Malware RSS Feed

Always Check Credentials

SANS Tip-of-the-Day - Thu, 12/18/2014 - 21:59

Chthonic: a New Modification of ZeuS

Malware Alerts - Thu, 12/18/2014 - 06:00

In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:

  • First, it is interesting from the technical viewpoint, because it uses a new technique for loading modules.
  • Second, an analysis of its configuration files has shown that the malware targets a large number of online-banking systems: over 150 different banks and 20 payment systems in 15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy make up the majority of its potential targets.

Kaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.

The Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

Infection

We have seen several techniques used to infect victim machines with Trojan-Banker.Win32.Chthonic:

  • sending emails containing exploits;
  • downloading the malware to victim machines using the Andromeda bot (Backdoor.Win32.Androm in Kaspersky Lab classification).

When sending messages containing an exploit, cybercriminals attached a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension to make it look less suspicious.

Sample message with CVE-2014-1761 exploit

In the event of successful vulnerability exploitation, a downloader for the Trojan was downloaded to the victim computer. In the example above, the file is downloaded from a compromised site – hxxp://valtex-guma.com.ua/docs/tasklost.exe.

The Andromeda bot downloaded the downloader from hxxp://globalblinds.org/BATH/lider.exe.

Downloading the Trojan

Once downloaded, the downloader injects its code into the msiexec.exe process. It seems that the downloader is based on the Andromeda bot's source code, although the two use different communication protocols.

Example of common functionality of Andromeda and Chthonic downloaders

Differences in communication protocols used by Andromeda and Chthonic C&C

The Chthonic downloader contains an encrypted configuration file (similar encryption using a virtual machine was used in KINS and ZeusVM). The main data contained in the configuration file includes: a list of С&С servers, a 16-byte key for RC4 encryption, UserAgent, botnet id.

The main procedure of calling virtual machine functions

After decrypting the configuration file, its individual parts are saved in a heap - in the following format:

This is done without passing pointers. The bot finds the necessary values by examining each heap element using the RtlWalkHeap function and matching its initial 4 bytes to the relevant MAGIC VALUE.

The downloader puts together a system data package typical of ZeuS Trojans (local_ip, bot_id, botnet_id, os_info, lang_info, bot_uptime and some others) and encrypts it first using XorWithNextByte and then using RC4. Next, the package is sent to one of the C&C addresses specified in the configuration file.

In response, the malware receives an extended loader – a module in a format typical of ZeuS, i.e., not a standard PE file but a set of sections that are mapped to memory by the loader itself: executable code, relocation table, point of entry, exported functions, import table.

Code with section IDs matching the module structures

It should be noted that the imports section includes only API function hashes. The import table is set up using the Stolen Bytes method, using a disassembler included in the loader for this purpose. Earlier, we saw a similar import setup in Andromeda.

Fragment of the import setup function in Andromeda and Chthonic

Header of a structure with module

The extended loader also contains a configuration file encrypted using the virtual machine. It loads the Trojan's main module, which in turn downloads all the other modules. However, the extended loader itself uses AES for encryption, and some sections are packed using UCL. The main module loads additional modules and sets up import tables in very much the same way as the original Chthonic downloader, i.e. this ZeuS variant has absorbed part of the Andromeda functionality.

The entire sequence in which the malware loads, including the modules that are described below, is as follows:

Modules

Trojan-Banker.Win32.Chthonic has a modular structure. To date, we have discovered the following modules:

Name Description Has a 64bit version main Main module (v4.6.15.0 - v4.7.0.0) Yes info Collects system information Yes pony Module that steals saved passwords No klog Keylogger Yes http Web injection and formgrabber module Yes vnc Remote access Yes socks Proxy server Yes cam_recorder Recording video from the web camera Yes

The impressive set of functions enables the malware to steal online banking credentials using a variety of techniques. In addition, VNC and cam recorder modules enable attackers to connect to the infected computer remotely and use it to carry out transactions, as well as recording video and sound if the computer has a webcam and microphone.

