Iranian hackers intensify their cyber operations
Security consultants and intelligence businesses are observing a major intensification of the cyber espionage campaigns linked to Iran-based hackers.
Just a few days in the past, security researchers at Palo Alto Networks had uncovered a brand new cyber espionage marketing campaign linked to Iran that focused a number of organizations within the Middle East. Threat actors hit quite a few organizations within the vitality, authorities, and know-how industries, all of the victims are situated or have an curiosity in Saudi Arabia.
The hacking marketing campaign was dubbed Magic Hound, and in response to the analysts, it dates again a minimum of mid-2016.
It is fascinating to notice that hackers behind the Magic Hound marketing campaign used a variety of customized instruments and an open-source, cross-platform distant entry instrument (RAT) dubbed Pupy.
“According to the developer, PupyRAT is a “multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python.” CTU™ evaluation confirms that PupyRAT can provide the risk actor full entry to the sufferer’s system.” reads the evaluation revealed by SecureWorks.
The hackers’ arsenal contains completely different households of customized instruments, together with droppers, downloaders, executable loaders, doc loaders and IRC bots.
“Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either in in or business interests in Saudi Arabia.” reads the evaluation revealed by PaloAlto Networks.
“Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called “Rocket Kitten” (AKA Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish) in addition to an older assault marketing campaign referred to as Newscasters.”
Experts at SecureWorks are additionally monitoring the exercise of the Iranian risk actor; they linked the attacker to a nation-state group of hackers tracked as COBALT GYPSY that’s related to the Government of Teheran.
The approach utilized by hackers isn’t subtle; hackers used spear-phishing messages with Word and Excel paperwork embedding malicious macros. When the victims open the doc and allow the macro, a malicious payload is downloaded and executed.
“The downloaded document attempts to run a macro that then runs a PowerShell command. This command downloads two additional PowerShell scripts that install PupyRAT, an open-source remote access trojan (RAT),” reads the evaluation revealed by SecureWorks.
The malicious paperwork used within the assaults seem like vacation greeting playing cards, job affords, and official authorities paperwork from the Ministry of Health and the Ministry of Commerce in Saudi Arabia.
Figure 1 – Malicious paperwork used within the Magic Hound Campaign (SecureWorks)
In January 2017, a cyber espionage group linked to the Iranian Government has been utilizing an unsophisticated pressure of malware, dubbed MacDownloader, to steal credentials and different information from Mac computer systems.
The malicious code was found and analyzed by the malware researchers Claudio Guarnieri and Collin Anderson. The security duo found that the malicious code was disguised by nation-state hackers as a Flash Player replace and a Bitdefender Adware Removal Tool.
The assaults noticed by the researchers principally focused the protection industrial base sector, however the identical risk actors additionally used the identical malware in a focused assault in opposition to a human rights advocate.
The malicious code doesn’t seem like subtle, in response to the security duo it was “poorly” developed the tip of 2016 and its code was copied from different sources.
The downside is that even when the code could be very easy, on the time of writing the evaluation, MacObtain was undetected by virus scanning engines on VirusTotal. More than a month later, lower than half of the distributors was in a position to detect the bogus Flash Player and Bitdefender apps as a risk.
Once the MacDownloader infects a tool, the malware collects details about the host, together with passwords saved within the Keychain.
“MacDownloader seems to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer. In multiple cases, the code used has been copied from elsewhere. The simple activity of downloading the remote file appears to have been sourced from a cheat sheet. The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collection of credentials from macOS’s Keychain password manager – which mirrors the focus of Windows malware developed by the same actors.” reads the evaluation revealed by the security duo.
The consultants found a primary pattern of the malware on a pretend web site of the aerospace agency United Technologies Corporation, that’s the identical web site that was used previously to unfold a Windows malware and the Browser Exploitation Framework (BeEF).
The malware researchers linked the MacDownloader with the exercise of an Iranian risk actor recognized as Charming Kitten (aka Newscaster and NewsBeef).
