Iranian advanced malware expertise

Iranian Advanced Malware Targets Human Rights Organizations

This article is based on a presentation at Black Hat USA 2016 by security researchers Claudio Guarnieri and Collin Anderson, from Amnesty International and Penn University (USA). Their presentation showed that the Iranian regime is targeting human rights organizations: attacks in July and August 2016 against bloggers and foreign-policy institutions combined advanced social engineering with technically capable spearphishing operations.

On August 4, 2016, the Gmail account of an unidentified individual was compromised and used to run spearphishing campaigns against targets connected to Iran, Saudi Arabia and Palestine. The spearphishing message posed as a note from the Director of United for Iran, a U.S.-based human rights organization, claiming that the organization had developed a secure communications tool for activists. It was sent from an account created under her name at the email provider Mail.com, a tactic seen repeatedly in recent campaigns, and carried a link to a file hosted on Dropbox together with a separate credential-phishing attempt. Once the compromised Gmail account was under their control, the actors forwarded the malware to over a hundred of its contacts, ranging from an address at the United Nations Refugee Agency in Turkey to a site contact for Reza Pahlavi, son of the deposed Shah Mohammad Reza Pahlavi.

Similar spearphishing attempts were also found posing as popular software, including TeamSpeak, Mozilla Firefox, and the video-game services company Multiplay. Other cases involved documents with embedded malware.

The software delivered by these lures is a first-stage dropper that provides reconnaissance and remote access for further intrusion.
The dropper and the social engineering tactics first surfaced in a series of documents sent to European human rights advocates in July. These documents were likewise sent from impersonation accounts for well-known organizations created on Mail.com, under the pretense of important news. The malware was embedded as an object in the document and was activated when the target clicked an icon, typically posing as an Excel file or an image, which the message claimed was a list of names or other items known to the target.

Iranian attackers also use the Android platform to target dissidents and independent media outside Iran. An earlier report by the researchers covered one popular commercial tool, DroidJack, which was distributed under the guise of a secure communications app.


On August 28, this RAT (Remote Access Trojan) was used again against journalists and the foreign-policy establishment, when the Telegram account of a well-known journalist was compromised; in this case the malware posed as an additional set of Telegram stickers. The RAT appears to have given the intruders a way to obtain the Telegram credentials of individuals outside Iran. The Android malware mirrored a sustained campaign that the researchers had been monitoring, which included both Windows and Android agents impersonating TeamSpeak. In the Telegram sticker incident, too, the Android malware was sent alongside a custom Windows agent.

The targeting, and the hosting of custom Windows malware and the DroidJack APKs on a single fictitious download site, lead the researchers to believe that a different group is behind these attempts. The campaigns have run alongside Rocket Kitten infrastructure but are conducted in a more professional manner, indicating either a subgroup or a separate effort. Some indicators may also connect the effort to other known groups, so the researchers' attribution goes no further than Iranian origin and alignment with state interests.
The distribution of victims, primarily Iranians inside the country and institutions in the Arabic-speaking Middle East and North Africa, also matches the targeting patterns observed in the group's credential-phishing activity.

Malware and attacker details

The malware relies heavily on social engineering to succeed against its victims. With the TeamSpeak.EXE payload, once the bundle is executed it installs and launches the first stage of the malware.
The purpose of the first stage is to collect information about the infected system and send it to a remote location; the malware then downloads further malicious software onto the target. Exfiltrated information is filed under an identifier built from a name and the hard disk volume serial number.
The profiling is extensive: hardware, networking, processes and services are enumerated, with WMI doing much of the work. The profile is transmitted to the Command and Control (C&C) server in an HTTP request, with the data encrypted and written to a file called SysInfo.txt.

The attackers can then decide which infected computers to compromise further with the second-stage component, typically downloaded under the filename contask.exe, which functions as a second-stage dropper. This dropper does little more than connect to a second Command & Control server at 5.152.202.53, then download and execute a copy of Metasploit's Meterpreter to give the attackers a reverse shell.
Through that Meterpreter session the attackers install the final component, a backdoor the researchers call "Strealer". Once executed, Strealer first checks whether it is running on a persistent installation, so as to detect, for example, a non-persistent virtual machine (VM) that would wipe it. If it detects a non-persistent operating system (OS), it does not continue. On a persistent OS it stores itself under %AppData%\Local\Mozilla\Profiles\, a location that mimics the Mozilla Firefox profile directory, and starts a new process from there.

Strealer's purpose is to steal credentials and cookies from web browsers. It knows how to locate and read stored credentials and cookies from Internet Explorer, Firefox, Chrome, and Opera. The stolen data is normally written in JSON format under %AppData%\Local\Mozilla\Profiles\Log, with names such as chromeLogins.sql and chromeCookies.sql.
The malware also has a generic keylogger and clipboard stealer, implemented with the traditional GetClipboardData and GetKeyboardState/GetKeyState techniques. Intercepted keystrokes and clipboard contents are logged to a dedicated file, normally \Local\Mozilla\Profiles\Log\kgservice.sql; the logs are then collected and posted to another C&C server at update-finder.com.

To see how the attackers used the Meterpreter shell on infected computers, the researchers set up a honeypot: a realistic VM that appeared to belong to someone working at a human rights organization. They downloaded publicly available reports, created a realistic folder structure and installed the software a typical user would have, then infected the workstation with the dropper, let it report back to its C&C and waited for activity. Shortly afterwards they observed activity on the system.
The attackers connected through their Metasploit reverse shell, installed a copy of their Strealer backdoor and began exfiltrating data from the honeypot, while the researchers pretended to keep working on reports from various human rights organizations and chatted with fictitious colleagues about an upcoming campaign.

The indicators of compromise on an infected system are as follows:

Payload:

a62dde31eecf650c2dd39eeda9daf8fd35b1dff5330e72035d1846579ea838dc newlity.exe
1a24714fd99030bd63804ab96fc2612f148a5f08d1c2845152c3a0e168600db9 private_chat.exe
e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716 multiplay-register.exe
13c462f6606c20d23796d6b937b0fa6887029dc68f2a3376cc3fa1e068a833e9 TeamSpeak.EXE

Downloader:

e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716 dwm.exe/apache-utility.com/utility.exe/microsoft-hotfix.com

Dropper:

b0afef1ee97c8a9a7a7d4a83b5d8aab3a710062d9df98f909a3306c031e2cc21 contask.exe from IP address 5.152.202.53

Strealer:

3a8995413b8e63dca766999c5a3220114e4ab4c446130c5bd7c852a618dd2fa7 mozilla.exe/MozillaService.exe/update-finder.com
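As an added example (my own code, not part of the researchers' report), the following script turns the indicator list into a check an incident responder can run against a copy of a suspect workstation's profile directory and its proxy or DNS logs: it hashes every file under a tree against the SHA-256 values above, flags files that sit under a Mozilla\Profiles\ directory with the names Strealer uses, and searches log lines for the C&C addresses. The directory layout and log lines used in the dry run are constructed for illustration; the hashes, hosts, path and file names are taken from the description above.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 indicators copied from the list above, with the file name and stage
# the researchers associated with each.
IOC_HASHES = {
    "a62dde31eecf650c2dd39eeda9daf8fd35b1dff5330e72035d1846579ea838dc": "newlity.exe (payload)",
    "1a24714fd99030bd63804ab96fc2612f148a5f08d1c2845152c3a0e168600db9": "private_chat.exe (payload)",
    "e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716": "multiplay-register.exe / dwm.exe (payload / downloader)",
    "13c462f6606c20d23796d6b937b0fa6887029dc68f2a3376cc3fa1e068a833e9": "TeamSpeak.EXE (payload)",
    "b0afef1ee97c8a9a7a7d4a83b5d8aab3a710062d9df98f909a3306c031e2cc21": "contask.exe (dropper)",
    "3a8995413b8e63dca766999c5a3220114e4ab4c446130c5bd7c852a618dd2fa7": "mozilla.exe / MozillaService.exe (Strealer)",
}
# Network indicators from the same list.
IOC_NETWORK = ("5.152.202.53", "update-finder.com", "apache-utility.com", "microsoft-hotfix.com")
# Strealer's drop directory (mimicking the Firefox profile path) and the files it leaves there.
STREALER_DIR = re.compile(r"[\\/]Mozilla[\\/]Profiles([\\/]|$)", re.IGNORECASE)
STREALER_NAMES = {"kgservice.sql", "chromelogins.sql", "chromecookies.sql",
                  "mozilla.exe", "mozillaservice.exe"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_HASHES):
    """Walk a directory tree; report files whose hash is a known sample and files
    sitting in Strealer's log location under one of its known names."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in hashes:
                findings.append({"type": "hash", "path": path, "sha256": digest, "label": hashes[digest]})
            if name.lower() in STREALER_NAMES and STREALER_DIR.search(dirpath):
                findings.append({"type": "path", "path": path, "label": "Strealer drop/log location"})
    return findings


def scan_proxy_log(lines, indicators=IOC_NETWORK):
    """Flag proxy or DNS log lines that mention a C&C host or IP from the list."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ioc in indicators:
            if ioc in line:
                hits.append({"line": number, "indicator": ioc, "text": line.strip()})
                break
    return hits


# Constructed proxy log for the dry run (not real traffic); lines 1 and 3 should fire.
SAMPLE_PROXY_LOG = [
    "2016-08-30 10:01:22 10.0.0.5 GET http://update-finder.com/upload.php 200",
    "2016-08-30 10:01:25 10.0.0.5 GET http://www.example.org/ 200",
    "2016-08-30 10:03:40 10.0.0.5 CONNECT 5.152.202.53:443",
]


def build_demo_tree(root):
    """Constructed layout imitating a Strealer-infected profile (not real infection data)."""
    log_dir = os.path.join(root, "AppData", "Local", "Mozilla", "Profiles", "Log")
    docs_dir = os.path.join(root, "Documents")
    os.makedirs(log_dir)
    os.makedirs(docs_dir)
    keylog = os.path.join(log_dir, "kgservice.sql")
    with open(keylog, "w") as f:
        f.write("[2016-08-30 10:02] sample keystrokes\n")  # constructed content
    with open(os.path.join(docs_dir, "report.txt"), "w") as f:
        f.write("Annual report\n")
    return keylog


def run_demo():
    """Dry run: scan the constructed tree and log; returns (file findings, log hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        keylog = build_demo_tree(tmp)
        findings = scan_tree(tmp)
        # A file with a real IOC hash cannot be fabricated, so the hash path is exercised
        # by registering the planted keylog's own digest as if it were a known sample.
        planted = {sha256_file(keylog): "planted demo file"}
        findings += [f for f in scan_tree(tmp, hashes=planted) if f["type"] == "hash"]
    return findings, scan_proxy_log(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    for group in run_demo():
        for entry in group:
            print(entry)
```

Hash matching only catches the exact samples listed; the path and network checks are what survive a recompiled binary, and a hit on update-finder.com or 5.152.202.53 in proxy logs is worth an alert on its own.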

When the researchers noticed that reports and documents they had downloaded from the Internet and placed on the workstation were being exfiltrated, they quickly created bait documents with the CanaryTokens service, giving them file names related to human rights issues in Iran and placing them among the original files. CanaryTokens embeds a remote resource inside common document types, Microsoft Office files for example, so that opening the document triggers a request to the service, which sends a notification identifying the IP address the connection came from. The attackers exfiltrated the baits and opened them, producing alerts that showed the source IP address 5.39.111.23.
That IP address appeared to be a VPN endpoint. An address obtained this way identifies only the machine that rendered the document, which may be a VPN exit, a proxy or an analysis sandbox rather than the operator's own host. The researchers next created similar bait documents in different formats, to see whether that would trigger different behaviour.
The attackers exfiltrated and opened these newer documents, possibly from a different location, exposing what the researchers believed to be their actual source IP address, 81.91.144.20, which suggests the attackers were Iranian, possibly based in the city of Karaj.
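To make the mechanism concrete, here is an added example (my own code, not the researchers' tooling and not the CanaryTokens service itself) of a bait document built the same way: a .docx whose only picture is a linked, not embedded, image whose URL carries a per-document token, plus the log-side lookup that turns a hit on that URL into "document X was opened from IP Y". The host canary.example.net, the URL layout and the web-server log format are assumptions; whether a given viewer actually fetches the linked image depends on the application and on settings such as Word's Protected View.

```python
import io
import re
import secrets
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical alerting host (assumption); CanaryTokens uses its own domains and token format.
BEACON_HOST = "https://canary.example.net"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Minimal OOXML package. The picture in document.xml is linked (r:link) to an external
# relationship, so rendering it makes the viewer request the beacon URL.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
ROOT_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)
DOC_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="{url}" TargetMode="External"/>'
    '</Relationships>'
)
DOCUMENT = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    ' xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"'
    ' xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"'
    ' xmlns:pic="http://schemas.openxmlformats.org/drawingml/2006/picture"><w:body>'
    '<w:p><w:r><w:t>{title}</w:t></w:r></w:p>'
    '<w:p><w:r><w:drawing><wp:inline><wp:extent cx="9525" cy="9525"/><wp:docPr id="1" name="Picture 1"/>'
    '<a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/drawingml/2006/picture">'
    '<pic:pic><pic:nvPicPr><pic:cNvPr id="1" name="Picture 1"/><pic:cNvPicPr/></pic:nvPicPr>'
    '<pic:blipFill><a:blip r:link="rId1"/><a:stretch><a:fillRect/></a:stretch></pic:blipFill>'
    '<pic:spPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="9525" cy="9525"/></a:xfrm>'
    '<a:prstGeom prst="rect"><a:avLst/></a:prstGeom></pic:spPr></pic:pic>'
    '</a:graphicData></a:graphic></wp:inline></w:drawing></w:r></w:p>'
    '<w:sectPr/></w:body></w:document>'
)


def new_token():
    """Random 16-hex-character token; one per bait so a hit maps back to one document."""
    return secrets.token_hex(8)


def beacon_url(token):
    return f"{BEACON_HOST}/{token}/image.png"


def build_canary_docx(title, token):
    """Return the bytes of a .docx whose only picture is fetched from the beacon URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/_rels/document.xml.rels", DOC_RELS.format(url=escape(beacon_url(token))))
        z.writestr("word/document.xml", DOCUMENT.format(title=escape(title)))
    return buf.getvalue()


def external_targets(docx_bytes):
    """Every external relationship (type, target) in a .docx. Used here to verify a bait;
    the same check triages a received attachment, since linked images and remote
    templates in phishing documents phone home through exactly this mechanism."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((rel.get("Type").rsplit("/", 1)[-1], rel.get("Target")))
    return found


# Combined-format web-server log line; the token is the first path component.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "GET /(?P<token>[0-9a-f]{16})/image\.png')


def beacon_hits(log_lines, issued):
    """Map beacon requests in a web-server log back to the bait document that was opened."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["token"] in issued:
            hits.append({"document": issued[m["token"]], "ip": m["ip"], "when": m["when"]})
    return hits


# Fixed demo token and constructed log lines (not real traffic). 5.39.111.23 is the
# address reported above; the other clients use TEST-NET addresses.
DEMO_TOKEN = "0123456789abcdef"
SAMPLE_ACCESS_LOG = [
    '5.39.111.23 - - [30/Aug/2016:09:12:01 +0000] "GET /0123456789abcdef/image.png HTTP/1.1" 200 68 "-" "Microsoft Office Word"',
    '203.0.113.7 - - [30/Aug/2016:09:15:44 +0000] "GET /ffffffffffffffff/image.png HTTP/1.1" 404 0 "-" "curl/7.47.0"',
    '203.0.113.9 - - [30/Aug/2016:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    doc = build_canary_docx("Political prisoners in Iran - 2016 list", DEMO_TOKEN)
    print(external_targets(doc))
    print(beacon_hits(SAMPLE_ACCESS_LOG, {DEMO_TOKEN: "prisoners-2016.docx"}))
```

external_targets() is worth keeping in the triage toolkit on its own: an attachment from a Mail.com lookalike that carries an external image or attachedTemplate relationship will reach out on open in exactly this way, and the relationship target tells you where.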

Conclusion

The targeting, together with the hosting of custom Windows malware and the DroidJack APKs on one fictitious download site, leads the researchers to believe that a different group is behind these attempts. The campaigns occurred alongside Rocket Kitten infrastructure but were conducted in a more professional manner, indicating a subgroup or a separate effort.
Some indicators may also connect the effort to other known groups; the researchers therefore attribute the actors only as probably of Iranian origin and aligned with the Iranian state's interests.

Why are Iran's cyber battalions targeting human rights groups? The Iranian regime does not like Ahmed Shaheed, the UN Special Rapporteur on human rights in Iran. It does not like Amnesty International. It does not like Human Rights Watch. This suggests that the cyber soldiers are being directed by the Iranian government to attack people who do not sing the same tune as the regime. Iran clearly has social engineering and malware capabilities that are impressively advanced and cannot be ignored.

References

https://iranthreats.github.io/resources/human-rights-impersonation-malware/
https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf
