypsy), OilRig, and other actors such as Rocket Kitten and Newscaster (a.k.a. Charming Kitten and NewsBeef) have a loose affiliation with an Iranian nexus. The different Iranian originated cyber campaigns by the different groups and/or teams occur within a mixed state sponsored and co-opted civilian hacktivist Iranian based cyber community. The groups or teams appear to conduct separate aspects of a campaign, one performing reconnaissance work – obtaining initial network access, or intelligence gathering work, such as gathering account credentials, while another performs attack operations.
Because the ISMDoor, and its variant ISMAgent, are Trojans used exclusively by the Greenbug/OilRig cyberespionage group prior to large-scale attacks and campaigns, it may be an effective way to predict future targets and identify areas of interest by the Iranian government.
Analysis
Recent ISMDoor activity in the wild is outlined below for situational awareness.
The recent deployment of ISMDoor was done so using the typosquatted domain below:
- thetaraysecurityupdate.com
The company Thetaray is an Israeli Financial fraud security company that provides ATM security software, analytics, and advanced Cyber Security to over 157 countries. The actual website is thetaray.com.
The registration info for the typosquatted domain is listed below. (It should be noted that Wapack Labs had, at last count, 586 sinkhole records of botnet related connections from devices associated with ito.gov.ir, with many occurring in the spring of 2017. Domain registration of one typosquatted domain does not conclusively prove Iranian attribution.)
IP |
Owner |
|
2.187.253.36 |
Information Technology Organization of Iran |
abuse@ito.gov.ir |
The use of the ISMDoor Trojan is further verified by the protocol used when attempting to reach the C2 domain. The newest ISMDoor variants communicate using AAAA DNS queries (IPv6 DNS queries) as their covert communications for Command and Control (C2). This is characterized by a 32-bit Hexadecimal session ID preceded by “n.n.c.” in DNS TXT records. An example of this protocol from a previous incident is shown below:
This protocol artifact is also visible in AAAA records generated during recent communications to the Thetaray typosquatted domain.
Passive DNS records show multiple domains registered on the same day that use a Greenbug naming convention. This naming convention is characterized by using the terms: “update”, “updater”, “secure”, “security” [SIC], and “security”. Examples of this naming convention from previous campaigns include those listed below:
- winsecupdater.com
- msftncsipupdater.com
- microsoftupdated.net
- update.bookiniran.co
- winprotectionupdater.com
- microsoftupdated.net
- winupdate123.com
- winowsautoupdater.com
The domains identified during this incident employ this same naming convention as seen below:
- thetaraysecurityupdate.com
- securepackupdater.com
- allsecpackupdater.com
- biocatchsecurity.com
- arbescurity.com
- covertixsecurity.com
- biocatchsecurity.com
In addition to the preceding listed domains, the following two domains were identified through passive DNS nameserver records as being registered around the same date and time of day.
IP |
Domain |
Owner |
|
2.187.253.39 |
thetaraysecurityupdate.com |
Information Technology Organization |
abuse@ito.gov.ir |
145.239.225.13 |
ns1.biocatchsecurity.com |
OVH |
noc@ovh.net |
46.105.248.175 |
ns1.arbescurity.com |
OVH |
greenwebus@gmail.com |
5.39.31.82 |
ns1.covertixsecurity.com |
OVH |
noc@ovh.net |
Currently, no attacks have been observed against these companies, however, the Greenbug group has an interest in them at some level.
OilRig and Greenbug Links
Examining recent activity revealed that on two previous occasions the ISMDoor Trojan relied on VB:Trojan.Valyria (a.k.a. ClaySlide) for delivery. Linking these two malware families will aid in future tracking of Greenbug / OilRig activities. The following static artifacts exist in recent ISMDoor samples and in VB:Trojan.Valyria samples:
Figure 1. ISMDoor / Valyria / ClaySlide Links
The first VB:Trojan.Valyria sample was used during a campaign targeting banks in the Middle East[11]. The second VB:Trojan.Valyria sample was employed in an attempt to target a large Middle Eastern investment company called Emaratech.
The attempt used a phishing email with the Valyria Trojan included as an attachment. This email attempt occurred in June of this year, however the attached Valyria Trojan was just recently submitted to VirusTotal.
Figure 2. Emaratech Phishing Attempt
The header data shows that this email was sent to the following email address:
- Shahzad.khurram@emaratech.ea
Conclusion
The Greenbug / OilRig group specializes in cyberespionage. Historically, activity attributable to them occurs prior to large attacks and campaigns. Tracking the TTPs used by this group aids in predicting potential targets and identifying Iranian areas of interest. Wapack Labs predicts with moderate confidence that the presence of droppers, backdoors, and RATS that are attributable to OilRig and Greenbug indicate a reconnaissance campaign to harvest credentials that will be followed by a cyber-attack. During the current political climate, Wapack Labs is tracking the movements of Iranian actors to maintain situation awareness for our members.
Additional Reporting:
https://redskyalliance.slack.com/files/U73N65QP5/F8LES74Q4/tir-003-2017_shamoon2.pdf
https://redskyalliance.slack.com/files/U73LECHRD/F7LA9J22G/tir-015-2017_greenbug.pdf
Report by: Scott Hall, Brent Davis, John Petrequin
Approved: Jeff Stutzman
Mitigations
The following YARA Rule identifies the ISMDoor Trojan:
r rule ismdoor_V1 { meta:
description = "Greenbug, ISMdoor variants" author = "Scott Hall(shall@wapacklabs.com)" “Copyright 2018 Wapack Labs LLC ALL RIGHTS RESERVED
strings:
$a = "Tmp98871" $b = "Tmp98872" $c = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" $d = "ismagent.pdb" nocase $e = "AgentV3.exe -c SampleDomain.com" $f = "AgentV2.exe -c SampleDomain.com" $h = "ismagent" nocase $i = "-c SampleDomain.com -m scheduleminutes" nocase $j = "Tmp9932u1.bat" $k = "Tmp43hh11.txt" $l = "Tmp765643.txt"
condition: any of them } |
Appendix A: Estimative Language
We adhere to U.S. Intelligence Community standards with regards to the use of estimative language and judgments. The chart below approximates how judgments or likelihood correlate with percentages. Unless otherwise stated, our judgments are not derived via statistical analysis. Phrases such as “we judge” and “we assess” — and terms such as “probable” and “likely” convey analytical assessments.
Figure 3: Source CIA
High Confidence generally indicates that judgments are based on high-quality information from multiple sources. High confidence in a judgment does not imply that the assessment is a fact or a certainty.
Moderate Confidence generally means the information is credibly sourced and plausible, but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.
Low Confidence generally means the information’s credibly and/or plausibility is uncertain, the information is too fragmented or poorly corroborated to make solid analytic inferences, or the reliability of the sources is questionable.
[1] https://www.washingtontimes.com/news/2017/dec/11/donald-trumps-iran-nuclear-deal-deadline-ignored-c/
[6] https://www.tofinosecurity.com/blog/shamoon-malware-and-scada-security-%E2%80%93-what-are-impacts
[7] https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
[9] https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
Comments