The Newscaster hacker group made the headlines in 2014 when consultants at iSight issued a report describing essentially the most elaborate net-based spying marketing campaign organized by Iranian hackers utilizing social media.
Iranian Hackers used a community of pretend accounts (NEWSCASTER community) on principal social media to spy on US officers and political workers worldwide, that is reported in an evaluation achieved by iSIGHT Partners. The Charming Kitten group can also be recognized for the abuse of Open Source Security Tools, together with the BeEF.
The evaluation of the malware revealed that the authors have tried to implement distant replace and persistence capabilities, however each options don’t work.
“It appears that the application contains an unused attempt to install persistent access to the victim host. One segment provides a poorly-implemented shell script to save a response from the C2 and mark it for persistence by writing an entry in the /etc/rc.common file. In theory, every time the infected computer would start up, the shell script would be launched to download a file from a remote location, check if it changed from the previous iteration, and if so execute that new implant. While we haven’t managed to obtain a proper response from the server before it was taken offline, our initial investigation did not find a subsequent implant,” states the evaluation.
The consultants have collected proof that hyperlinks the malware to different Iranian risk actors, together with the Iran Cyber Security Group and Flying Kitten (aka Rocket Kitten).
Figure 2 – MacDownloader Malware
“Of particular note are wireless networks named Jok3r and mb_1986. Jok3r corresponds with a member of a defacement group, Iran Cyber Security Group, who continues to be fairly active in vandalizing sites. Iran Cyber Security Group also, as with many other defacement groups later identified as involved in state-aligned campaigns, purports to provide commercial security services and penetration testing training,” states the report.
“The “mb_1986″ wireless name is more interesting, as it provides a connection to earlier Iranian campaigns, overlapping with the Flying Kitten actor group and subsequent malware activity in summer 2014.”
Iranian OilRig APT is again
The OilRig APT is among the hottest hacker group linked to the Iranian Governments that has been round since a minimum of 2015. The group performed quite a few cyber assaults in opposition to authorities businesses, monetary establishments and know-how corporations in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait, Qatar, the United States, and Turkey.
Experts from Palo Alto Networks have been monitoring the exercise of the group over time; hackers performed quite a few spear-phishing assaults utilizing weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor referred to as “Helminth.”
In January, the consultants at ClearSky reported a brand new string of cyber assaults that focused a number of Israeli organizations, together with IT distributors, the nationwide postal service, and monetary establishments.
The state-sponsored hackers arrange a pretend Juniper Networks VPN portal and used compromised electronic mail accounts from IT distributors to lure victims to it.
The hackers used the e-mail accounts of the IT distributors to ship messages containing hyperlinks to the pretend VPN portal to the victims.
“The email was sent from a compromised account of an IT vendor. Similar emails were sent from other IT vendors in the same time period, suggesting the attackers had a foothold within their networks, or at least could get access to specific computers or email accounts.” reads the evaluation from ClearSky.
Figure three – Bogus VPN Website
When the victims click on on the hyperlink are redirected to the rogue Juniper web site that shows customers the directions to put in a reliable VPN consumer that packaged with the Helminth malware.
The attackers signed the trojanized VPN consumer with a legitimate code-signing certificates issued by Symantec to a US-based software program firm referred to as AI Squared. The researchers additionally found a second pattern of the Helminth malware signed with one other certificates.
“Another Helminth pattern, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a special AI Squared code signing certificates:
Serial quantity:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48
This suggests that the attackers had obtained a maintain of an AI Squared signing key, doubtlessly after compromising their community. Alternatively, the attackers may need obtained Symantec to challenge them a certificates underneath AI Squared’s identify,” states the evaluation.
The OilRig group used 4 domains apparently belonging to Oxford University (together with oxford-symposia[.]com, oxford-careers[.]com, oxford[.]in and oxford-employee[.]com).
In one case, the risk actors arrange a pretend Oxford convention registration web site to instruct guests to put in a instrument wanted for pre-registration that hides a malicious code signed with an AI Squared certificates.
