Cyber Intelligence 2017 Summary Report

By ClearSky Research Team

January 1, 2018


This is the preface of our Cyber Intelligence 2017 Summary Report. To get the full report for free, send a request to info[@]

Major cyber trends in 2017

The most significant attacks this year were executed by organized cybercrime groups and nation-state actors

Over the last two years, cyberspace has become a prominent medium for fighting between countries. Among the major global cyber actors, Russia is both the most significant nation-state actor, and the most prolific habitat for cybercrime groups, who stole in the past year billions of dollars using ransomware and spear phishing targeted attacks.

Cyber-attacks targeting democratic processes and public perception

This year we observed cyber-attacks that were executed with an end goal of undermining democratic processes by spreading misinformation in order to alter public opinion, as well as sabotaging elections and public opinion polls by various means. For instance, creating thousands of fake social media profiles, and blatantly trying to influence other countries’ electoral processes. This can be seen for example, in the propagation of fake news in Ukraine, attempting to alter election results in the US and France, and attempting to influence the outcome of the Brexit referendum.

Continue Reading

Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets – And the HBO Hacker Connection

By ClearSky Research Team

December 5, 2017

Threat actors

Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes their vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation, made up organizations and individuals, spear phishing and watering hole attacks. We analyze their exploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware developed by the attackers, which has not been publicly documented to date.

Incidents documented in this report are likely a small fraction of the actual amount of targeted attacks, which may reach thousands of individuals. We expose more than 85 IP addresses, 240 malicious domains, hundreds of hosts, and multiple fake entities – most of which were created in 2016-2017. The most recent domains (com-archivecenter[.]work, com-messengerservice[.]work and com-videoservice[.]work) were registered on December 2nd, 2017, and have probably not been used in attacks yet.

Continue Reading

LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America

By ClearSky Research Team

November 2, 2017


leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica. It has been operating since November 2016 at least. We are uncertain of its objectives but estimate it is  criminally motivated.

leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control.  Hundreds of malware samples have been used, most are Remote Access Trojans and keyloggers.

Interestingly, the attackers camouflage one of their delivery domains by redirecting visitors to El Universal, a major Mexican newspaper.


Below are samples of malicious Office documents delivered to targets. These documents contain macros that run PowerShell, which downloads and run various payloads from domains and hosts controlled by the attackers.

Ministerio de Hacienda El Salvador – Declaraciones Pendientes folio 34598.docm

Continue Reading

Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies

By ClearSky Research Team

October 24, 2017


Iranian Threat Agent Greenbug  has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies.

On 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq.  The sample name was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:

C:\Users\Void\Desktop\v 10.0.194\x64\Release\swchost.pdb

Two domains were used for command and control:


Continue Reading

Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug

By ClearSky Research Team

August 28, 2017


Recently we detected new samples and Infrastructure of ISMAgent,  a trojan in use by Iranian Threat Group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64 digital certificate and decoded via certutil.exe. This post describes the new campaign.


Sample change (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL:


Continue Reading

The Economy Behind Phishing Websites Creation

By ClearSky Research Team

August 23, 2017


The main aim of this research is to understand and describe the eco-systems of fake websites developers and designers, and the basic economy behind creation of fake websites that impersonate legitimate websites of banks, credit cards companies and corporations. Mostly, the aim of those fake websites is stealing credential (banking or corporate) or credit cards information.

As part of this research we checked dozens of popular Russian and English-speaking underground boards and forums, looking for vendors’ topics that provide services of fake webpages creation.  On the second stage, when it was available, we conducted HUMINT operation and made a direct contact with those cybercrime vendors of fake sites via instant messaging (mostly jabber) to get deeper understanding of their skills, works and pricing.

Totally, we have checked about 15 different phishing vendors, when the main criteria were the skills of the vendor, the prices and how he makes the fake site.

We have checked a price for two main types of fake sites:

  1. Banking login page that is similar to real one – when the aim is to steal the login and the password to banking account.
  2. Second stage to the banking login page in order to steal additional information – page that do not exist in real bank website and asks the user to enter their credit cards number, expiration date and CVV number.

In addition, we have checked whether the vendors are just duplicating the original website, or developing it from scratch/partially.

Why does it matter? – Because mostly the duplicated websites are being exposed and taken down quicker, and as one vendors (Vendor9) told us – duplicated websites, in many cases are being blocked by Chrome/Safari:

Some of the vendors (like Vendor5), also add some kinds of filters to prolong the time of the fake website till it is being exposed:

We have seen that some of the vendors, mostly the more qualified ones are aware of those issues and mention it in the conversation, while the lower quality “developers”, or in other words the script kiddies who try to earn money don’t even understand what is the difference between just duplicate a website and develop a fake from scratch. To note, that some of the vendors, duplicate the website and make basic “cleaning” i.e. basic changes in HTML and content.

Below is a table that summarizes the key points of the research (to note that in the public version of this report we censored the nicknames of the vendors. This is done for the purpose of not promoting them):


We can see that there are two different types of professionals who are required to fake websites creation: the developers and the designers. Some of the fake websites service providers, who are developers, work with 3rd party designers when a design / change in the websites is required. We can see it from our conversation with one of the vendors named “Vendor2”:

From pricing point of view, the average price for banking login page is about 60$, when the pricing is mostly divided into two groups, those who just duplicate the original site mostly price it at about 20-30$ and those who develop the fake website from scratch price it at 50$ or more, when some of the vendors ask about 150-200$ for their work.

When we asked for pricing for additional page that not exist at real websites, for grabbing and stealing credit cards data, in some cases the price was significantly raised because this additional page required some development and design work, and not just duplicating existing page.

Some of the fake sites vendors, also develop different tools and panels that allow them to collect in a proper and comfortable way the stolen credentials and offering it for additional payment to fake websites buyers.

One of the additional services that some vendors offer is control panels that allow collecting all the required data and log in convenient manner.

One panel is introduced and beign sold by “Vendor3”:

Another one is built and developed by “Vendor5”:

Most of the vendors, work very hard to promote their services, constantly pump up their topics in different forums, and although the basic pricing of most of them is relatively low, in order to gain proper reputation, they offer various kinds of actions and discount.

For example, one of the young leading vendors of the last year, “Vendor1”, offered free creation of fake websites for TLD .de for limited time:

This quotation, as well as most of the quotations, and conversations with the vendors, was originally in Russian, and were translated, edited and redacted when it was necessary, while we tried to keep the essence of the chat and the language level as near to the original as it was possible.

In terms of time, there are vendors who are ready to conduct their work in timeframe of ten minutes or within an hour, but there are vendors who ask for several days.

Some of the vendors also publish colorful advertisements:



As they are acting as service providers, most of the vendors are very polity and patient to answer any questions that potential clients have (even too polite):

One of the vendors we had a conversation with, mentioned also some interesting points about creating good banking fakes:

In this research, we present in depth the vendors, their modus operandi and pricing and examples of their previously done works.

Read the full report:  The Economy behind Phishing Websites Creation

For full, uncensored version of report – email

Continue Reading

Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus

By ClearSky Research Team

July 25, 2017

Threat actors

CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity [1]. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag [2].

In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip.

Continue Reading

Recent Winnti Infrastructure and Samples

By ClearSky Research Team

July 18, 2017


On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings.

The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is presented below (we redacted personally identifiable information):

When the document is opened, it downloads and runs a file from the following URL:


Which contains a short VBS script:

The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995) from the following URL:


Which uses backup.aolonline[.]cc as command and control server.

Indicators of compromise

Pivoting on IPs, code signing certificates, and domain registration details, we found further parts of the infrastructure, some got back to 2015. Most of them have been tagged as relating to “Casper aka LEAD” in a public PassiveTotal project by Cylance (However, we could not find a public report). Most sample were detected by Proofpoint as “ETPRO TROJAN Casper/LEAD DNS Lookup” (this signature was published in May 03, 2017).

The Maltego graph below depicts the relationship among the indicators (click to enlarge):

Domain googlesoftservice[.]net
Domain igooglefiles[.]com
Domain aolonline[.]cc
Domain facebooknavigation[.]com
Domain googlecustomservice[.]com
Domain find2find[.]com
Domain tiwwter[.]net
Domain luckhairs[.]com
Domain googlerenewals[.]net
Domain pornsee[.]tv
Filename NSLS.dll
Filename HelpPane.exe
Filename nsls.dll
Filename conf.exe
Filename HelpPane.exe
Filename msimain17.sdb
Filename shell.exe
Filename 715578187~.exe
Filename COMSysAppLauncher.exe
Filename SysAppLauncher.dll
Filename curriculumvitae.rtf
Filename cryptbase.exe
Filename sign.exe
Filename mess.exe
Filename cryptbasesvc.dll
Filename video(20170201)_2.exe
Filename cryptbasesvc.dll
Filename cryptbase.dll
Filename COMSystemApplicationLauncher.dll
Hash 09ec3b13ee8c84e07f5c55b0fa296e40
Hash d8cc0485a7937b28fc242fbc69331014
Hash 5096b87a9dec78f9027dec76a726546d
Hash e4c5cb83ae9c406b4191331ef5bef8ff
Hash 09ec3b13ee8c84e07f5c55b0fa296e40
Hash 32c0c3bfa07220b489d8ff704be21acc
Hash 82496f6cede2d2b8758df1b6dc5c10a2
Hash 27491f061918f12dcf43b083558f4387
Hash 5096b87a9dec78f9027dec76a726546d
Hash 58c66b3ddbc0df9810119bb688ea8fb0
Hash a4b2a6883ba0451429df29506a1f6995
Hash e88f812a30cfb9fc03c4e41be0619c98
Hash f4da908122d8e8f9af9cf4427a95dd79
URL http://54.245.195[.]101/sign.exe
URL http://54.245.195[.]101/test.rtf
URL http://54.245.195[.]101/shell.exe
URL http://54.245.195[.]101/mess.exe
URL http://signup.facebooknavigation[.]com/
Host mess[.]googlerenewals[.]net
Host us[.]igooglefiles[.]com
Host signup[.]facebooknavigation[.]com
Host signup[.]facebooknavigation[.]com
Host signup[.]facebooknavigation[.]com
Host bot[.]new[.]googlecustomservice[.]com
Host jp[.]googlerenewals[.]net
Host xn--360tmp-k02m[.]new[.]googlecustomservice[.]com
Host us[.]igooglefiles[.]com
Host cdn[.]igooglefiles[.]com
Host xn--360tmp-k02m[.]tmp[.]googlecustomservice[.]com
Host xn--360tmp-k02m[.]www[.]googlecustomservice[.]com
Host ftp[.]googlecustomservice[.]com
Host game[.]googlecustomservice[.]com
Host www[.]googlecustomservice[.]com
Host new[.]googlecustomservice[.]com
Host bot[.]googlecustomservice[.]com
Host vnew[.]googlecustomservice[.]com
Host tmp[.]googlecustomservice[.]com
Host xn--360tmp-k02m[.]googlecustomservice[.]com
Host hk[.]uk[.]igooglefiles[.]com
Host us[.]uk[.]igooglefiles[.]com
Host www[.]uk[.]igooglefiles[.]com
Host lead1[.]uk[.]igooglefiles[.]com
Host cdn[.]uk[.]igooglefiles[.]com
Host show[.]uk[.]igooglefiles[.]com
Host uk[.]uk[.]igooglefiles[.]com
Host news[.]googlesoftservice[.]net
Host news[.]facebooknavigation[.]com
Host mess[.]googlerenewals[.]net
Host signup[.]facebooknavigation[.]com
Host backup[.]aolonline[.]cc
Host uk[.]igooglefiles[.]com
Host news[.]aolonline[.]cc


The indicators are available on PassiveTotal.

Continue Reading

The Rainmaker, Philadelphia and Stampado Ransomware Vendor is Expanding his Services

By ClearSky Research Team

May 9, 2017


ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that develop and sell malware, exploits, bots and ransomware.

We have recently encountered very aggressive jabber spam campaign, advertising the “Philadelphia” ransomware.

As Brian Krebs wrote in one of his recent post,  Philadelphia is  a ransomware-as-a-service crime ware package that is sold for roughly $400 to would-be cyber criminals who dream of carving out their own ransomware empires. Philadelphia has many features, including the ability to generate PDF reports and charts of victims to track the campaigns, as well as the ability to plot victims around the world using Google Maps.[1]

This is a screenshot of the jabber spam campaign:

In his post from March, Brian Krebs described the highly professional YouTube movie[2] advertising this Ransomware.

In addition to this movie, a professional and well-designed website was created by Philadelphia vendor in February 2017:


This website advertises both the Philadelphia and Stampado Ransomware, but also advertises other services and tools that are provided by the same person:

Continue Reading

Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA

By ClearSky Research Team

April 5, 2017


Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and two families of Google Android malware we are calling SECUREUPDATE and VAMP.

Read the full report at Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA.



Continue Reading