37. Russian to Confusion with Irfan Asrar
Coming up this week on Breaking Badness. Today we discuss: Iowa Caucus App Struggles, Beyond a Shadow of a Doubt, My Neighbor Pterodo, and our fun new game, two truths and a lie.
Here are a few highlights from each article we discussed:
- More testing should have been done not only on the app but also how it would react in areas where the infrastructure was not ideal for operations with the ability to upload content through other secured means.
- The developers should have attempted to check the integrity of the device prior to the installation i.e was there a strong password set on the device, does it have a virus, or was it jailbroken. Ideally, a locked down device that cannot be used for any other purpose then the core functionality related to the app should have been provided maintaining a chain of custody.
- From text in the app, there are several links here that look like it was not vetted or possibly rushed into production. including a link to a personal website.
- The app was easily obtained and distributed globally as a result of an upload to a service called VirusTotal.
- The fact that we could get it to run on a sandbox (virtual android phone) means anyone could attempt to reverse engineer the app.
- We also had a request from cybersecurity researchers globally looking for independent confirmation the copy of the app they obtained was legit or a fake (researchers as far as China/Eastern Europe have a copy of the app).
- The data exposed from reverse engineering the app could be used in the next caucus to target the infrastructure supporting the app (DDos attacks etc).
- What you are seeing here is the app running on a virtual android phone and right next to it is information from VirusTotal where it was eventually uploaded to.
- The information on the site matched up with the previous information reported publicly such as the developer name Jimmy Hickey and the name of the company is Shadow INC.
- There are multiple strings in here (text content used in the app that can be used to display information or information used in the app to contact site) including a link to a personal website that shows it was rushed out and possibly not vetted
- Our biggest concerns come from the fact that we could very easily attempt to run the app in a virtual environment and dynamically attempt to identify the sites the app was reaching out to; which could be used to target the services and cause disruption.
- The other concern we see is that once installed, the user has the option to keep the app even after the job is done, again opening up the possibility of the app.
- Based on the information we were able to gauge, the app could have been vetted better to identify potential issues including talking into account rural infrastructure etc.
- Moving forward, other states should have the app distributed on lock down devices that have been vetted by the DHS as well as independent security agencies. Make sure the app has a built-in integrity check that ensures if the devices are compromised or jail broken the app refuses to run.
- Gamaredon group is a group that targets Ukraine almost exclusively. They’ve been known to go after military and security targets. That leads a lot of people to think that they are a) a Russian-backed group and b) relatively new in their approach since they are kind of gaining maturity over time and Ukraine being Russia’s cyber playground means they’re probably doing some testing. They first popped onto my radar when I saw some research on a rare Linux desktop malware from them back in 2019 from Intezer. Linux Desktop malware is the rarest of breeds since less than 1% of desktop users are on Linux so targeting those users means you must be going after a specific subset—in this case it looked like it must be some target that uses the GNOME desktop environment since that’s how the malware spread. Anyways, up until that point they had been using mostly off the shelf tools and now there are more and more custom pieces of malware being attributed to the group. That jump in matury is always interesting and why this is interesting in the swath of other news this week.
- In terms of recent campaigns, the big one that’s being reported on is targeting Ukraine’s ground forces academy, but Sentinel Labs who spotted this new version of their signature Pterodo malware said they are seeing the spyware across tons of Ukrainian targets.
- The modified Pterodo malware has self-extracting zip archives, drops some .NET magic, macros, then exfiltrates data through a set of NGINX forwarders pointed at by dynamic DNS providers. For those that don’t know those are free services that let you beacon out from a host and a DNS record then gets set to follow your server as the IP changes. Pretty easy to follow actually in a passive DNS data set like what’s in our Iris Investigate product. You know how I love that data set. Anyways, then it’s the usual spyware, data and user credentials thieving.
- These campaigns are always impactful. If it is a Russian group like most people suspect and they are developing custom malware and testing it in Ukraine then it’s likely to continue to improve. As for direct impact to most companies—I’d say that unless you’re a Ukrainian state target you shouldn’t be too worried. Plenty of possibilities for them as they improve to shift their targets to other Russian interests though.
- Enjoy some more pDNS fun in my recent blog: Finding Additional Indicators With a SeaTurtle Deep Dive in Passive DNS Within DomainTools Iris Investigate
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
Iowa Caucus App Struggles, Beyond a Shadow of a Doubt
[Chad]: 8/10 Hoodies
[Irfan]: 8/10 Hoodies
My Neighbor Pterodo
[Chad]: 9/10 Hoodies
[Irfan]: 9/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!