Figure four – OilRig arrange a pretend Oxford convention
Back in December 2015, the consultants from Symantec revealed an in depth evaluation of the cyber espionage marketing campaign performed by two Iran-based hacker teams, dubbed Cadelle and Chafer, which used the backdoor.Cadelspy and backdoor.Remexi to spy on Iranian people and Middle Eastern organizations.
The IP tackle 184.108.40.206 reported within the evaluation of Symantec belonging to the C&C infrastructure utilized by the Chafer group is similar utilized by the OilRig.
“Backdoor.Remexi, one of many malware in use by Chafer, had the next command and management host:
Interestingly, IP tackle 220.127.116.11, which function a command and management tackle for an OilRig associated pattern (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as effectively.”
This circumstance means that the Chafer and OilRig are the identical Iranian entity.
Iranian hackers behind the Magic Hound marketing campaign linked to Shamoon
The dreaded Shamoon malware, aka Disttrack, made the headlines within the final a part of 2016.
On December 2016, security consultants from Palo Alto Networks and Symantec each monitored a brand new wave of cyber assault on a single Saudi firm.
We met the Shamoon malware for the primary time on August 15th, 2012, when the Saudi Arabia’s oil firm, Saudi Aramco introduced that its techniques and its inside community had been victims of a cyber-attack. According to the corporate, Shamoon contaminated greater than 30,000 workstations.
The new variant of Shamoon, so-called Shamoon 2, can rewrite the MBR on affected computer systems with a picture of a three-year-old Syrian boy named Alan Kurdi that lay useless on a Turkish seashore.
“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.
Just a few weeks later, in January, researchers at Palo Alto Networks found a brand new pressure of the Shamoon 2 malware that was concentrating on virtualization merchandise.
The researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) have now revealed an in depth evaluation of the assault chain of the Shamoon malware, which is taken into account a weapon used within the data warfare between Saudi Arabia and Iran.
The IBM’s X-Force consultants have recognized the servers used to ship the Shamoon 2 variant and had been in a position to break into considered one of them gathering extra data on the risk.
“This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations:” IBM experiences.
- Attackers ship a spear phishing electronic mail to staff of the goal group. The electronic mail comprises a Microsoft Office doc as an attachment.
- Opening the attachment from the e-mail invokes PowerShell and allows command line entry to the compromised machine.
- Attackers can now talk with the compromised machine and remotely execute instructions on it.
- The attackers use their entry to deploy further instruments and malware to different endpoints or escalate privileges on the community.
- Attackers research the community by connecting to further techniques and finding essential servers.
- The attackers deploy the Shamoon malware.
- A coordinated Shamoon outbreak begins, and laptop laborious drives throughout the group are completely wiped.
Figure 5 – Shamoon 2 assault
The attackers launched a spear-phishing marketing campaign in opposition to the potential targets; they used to impersonate a trusted individual, for instance, the Saudi Arabia’s Ministry of Commerce and Investment or the Egyptian software program firm IT Worx.
The messages include a Word doc marked as a resume, medical paperwork, or password coverage tips, anyway one thing of curiosity for the potential sufferer.
The paperwork embrace a malicious macro that’s used to start out the assault when the sufferer executes it. The execution of the macro launches two completely different Powershell scripts.
- The first script downloads and executes one other PowerShell script from the 18.104.22.168:3485/eiloShaegae1 by way of HTTP. The second script creates a reminiscence buffer utilizing the VirtualAlloc library name, fetches shell code from 22.214.171.124:4443/0w0O6 by way of HTTP, copies it into the buffer, and executes the code utilizing CreateThread. This thread then creates one other buffer, fills it with a PowerShell script from 126.96.36.199:4443/0w0O6 by way of HTTP, and runs that.
- The second script creates a reminiscence buffer utilizing the VirtualAlloc library name, fetches shell code from 188.8.131.52:4443/0w0O6 by way of HTTP, copies it into the buffer, and executes the code utilizing CreateThread. This thread then creates one other buffer, fills it with a PowerShell script from 184.108.40.206:4443/0w0O6 by way of HTTP, and runs that, too.