Injections

Web injections are Chthonic's main weapon: they enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim's phone number, one-time passwords and PINs, in addition to the login and password entered by the victim.

For example, for one of the Japanese banks the Trojan hides the bank's warnings and injects a script that enables the attackers to carry out various transactions using the victim's account:

Online banking page screenshots before and after the injection

Interesting functions in injected script

The script can also display various fake windows in order to obtain the information needed by the attackers. Below is an example of a window which displays a warning of non-existent identification problems and prompts the user to enter TAN:

Fake TAN entry window

Our analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario. When opening an online banking web page in the browser, the entire contents of the page is spoofed, not just parts of it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe with a phishing copy of the website that has the same size as the original window.

Below is a fragment of injected code, which replaces everything between title and body closing tags with the following text:

And here is the script itself:

Additionally, the bot receives a command to establish a backconnect connection if the injection is successful:

Coverage

There are several botnets with different configuration files. Overall, the botnets we are aware of target online banking systems of over 150 different banks and 20 payment systems in 15 countries. The cybercriminals seem most interested in banks in the UK, Spain, the US, Russia, Japan and Italy.

Chtonic target distribution by country

It is worth noting that, in spite of the large number of targets on the list, many code fragments used by the Trojan to perform web injections can no longer be used, because banks have changed the structure of their pages and, in some cases, the domains as well. It should also be noted that we saw some of these fragments in other bots' config files (e.g., Zeus V2) a few years back.

Conclusion

We can see that the ZeuS Trojan is still actively evolving and its new implementations take advantage of cutting-edge techniques developed by malware writers. This is significantly helped by the ZeuS source code having been leaked. As a result, it has become a kind of framework for malware writers, which can be used by anyone and can easily be adapted to cybercriminals' new needs. The new Trojan – Chthonic – is the next stage in the evolution of ZeuS: it uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader.

What all of this means is that we will undoubtedly see new variants of ZeuS in the future.

A few md5:

12b6717d2b16e24c5bd3c5f55e59528c
148563b1ca625bbdbb60673db2edb74a
6db7ecc5c90c90b6077d5aef59435e02
5a1b8c82479d003aa37dd7b1dd877493
2ab73f2d1966cd5820512fbe86986618
329d62ee33bec5c17c2eb5e701b28639
615e46c2ff5f81a11e73794efee96b38
77b42fb633369de146785c83270bb289
78575db9f70374f4bf2f5a401f70d8ac
97d010a31ba0ddc0febbd87190dc6078
b670dceef9bc29b49f7415c31ffb776a
bafcf2476bea39b338abfb524c451836
c15d1caccab5462e090555bcbec58bde
ceb9d5c20280579f316141569d2335ca
d0c017fef12095c45fe01b7773a48d13
d438a17c15ce6cec4b60d25dbc5421cd

Kaspersky Security Bulletin 2014. A Look into the APT Crystal Ball

Malware Alerts - Thu, 12/11/2014 - 07:00

 PDF version
 EPUB version
 Download Full Report PDF

  1. Predictions 2015
  2. Overall statistics for 2014
  3. Malware Evolution
  4. A Look into the APT Crystal Ball

Over the past years, Kaspersky's Global Research and Analysis Team (GReAT) has shed light on some of the biggest APT campaigns, including RedOctober, Flame, NetTraveler, Miniduke, Epic Turla, Careto/Mask and others. While studying these campaigns we have also identified a number of 0-day exploits, including the most recent CVE-2014-0546. We were also among the first to report on emerging trends in the APT world, such as cyber mercenaries who can be contracted to launch lightning attacks or more recently, attacks through unusual vectors such as hotel Wi-Fi. Over the past years, Kaspersky Lab's GReAT team has monitoring more than 60 threat actors responsible for cyber-attacks worldwide, organizations which appear to be fluent in many languages such as Russian, Chinese, German, Spanish, Arabic, Persian and others.

By closely observing these threat actors, we put together a list of what appear to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention, both from an intelligence point of view but also with technologies designed to stop them.

The merger of cyber-crime and APT

For many years, cyber-criminal gangs focused exclusively on stealing money from end users. An explosion of credit card theft, hijacking of electronic payment accounts or online banking connections led to consumer losses in the worth hundreds of millions of dollars. Maybe this market is no longer so lucrative, or maybe the cybercriminal market is simply overcrowded, but it now seems like there is a struggle being waged for 'survival'. And, as usual, that struggle is leading to evolution.

What to expect: In one incident we recently investigated attackers compromised an accountant's computer and used it to initiate a large transfer with their bank. Although it might seem that this is nothing very unusual, we see a more interesting trend: Targeted attacks directly against banks, not their users.

In a number of incidents investigated by Kaspersky Lab experts from the Global Research and Analysis Team, several banks were breached using methods straight out of the APT playbook. Once the attackers got into the banks' networks, they collected enough information to enable them to steal money directly from the bank in several ways:

  • Remotely commanding ATMs to dispense cash.
  • Performing SWIFT transfers from various customer accounts,
  • Manipulating online banking systems to perform transfers in the background.

These attacks are an indication of a new trend that is embracing APT style attacks in the cybercriminal world. As usual, cybercriminals prefer to keep it simple: they now attack the banks directly because that's where they money is.  We believe this is a noteworthy trend that will become more prominent in 2015.

Fragmentation of bigger APT groups

2014 saw various sources expose APT groups to the public eye. Perhaps the best-known case is the FBI indictment of five hackers on various computer crimes:

This public "naming and shaming" means we expect some of the bigger and "noisier" APT groups to shatter and break into smaller units, operating independently.

What to expect: This will result in a more widespread attack base, meaning more companies will be hit, as smaller groups diversify their attacks. At the same time, it means that bigger companies that were previously compromised by two or three major APT groups (eg. Comments Crew and Wekby) will see more varied attacks from a wider range of sources.

Evolving malware techniques

As computers become more sophisticated and powerful, operating systems also become more complex. Both Apple and Microsoft have spent a lot of time improving the security posture of their respective operating systems. Additionally, special tools such as Microsoft's EMET are now available to help thwart targeted attacks against software vulnerabilities.

With Windows x64 and Apple Yosemite becoming more popular, we expect APT groups to update their toolsets with more powerful backdoors and technologies to evade security solutions.

What to expect: Today, we are already seeing APT groups constantly deploying malware for 64-bit systems, including 64-bit rookits. In 2015, we expect to see more sophisticated malware implants, enhanced evasion techniques and more use of virtual file systems (such as those from Turla and Regin) to conceal precious tools and stolen data.

While we see these increases in advanced techniques, some attackers are moving in the opposite direction. While minimizing the number of exploits and amount of compiled code they introduce to compromised networks altogether, their work continues to require sophisticated code or exploit introduction at a stable entry into the enterprise, script tools and escalation of privilege of all sorts, and stolen access credentials at victim organizations.

As we saw with BlackEnergy 2 (BE2), attackers will actively defend their own presence and identity within victim networks once discovered. Their persistence techniques are becoming more advanced and expansive. These same groups will step up the amount and aggression of destructive last effort components used to cover their tracks, and they include more *nix support, networking equipment, and embedded OS support. We have already seen some expansion from BE2, Yeti, and Winnti actors.

New methods of data exfiltration

The days when attackers would simply activate a backdoor in a corporate network and start siphoning terabytes of information to FTP servers around the world are long gone. Today, more sophisticated groups use SSL on a regular basis alongside custom communication protocols.

Some of the more advanced groups rely on backdooring networking devices and intercepting traffic directly for commands. Other techniques we have seen include exfiltration of data to cloud services, for instance via the WebDAV protocol (facilitates collaboration between users in editing and managing documents and files stored on web servers).

These in turn have resulted in many corporations banning public cloud services such as Dropbox from their networks. However, this remains an effective method of bypassing intrusion detection systems and DNS blacklists.

What to expect: In 2015, more groups to adopt use of cloud services  in order to make exfiltration stealthier and harder to notice.

New APTs from unusual places as more countries join the cyber arms race

In February 2014, we published research into Careto/Mask, an extremely sophisticated threat actor that appears to be fluent in Spanish, a language rarely seen in targeted attacks. In August, we also released a report on Machete, another threat actor using the Spanish language.

Before that, we were accustomed to observing APT actors and operators that are fluent in relatively few languages. Additionally, many professionals do not use their native language, preferring instead to write in perfect English.

In 2014, we observed a lot of nations around the world publicly expressing an interest in developing APT capabilities:

What to expect: Although we haven't yet seen APT attacks in Swedish, we do predict that more nations will join the "cyber-arms" race and develop cyber-espionage capabilities.

Use of false flags in attacks

Attackers make mistakes. In the vast majority of the cases we analyze, we observe artifacts that provide clues about the language spoken by the attackers. For instance, in the case of RedOctober and Epic Turla, we concluded that the attackers were probably fluent in the Russian language. In the case of NetTraveler we came to the conclusion that attackers were fluent in Chinese.

In some cases, experts observe other meta features that could point toward the attackers. For example, performing file timestamp analysis of the files used in an attack may lead to the conclusion in what part of the world most of the samples were compiled.

However attackers are beginning to react to this situation. In 2014 we observed several "false flag" operations where attackers delivered "inactive" malware commonly used by other APT groups. Imagine a threat actor of Western origin dropping a malware commonly used by a "Comment Crew," a known Chinese threat actor. While everyone is familiar with the "Comment Crew" malware implants, few victims could analyze sophisticated new implants. That can easily mislead people into concluding that the victim was hit by the Chinese threat actor.

What to expect: In 2015, with governments increasingly keen to "name and shame" attackers, we believe that APT groups will also carefully adjust their operations and throw false flags into the game.

Threat actors add mobile attacks to their arsenal

Although APT groups have been observed infecting mobile phones, this hasn't yet become a major trend. Perhaps the attackers wish to get data that isn't usually available on mobiles, or maybe not all of them have access to the technologies that can infect Android and iOS devices.

In 2014 we saw several new APT tools designed for infecting mobiles, for instance Hacking Team's Remote Control System mobile modules.

Additionally, during the Hong Kong protests in October 2014, attacks were seen against Android and iOS users which appear to be connected to APT operations.

Although a mobile phone might not have valuable documents and schematics, or geopolitical expansion plans for next 10 years, they can be a valuable source of contacts as well as listening points. We observed this with the RedOctober group, which had the ability to infect mobile phones and turn them into "Zakladka's", mobile bugs.

What to expect: In 2015, we anticipate more mobile-specific malware, with a focus on Android and jailbroken iOS.

APT+Botnet: precise attack + mass surveillance

In general, APT groups are careful to avoid making too much noise with their operations. This is why the malware used in APT attacks is much less widespread than common crimeware such as Zeus, SpyEye and Cryptolocker.

In 2014 we observed two APT groups (Animal Farm and Darkhotel) using botnets in addition to their regular targeted operations. Of course, botnets can prove to be a vital asset in cyberwar and can be used to DDoS hostile countries; this has happened in the past.  We can therefore understand why some APT groups might want to build botnets in addition to their targeted operations.

In addition to DDoS operations, botnets can also offer another advantage - mass surveillance apparatus for a "poor country". For instance, Flame and Gauss, which we discovered in 2012, were designed to work as a mass surveillance tool, automatically collecting information from tens of thousands of victims. The information would have to be analyzed by a supercomputer, indexed and clustered by keywords and topics; most of it would probably be useless. However, among those hundreds of thousands of exfiltrated documents, perhaps one provides key intelligence details, that could make a difference in tricky situations.

What to expect: In 2015 more APT groups will embrace this trend of using precise attacks along with noisy operations and deploy their own botnets.

Targeting of hotel networks

The Darkhotel group is one of the APT actors known to have targeted specific visitors during their stay in hotels in some countries. Actually, hotels provide an excellent way of targeting particular categories of people, such as company executives. Targeting hotels is also highly lucrative because it provides intelligence about the movements of high profile individuals around the world.

Compromising a hotel reservation system is an easy way to conduct reconnaissance on a particular target. It also allows the attackers to know the room where the victim is staying, opening up the possibility of physical attacks as well as cyber-attacks.

It isn't always easy to target a hotel. This is why very few groups, the elite APT operators, have done it in the past and will use it as part of their toolset.

What to expect: In 2015, a few other groups might also embrace these techniques, but it will remain beyond the reach of the vast majority of APT players.

Commercialization of APT and the private sector

Over the last few years, we published extensive research into malware created by companies such as HackingTeam or Gamma International, two of the best known vendors of "legal spyware". Although these companies claim to sell their software only to "trusted government entities", public reports from various sources, including Citizen Lab, have repeatedly shown that spyware sales cannot be controlled. Eventually, these dangerous software products end up in the hands of less trustworthy individuals or nations, who can use them for cyber-espionage against other countries or their own people.

The fact is that such activities are highly profitable for the companies developing the cyber-espionage software. They are also low risk because – so far – we have not seen a single case where one of these companies was convicted in a cyber-espionage case. The developers of these tools are usually out of the reach of the law, because the responsibility falls with the tool users, not the company that develops and facilitates the spying.

What to expect: It's a high-reward, low risk business that will lead to the creation of more software companies entering the "legal surveillance tools" market. In turn, these tools will be used for nation-on-nation cyber-espionage operations, domestic surveillance and maybe even sabotage.

Conclusions

In general, 2014 was a rather sophisticated and diverse year for APT incidents. We discovered several zero-days, for instance CVE-2014-0515 which was used by a group we call "Animal Farm". Another zero-day we discovered was CVE-2014-0487, used by the group known as DarkHotel. In addition to these zero-days, we observed several new persistence and stealth techniques, which in turn resulted in the development and deployment of several new defense mechanisms for our users.

If we can call 2014 "sophisticated", the word for 2015 will be "elusive". We believe that more APT groups will become concerned with exposure and they will take more advanced measures to hide from discovery.

Finally, some of them will deploy false flag operations. We anticipate these developments and, as usual, will document them thoroughly in our reports.

Cloud Atlas: RedOctober APT is back in style

Malware Alerts - Wed, 12/10/2014 - 05:03

Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.

After our announcement in January 2013, the RedOctober operation was promptly shut down and the network of C&Cs was dismantled. As usually happens which these big operations, considering the huge investment and number of resources behind it, they don't just "go away" forever. Normally, the group goes underground for a few months, redesigns the tools and the malware and resume operations.

See:

Since January 2013, we've been on the lookout for a possible RedOctober comeback. One possible hit was triggered when we observed Mevade, an unusual piece of malware that appeared late in 2013. The Mevade C&C name styles as well as some other technical similarities indicated a connection to RedOctober, but the link was weak. It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good.

Meet Cloud Atlas

In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world.

Some of the filenames used in the attacks included:

  • FT - Ukraine Russia's new art of war.doc
  • Катастрофа малайзийского лайнера.doc
  • Diplomatic Car for Sale.doc
  • МВКСИ.doc
  • Organigrama Gobierno Rusia.doc
  • Фото.doc
  • Информационное письмо.doc
  • Форма заявки (25-26.09.14).doc
  • Информационное письмо.doc
  • Письмо_Руководителям.doc
  • Прилож.doc
  • Car for sale.doc
  • Af-Pak and Central Asia's security issues.doc

At least one of them immediately reminded us of RedOctober, which used a very similarly named  spearphish: "Diplomatic Car for Sale.doc". As we started digging into the operation, more details emerged which supported this theory.

Perhaps the most unusual fact was that the Microsoft Office exploit didn't directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.

Cloud Atlas exploit payload - VBScript

This VBScript drops a pair of files on disk - a loader and an encrypted payload. The loader appears to be different every time and internal strings indicate it is "polymorphically" generated. The payload is always encrypted with a unique key, making it impossible to decrypt unless the DLL is available.

We observed several different spear-phishing documents that drop uniquely named payloads. For instance, the "qPd0aKJu.vbs" file MD5:

E211C2BAD9A83A6A4247EC3959E2A730 drops the following files:

DECF56296C50BD3AE10A49747573A346 - bicorporate - encrypted payload
D171DB37EF28F42740644F4028BCF727 - ctfmonrn.dll - loader

The VBS also adds a registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ setting the key "bookstore" to the value "regsvr32 %path%\ctfmonrn.dll /s", which ensures the malware runs every time at system boot.

Some of the DLL names we observed include:

f4e15c1c2c95c651423dbb4cbe6c8fd5 - bicorporate.dll
649ff144aea6796679f8f9a1e9f51479 - fundamentive.dll
40e70f7f5d9cb1a669f8d8f306113485 - papersaving.dll
58db8f33a9cdd321d9525d1e68c06456 - previliges.dll
f5476728deb53fe2fa98e6a33577a9da - steinheimman.dll

Some of the payload names include:

steinheimman
papersaving
previliges
fundamentive
bicorporate
miditiming
damnatorily
munnopsis
arzner
redtailed
roodgoose
acholias
salefians
wartworts
frequencyuse
nonmagyar
shebir
getgoing

The payload includes an encrypted configuration block which contains information about the C&C sever:

The information from the config includes a WebDAV URL which is used for connections, a username and password, two folders on the WebDAV server used to store plugins/modules for the malware and where data from the victim should be uploaded.

C&C communication

The Cloud Atlas implants utilize a rather unusual C&C mechanism. All the malware samples we've seen communicate via HTTPS and WebDav with the same server "cloudme.com", a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Linköping, Sweden.

(Important note: we do not believe that CloudMe is in any way related to the Cloud Atlas group - the attackers simply create free accounts on this provider and abuse them for command-and-control).

Each malware set we have observed so far communicates with a different CloudMe account though. The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism. Of course, it should be possible to reconfigure the malware to use any Cloud-based storage service that supports WebDAV.

Here's a look at one such account from CloudMe:

The data from the account:

The files stored in the randomly named folder were uploaded by the malware and contain various things, such as system information, running processes and current username. The data is compressed with LZMA and encrypted with AES, however, the keys are stored in the malware body which makes it possible to decrypt the information from the C&C.

We previously observed only one other group using a similar method – ItaDuke – that connected to accounts on the cloud provider mydrive.ch.

Victim statistics: top 5 infected countries CloudAtlas RedOctober Russia 15 35 Kazakhstan 14 21 Belarus 4 5 India 2 14 Czech Republic 2 5 Similarities with RedOctober

Just like with RedOctober, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN). Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years.

Interestingly, some of the spear-phishing documents between Cloud Atlas and RedOctober seem to exploit the same theme and were used to target the same entity at different times.

Cloud Atlas RedOctober

Both Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used – RC4 in RedOctober vs AES in Cloud Atlas.

The usage of the compression algorithms in Cloud Altas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the "scheduler" plugin uses it to decompress executable payloads from the C&C.

It turns out that the implementation of the algorithm is identical in both malicious modules, however the way it is invoked is a bit different, with additional input sanity checks added to the CloudAtlas version.

Another interesting similarity between the malware families is the configuration of the build system used to compile the binaries. Every binary created using the Microsoft Visual Studio toolchain has a special header that contains information about the number of input object files and version information of the compilers used to create them, the "Rich" header called so by the magic string that is used to identify it in the file.

We have been able to identify several RedOctober binaries that have "Rich" headers describing exactly the same layout of VC 2010 + VC 2008 object files. Although this doesn't necessarily mean that the binaries were created on the same development computer, they were definitely compiled using the same version of the Microsoft Visual Studio up to the build number version and using similar project configuration.

