Malware RSS Feed
For a long time we´ve been interested in operational security (OPSEC), and although you can find tons of cool technical tips about protecting digital information, we always felt that something was missing. After all, we live in a physical, or analog world as well as a digital one, and we have encounters with other real people. After asking around, we found that one of the biggest worries of our technical community was how to behave during these interactions. So we decided to work on creating some realistic and easy to remember tips for exactly these situations.Threat modeling
OPSEC is all about hiding information from your adversaries. We categorized our adversaries into just two groups: those who have resources and those who don´t. Plain and simple.
The first group comprises intelligence agencies, military organizations and the big bad boys. The second contains the rest. Important: no resources is not the same as no danger, but they are less able to track you unless you give away information for free.
Our tips are focused on encounters with the first group, since that is more likely to happen.Recruitment
Agencies are always on the look-out for new assets to recruit – this is what they've been doing for centuries.
It all starts with the spotting process, identifying an asset who could meet their requirements based on the position and access to information. Next they profile the target, partly using OSINT. After that it's time to choose between the carrot and the stick, and pick out the most effective motivators on offer: money, blackmail, ideology, sex, etc.
Then some guy will approach us, maybe in person, maybe through LinkedIn. He'll probably pose as some businessman who will pay us a lot for nothing much, just a few easy reports from time to time.
When this happens we want to get to the Termination phase ASAP, ideally after being written off as a waste of time and effort.
We can just say "No", but they may keep increasing the pressure. On the other hand, we can refuse while providing alternatives, redirecting the request to another person ready to handle this.
Create a protocol for yourself and your organization in order to handle these situations effectively, minimizing the researcher ´s exposure. Be prepared in advance for situations where we are more vulnerable.Borders
Crossing an international border can be one of the most vulnerable places. Somehow they are like a parallel dimension: although you are physically in one territory, the laws are just different, or maybe even non-existent.
We´ve learnt a few things regarding borders: there is always some exception to the law that officers might use in extreme scenarios. You can find legal advice here https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices>. However this is what you should NOT do:
- Regardless of whether you consent to a search or not, do NOT stop the officer if he starts checking your stuff. This is a felony.
- You don´t have to answer questions, but if you decide to do so, do not lie to the officer. Again, a felony.
This is our advice about how to react in a situation like this. These rules will provide you with peace of mind, help you stay calm and not freak out. Hopefully they will stop you overreacting, making things worse and talking too much, starting with: "I have nothing to hide, let me explain …".
- Be cooperative.
- Don´t make things worse.
- Have your story prepared and be ready to back it up.
- Golden rule: Don´t bring any valuable content with you! You should encrypt, upload and retrieve on arrival at your destination.
Sometimes we could find ourselves going to a meeting in a strange country with a suspicion that something is not quite right. Some advice for this:
- Don´t go alone.
- Don´t rely on your host for transport
- Plan exit routes and "safe" places, have your contacts ready.
In some cases the meeting itself won´t be the "trap"; it's just an excuse to get you to leave your computer in a known location the hotel, or in a cloakroom.
It is always a good idea to let someone know where you are going and tell them to react if you don´t ping them in a reasonable period of time. This also lets your adversaries know that you are ready – a simple casual comment will do the job.
Another concern is physical surveillance. To be honest, if this is done by sophisticated professionals there isn't much we can do about it and we probably won't even notice. But remember – don't try anything stupid; you're not James Bond. Acting like it's a movie can only make things worse.
If you are very concerned, escalate the situation and involve the person in your company who is responsible for dealing with local contacts. If you feel uncomfortable, move to a public place or directly move to your embassy.Conclusions
You've probably already spotted a common theme in most of all these situations. First, keep calm and do not make things worse. You can rely on a third party to send in the cavalry when you need it. This is why your company should provide you with a single person to contact when you're in trouble. Also you might need international legal support.
However the key lesson is: do your homework. If you travel abroad, spend some time finding local contacts, get the telephone number and directions for your embassy, plan your meetings, let other people know where you are and make sure they are ready to act quickly in certain situations. Have your travel laptop ready and consider what information you bring with you. If you remember your lessons, you will be fine.
Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.
A quick summary:
- Campaign status: Active
- Discovery: January 2014
- Targeted platforms: Windows
- First known sample: 2010
- Number of targets: 2,001-3,000
- Top target countries : United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, China
- Propagation method: Social engineering, Exploit, Watering hole attack, Trojanized software installers
- Purpose/functions: Data theft
- Special features : Interest in OPC/SCADA. Trojanized software used to administer remote OPC servers as well as modules to scan networks for OPC servers.
- Targets: Industrial/machinery, Manufacturing, Pharmaceutical, Construction, Education, Information technology
- Artifacts/attribution : Russian-speaking authors
This post is an update about the operational status of the campaign described in the original "Crouching Yeti" report.
Since the beginning of the research, we've been monitoring some of the C2 servers used by the components used in the attack – the Havex Trojan, the Sysmain Trojan and the ClientX backdoor. The following analysis is based on data gathered until March 04, 2015
C2 and victims:
Overall, we successfully monitored 69 C2 server (unique domains), receiving hits from 3699 victims (unique IDs of the Trojan/backdoor) connecting from 57796 different IP addresses. We gathered four additional C2s since the publication of the first report (65 in the last report).
Based on the graph below, the top five C2 servers share most of the unique victims :
Although the trendline shows a decreasing number of hits on the C2, there are still >1.000 unique victim connections per day. These top five C2s with most of the victims coincides with the activity analyzed in the previous research and publication.
Another interesting figure is the number of hits by date which shows a decreasing trend:
The following figure shows the entire picture regarding Crouching Yeti victim country distribution including all the malware (Havex, ClientX,Sysmain) reporting to the C2s on which we have visibility. The graph contains the total dataset (inluding data for the previous report as well as the gathered during this period) and contains all the unique IP addresses observed. Be aware that there are some unique IDs using several IP addresses probably pertaining to infected computers used by travellers.
This shows the big (and updated) picture regarding Crouching Yeti victims by country. Spain, Poland and Greece are in the Top 3. Japan and especially the United States have significantly reduced position (less victims) since the last report, contrary to Poland and Italy that increased position remarkably (more victims reporting to the C2).
The most widely used Trojan on these C2 server is Havex with 3375 unqiue victims. Sysmain counts 314 and ClientX 10 (as in the last year's report). For Havex, version 024 is still the most widespread, followed by version 043. This is consistent with the trend observed in our last publication.
The following two graphs show the distribution of victims per malware type. We decided to divide the identified versions in two groups for purposes of clarity. The series names Report contains the data published in the first Crouching Yeti release (blue) and the Update (red) series contains the data analyzed.
During this period, the first subset shows an increase for almost all the included versions except for Havex-038 and Havex-01D which showed bigger activity in the first Crouching Yeti release . On the other hand, Havex-043 has the most significant increase during this period.
For the second subset, the picture looks pretty similar (global increase) except for Havex-01d which shows a decrease during this period.
Already before and also after the announcements around this actor other researcher digged into. Therefore the datasets are cleaned but may still include few research based non-victim systems.
The following graphs shows the operating system distribution amongst Havex victims during this period:
Apart from the increase of the category "unknown", there are no substantial differences when comparing the data analyzed in the first report :
In order to complement the data from the C2, we extracted some stats for the most relevant Trojans used by the Crouching Yeti operators. Almost all of them shows a residual impact during 2015. Nevertheless, we notice some very specific peaks during this month, especially for the Trojan.Win32.Ddex verdict. This component is a simple downloader with the functionality similar to the Havex component. All the detections are located within the Russian Federation.
In conclusion, the data analyzed during this period show us that Crouching Yeti's impact continues to increase in terms of infected victims reporting to the C2s, although internal data from KSN shows a different picture (residual number of infections). In this update, we did not see relevant changes in the infrastructure or in the C2 activity.
Taking into account the nature of this threat actor and the operational status of the infrastructure, it is likely the operators already switched infrastructure, techniques and targets.
We will continue to track this threat actor and providing updates accordingly.