“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” continues the report.
The researchers recognized two net domains used to host malicious executables and launch the assaults.
- Ntg-sa[.]com that spoofs the legit ntg.sa.com area of Saudi petrochemical help agency Namer Trading Group.
- maps-modon[.]membership that spoofs maps.modon.gov.sa, which is related to the Saudi Industrial Property Authority.
This data is treasured for system directors that would verify any connection to those domains and block it.
The consultants exploited the contaminated machine for reconnaissance, gathering data on the goal community and stealing delicate data. Once accomplished this section the attackers deploy the Shamoon payload.
Saudi Arabia is warning native organizations concerning the Shamoon malware; consultants imagine that the risk actor behind these operations will proceed its exercise quickly disappearing and altering tactic.
The consultants at IBM X-Force made an fascinating discovery, a few of the domains used within the Magic Hound marketing campaign had been noticed within the Shamoon 2 assaults.
According to the consultants at Palo Alto Networks an IRC bot used within the Magic Hound marketing campaign is similar to a bit of malware utilized by Newscaster, aka Charming Kitten and NewsBeef, the Iranian actor that focused people within the U.S., Israel and different international locations utilizing pretend social media profiles.
Iranian hackers seem very lively on this interval, each Charming Kitten and Rocket Kitten actors had been talked about in an evaluation of the MacDownloader malware used to exfiltrate information from Mac computer systems.
Let’s shut with a fast take a look at the cyber-attacks detected by the researchers over time:
|February 2016||Iranian hackers compromised former IDF chief’s laptop||According to a report revealed by the Israel’s Channel 10, tons of of Israel’s present and former prime security officers have been focused by Iranian hackers.|
|December 2015||Iranian hackers penetrated computer systems of a small dam in NY
||Iranian hackers penetrated the economic management system of a dam close to New York City in 2013, elevating considerations concerning the security of US essential infrastructure.|
|December 2015||Cadelle and Chafer, Iranian hackers are monitoring dissidents and activists
||Symantec has uncovered Cadelle and Chafer teams, two Iran-based hacking groups that had been monitoring dissidents and activists.|
|November 2015||Facebook first found spear phishing assaults of Iranian hackers on State Department staff
||Facebook was the primary firm to note the intrusion of Iranian Hackers within the e-mail accounts of US State Department officers targeted on Iran. The assaults appeared politically motivated and aimed to assemble information about US-Iranian twin residents in Iran.|
|November 2015||New perception on the Rocket Kitten Iranian hacking crew
||Experts from Check Point agency revealed a brand new report on the Rocket Kitten APT that embrace extra perception into the actions of the group.|
|October 2015||Iranian Cleaver hackers exploit LinkedIn for cyber espionage
||The Cleaver group managed a well-developed community of pretend LinkedIn profiles for cyber espionage goal.|
|June 2015||Thamar Reservoir – Iranian hackers goal entities within the Middle East
||Security consultants at ClearSky revealed a report on the cyber espionage marketing campaign dubbed Thamar Reservoir that’s concentrating on entities within the Middle East.|
|December 2014||Iranian Hackers worn out machines at Sands Corp Casino
||Bloomberg revealed that Iranian hackers used Visual Basic malware to wipe out information from company techniques at Las Vegas Sands Corp|
|December 2014||Operation Cleaver – Iranian hackers goal industries worldwide
||Security agency Cylance revealed that Iranian hackers goal airways, vitality, protection corporations worldwide as a part of the Operation Cleaver marketing campaign.|
|May 2014||Ajax Security Team lead Iran-based hacking teams||FireEye revealed a report titled “Operation Saffron Rose” to doc the actions of the Iranian hacking group named Ajax Security Team
|May 2014||Iranian hackers behind most elaborate spying marketing campaign on social media
||Iranian Hackers use a community of pretend accounts (NEWSCASTER community) on principal social media to spy on US officers and political workers worldwide, that is reported in an evaluation achieved by iSIGHT Partners.|