Number of object files, CloudAtlas loader Number of object files, Red October Office plugin Number of object files,Red October Fileputexec plugin HEX compiler version Decoded compiler version 01 01 01 009D766F VC 2010 (build 30319) 01 01 01 009B766F VC 2010 (build 30319) 22 2E 60 00AB766F VC 2010 (build 30319) 5B 60 A3 00010000 – 05 07 11 00937809 VC 2008 (build 30729) 72 5C AD 00AA766F VC 2010 (build 30319) 20 10 18 009E766F VC 2010 (build 30319)

To summarize the similarities between the two:

Cloud Atlas RedOctober Shellcode marker in spearphished documents PT@T PT@T Top target country Russia Russia Compression algorithm used for C&C communications LZMA LZMA C&C servers claim to be / redirect to BBC (mobile malware) BBC Compiler version VC 2010 (build 30319) VC 2010 (build 30319) (some modules)

Finally, perhaps the strongest connection comes from targeting. Based on observations from KSN, some of the victims of RedOctober are also being targeted by CloudAtlas. In at least one case, the victim's computer was attacked only twice in the last two years, with only two malicious programsRedOctober and Cloud Atlas.

These and other details make us believe that CloudAtlas represents a rebirth of the RedOctober attacks.

Conclusion

Following big announcements and public exposures of targeted attack operations, APT groups behave in a predictable manner. Most Chinese-speaking attackers simply relocate C&C servers to a different place, recompile the malware and carry on as if nothing happened.

Other groups that are more nervous about exposure go in a hibernation mode for months or years. Some may never return using the same tools and techniques.

However, when a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything. They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces.

We believe this is also the case of RedOctober, which makes a classy return with Cloud Atlas.

Kaspersky products detect the malware from the Cloud Atlas toolset with the following verdicts:

Exploit.Win32.CVE-2012-0158.j
Exploit.Win32.CVE-2012-0158.eu
Exploit.Win32.CVE-2012-0158.aw
Exploit.MSWord.CVE-2012-0158.ea
HEUR:Trojan.Win32.CloudAtlas.gen
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Script.Generic
Trojan-Spy.Win32.Agent.ctda
Trojan-Spy.Win32.Agent.cteq
Trojan-Spy.Win32.Agent.ctgm
Trojan-Spy.Win32.Agent.ctfh
Trojan-Spy.Win32.Agent.cter
Trojan-Spy.Win32.Agent.ctfk
Trojan-Spy.Win32.Agent.ctfj
Trojan-Spy.Win32.Agent.crtk
Trojan-Spy.Win32.Agent.ctcz
Trojan-Spy.Win32.Agent.cqyc
Trojan-Spy.Win32.Agent.ctfg
Trojan-Spy.Win32.Agent.ctfi
Trojan-Spy.Win32.Agent.cquy
Trojan-Spy.Win32.Agent.ctew
Trojan-Spy.Win32.Agent.ctdg
Trojan-Spy.Win32.Agent.ctlf
Trojan-Spy.Win32.Agent.ctpz
Trojan-Spy.Win32.Agent.ctdq
Trojan-Spy.Win32.Agent.ctgm
Trojan-Spy.Win32.Agent.ctin
Trojan-Spy.Win32.Agent.ctlg
Trojan-Spy.Win32.Agent.ctpd
Trojan-Spy.Win32.Agent.ctps
Trojan-Spy.Win32.Agent.ctpq
Trojan-Spy.Win32.Agent.ctpy
Trojan-Spy.Win32.Agent.ctie
Trojan-Spy.Win32.Agent.ctcz
Trojan-Spy.Win32.Agent.ctgz
Trojan-Spy.Win32.Agent.ctpr
Trojan-Spy.Win32.Agent.ctdp
Trojan-Spy.Win32.Agent.ctdr
Trojan.Win32.Agent.idso
Trojan.Win32.Agent.idrx
HEUR:Trojan.Linux.Cloudatlas.a
Trojan.AndroidOS.Cloudatlas.a
Trojan.IphoneOS.Cloudatlas.a

 

Parallel research:

Pages

Subscribe to RIT Information Security aggregator