This is the preface of our Cyber Intelligence 2017 Summary Report. To get the full report for free, send a request to info[@]clearskysec.com
The most significant attacks this year were executed by organized cybercrime groups and nation-state actors
Over the last two years, cyberspace has become a prominent medium for fighting between countries. Among the major global cyber actors, Russia is both the most significant nation-state actor and the most prolific habitat for cybercrime groups, which stole billions of dollars in the past year using ransomware and targeted spear-phishing attacks.
Cyber-attacks targeting democratic processes and public perception
This year we observed cyber-attacks executed with the end goal of undermining democratic processes: spreading misinformation to alter public opinion, and sabotaging elections and public opinion polls by various means, for instance by creating thousands of fake social media profiles and blatantly trying to influence other countries’ electoral processes. Examples include the propagation of fake news in Ukraine, attempts to alter election results in the US and France, and attempts to influence the outcome of the Brexit referendum.
Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets – And the HBO Hacker Connection
Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes their vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation, made-up organizations and individuals, spear phishing and watering hole attacks. We analyze their exploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware developed by the attackers, which has not been publicly documented to date.
Incidents documented in this report are likely a small fraction of the actual amount of targeted attacks, which may reach thousands of individuals. We expose more than 85 IP addresses, 240 malicious domains, hundreds of hosts, and multiple fake entities – most of which were created in 2016-2017. The most recent domains (com-archivecenter[.]work, com-messengerservice[.]work and com-videoservice[.]work) were registered on December 2nd, 2017, and have probably not been used in attacks yet.
leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica. It has been operating since at least November 2016. We are uncertain of its objectives but estimate it is criminally motivated.
leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used, most of them Remote Access Trojans and keyloggers.
Interestingly, the attackers camouflage one of their delivery domains by redirecting visitors to El Universal, a major Mexican newspaper.
Below are samples of malicious Office documents delivered to targets. These documents contain macros that run PowerShell, which downloads and runs various payloads from domains and hosts controlled by the attackers.
Ministerio de Hacienda El Salvador – Declaraciones Pendientes folio 34598.docm
Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies.
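As an added example (not from the report), a small Python check that refangs the report's `[.]` notation and scores a newly observed domain against a watch list of brand names; the brand names in WATCHLIST are constructed placeholders, and the TLD-prefix heuristic is tuned to the `com-…[.]work` pattern of the Charming Kitten domains listed above.

```python
import difflib
import re

# Constructed watch list of brand names to protect (placeholders, not from the report).
WATCHLIST = ["examplebank", "acmecyber"]

# Registrable labels such as "com-archivecenter" mimic a "brand.com-..." hostname.
TLD_PREFIX_RE = re.compile(r"^(com|net|org|co)-")


def refang(domain: str) -> str:
    """Turn defanged notation (com-x[.]work) back into a plain lowercase hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def registrable_label(host: str) -> str:
    # Naive second-level label; no public-suffix-list handling (fine for .work/.com).
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def score_lookalike(domain: str, watchlist=WATCHLIST, threshold: float = 0.8) -> dict:
    """Return the reasons a domain looks like brand impersonation, if any."""
    host = refang(domain)
    label = registrable_label(host)
    reasons = []
    if TLD_PREFIX_RE.match(label):
        reasons.append("label-starts-with-tld-prefix")
    for brand in watchlist:
        if brand in label:
            reasons.append(f"contains-brand:{brand}")
            continue
        # Character-level similarity catches single-character swaps (l -> 1, o -> 0).
        ratio = difflib.SequenceMatcher(None, brand, label).ratio()
        if ratio >= threshold:
            reasons.append(f"similar-to-brand:{brand}:{ratio:.2f}")
    return {"domain": host, "label": label, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    # Two domains from the report plus two constructed ones.
    for d in ["com-archivecenter[.]work", "com-messengerservice[.]work",
              "examp1ebank[.]com", "weather.example"]:
        print(score_lookalike(d))
```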
On 15 October 2017, a sample of ISMdoor was submitted to VirusTotal from Iraq. The sample name was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:
Two domains were used for command and control:
Recently we detected new samples and infrastructure of ISMAgent, a trojan used by the Iranian threat group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64-encoded digital certificate and decoded via certutil.exe. This post describes the new campaign.
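To illustrate the certificate disguise from a defender's side, here is an added Python check (not code from the report or from the malware) that inspects a PEM-looking blob the way certutil -decode would, base64-decodes the body, and reports whether the result is a DER certificate or a PE image; the sample inputs are constructed in the block and contain no real malware.

```python
import base64
import re
import struct

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _fake_pe() -> bytes:
    # Constructed minimal DOS/PE header: "MZ" magic, e_lfanew at 0x3c -> "PE\0\0".
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", hdr, 0x3c, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


def _fake_der() -> bytes:
    # Constructed DER SEQUENCE, as every real X.509 certificate begins (tag 0x30).
    body = b"\x02\x01\x01"
    return b"\x30" + bytes([len(body)]) + body


def wrap_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in BEGIN/END CERTIFICATE lines, 64 chars per line."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def classify_cert_blob(text: str) -> str:
    """Classify a .cer/.crt-looking file by what its base64 body actually decodes to.
    certutil -decode ignores the header lines, so a PE can hide inside them."""
    m = PEM_RE.search(text)
    if not m:
        return "not-pem"
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if raw[:2] == b"MZ" and len(raw) >= 0x40:
        e_lfanew = struct.unpack_from("<I", raw, 0x3c)[0]
        if raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "dos-executable"
    if raw[:1] == b"\x30":
        return "der-certificate"
    return "unknown"
```

In practice the same check belongs on any file that certutil.exe is asked to decode, since a genuine certificate never decodes to an MZ header.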
Sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL:
The main aim of this research is to understand and describe the ecosystem of fake-website developers and designers, and the basic economy behind the creation of fake websites that impersonate legitimate websites of banks, credit card companies and corporations. Mostly, the aim of these fake websites is to steal credentials (banking or corporate) or credit card information.
As part of this research we checked dozens of popular Russian- and English-speaking underground boards and forums, looking for vendors’ threads offering fake-webpage creation services. In the second stage, when available, we conducted a HUMINT operation and made direct contact with these cybercrime vendors of fake sites via instant messaging (mostly Jabber) to gain a deeper understanding of their skills, work and pricing.
In total, we checked about 15 different phishing vendors; the main criteria were the vendor’s skills, prices and how they build the fake site.
We have checked a price for two main types of fake sites:
- A banking login page similar to the real one – the aim being to steal the login and password for a bank account.
- A second stage after the banking login page, to steal additional information – a page that does not exist on the real bank website and asks the user to enter their credit card number, expiration date and CVV.
In addition, we checked whether the vendors simply duplicate the original website or develop it from scratch/partially.
Why does it matter? Because duplicated websites are mostly exposed and taken down quicker, and as one vendor (Vendor9) told us, duplicated websites are in many cases blocked by Chrome/Safari:
Some of the vendors (such as Vendor5) also add various kinds of filters to prolong the time before the fake website is exposed:
We have seen that some of the vendors, mostly the more qualified ones, are aware of these issues and mention them in conversation, while the lower-quality “developers”, or in other words the script kiddies trying to earn money, do not even understand the difference between just duplicating a website and developing a fake from scratch. Note that some of the vendors duplicate the website and do basic “cleaning”, i.e. basic changes to the HTML and content.
Below is a table that summarizes the key points of the research (note that in the public version of this report we censored the vendors’ nicknames so as not to promote them):
We can see that two different types of professionals are required for fake website creation: developers and designers. Some of the fake website service providers, who are developers, work with third-party designers when a design change in the website is required. This can be seen in our conversation with one of the vendors, “Vendor2”:
From a pricing point of view, the average price for a banking login page is about $60, with pricing mostly divided into two groups: those who just duplicate the original site mostly price it at about $20-30, and those who develop the fake website from scratch price it at $50 or more, with some vendors asking about $150-200 for their work.
When we asked for pricing for an additional page that does not exist on the real website, for grabbing and stealing credit card data, in some cases the price was raised significantly, because this additional page required some development and design work and not just duplicating an existing page.
Some of the fake site vendors also develop various tools and panels that allow them to collect the stolen credentials in a proper and convenient way, and offer them to fake website buyers for an additional payment.
One of the additional services some vendors offer is control panels that allow collecting all the required data and logs in a convenient manner.
One panel is introduced and being sold by “Vendor3”:
Another one is built and developed by “Vendor5”:
Most of the vendors work very hard to promote their services, constantly bumping their threads in different forums, and although the basic pricing of most of them is relatively low, they offer various kinds of promotions and discounts in order to build a proper reputation.
For example, one of the young leading vendors of the last year, “Vendor1”, offered free creation of fake websites for the .de TLD for a limited time:
This quotation, like most of the quotations and conversations with the vendors, was originally in Russian and was translated, edited and redacted where necessary, while we tried to keep the essence of the chat and the language level as close to the original as possible.
In terms of time, some vendors are ready to do the work within ten minutes or an hour, while others ask for several days.
Some of the vendors also publish colorful advertisements:
As they act as service providers, most of the vendors are very polite and patient in answering any questions potential clients have (even too polite):
One of the vendors we spoke with also mentioned some interesting points about creating good banking fakes:
In this research, we present in depth the vendors, their modus operandi and pricing, and examples of their previous work.
Read the full report: The Economy behind Phishing Websites Creation
For full, uncensored version of report – email firstname.lastname@example.org
CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag.
In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip.
On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings.
The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is presented below (we redacted personally identifiable information):
When the document is opened, it downloads and runs a file from the following URL:
Which contains a short VBS script:
The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995) from the following URL:
Which uses backup.aolonline[.]cc as command and control server.
Indicators of compromise
Pivoting on IPs, code signing certificates, and domain registration details, we found further parts of the infrastructure, some going back to 2015. Most of them have been tagged as relating to “Casper aka LEAD” in a public PassiveTotal project by Cylance (however, we could not find a public report). Most samples were detected by Proofpoint as “ETPRO TROJAN Casper/LEAD DNS Lookup” (this signature was published on May 3, 2017).
The Maltego graph below depicts the relationship among the indicators:
The indicators are available on PassiveTotal.
ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that develop and sell malware, exploits, bots and ransomware.
We recently encountered a very aggressive Jabber spam campaign advertising the “Philadelphia” ransomware.
As Brian Krebs wrote in one of his recent posts, Philadelphia is a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cybercriminals who dream of carving out their own ransomware empires. Philadelphia has many features, including the ability to generate PDF reports and charts of victims to track the campaigns, as well as the ability to plot victims around the world using Google Maps.
This is a screenshot of the jabber spam campaign:
In his post from March, Brian Krebs described the highly professional YouTube video advertising this ransomware.
This website advertises both the Philadelphia and Stampado ransomware, and also other services and tools provided by the same person:
Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and two families of Google Android malware we are calling SECUREUPDATE and VAMP.
Read the full report at Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA.