This week, we have a bit of a theme as we look at Playing Cat and Mouse, RATs and CopyKitten - Be Vigilant!
Playing Cat & Mouse: Introducing the Felismus Malware
For the past several weeks, a low-profile piece of malware has piqued our interest for several reasons: few samples appear to be available in the wild; there is no previous documentation referring to the Command and Control domains and IP addresses it uses (despite the domains appearing to be at least twelve months old); and, if its compilation timestamps are to be trusted, the campaign itself may have been active for at least six months before samples started to surface... The primary samples examined appear in the wild with filenames mimicking that of Adobe's Content Management System  and offers a range of commands typical of Remote Access Tools: file upload, file download, file execution, and command execution.
OilRig Campaign Analysis
The earliest instance where a cyberattack was attributed to the OilRig campaign was in late 2015. To date, two periods of high activity have been identified following the initial attack. These were in May and October 2016. All known samples from these periods used infected Excel files attached to phishing emails to infect victims. Once infected, the victim machine can be controlled by the attacker to perform basic remote-access Trojan-like tasks including command execution and file upload and download.
Jerusalem Post and other Israeli websites compromise by Iranian threat actor CopyKitten
On 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google translation of the statement: After the cyberattack on the German Bundestag in 2015, some protective functions that the BSI has established for government networks have also been adopted by the German Bundestag for its own networks. Since the beginning of January 2017, the BSI, as the national cyber security agency, has been in close contact with the German Bundestag, due to the network traffic of the German Bundestag. At the request of the German Bundestag the BSI analyzed these problems in network traffic. The technical analyzes have been completed. The website of the Jerusalem Post was manipulated and linked to a harmful third party. Within the framework of the analyzes, however, the BSI has not discovered any malicious software; infections are also not known to the BSI.
Carbon Paper: Peering into Turlas second stage backdoor
The Turla espionage group has been targeting various institutions for many years. Recently, several new versions of Carbon has been detected, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past. This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.
Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations
From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. The name ‘MoonWind’ was chosen based on debugging strings observed within the samples, as well as the compiler used to generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past. Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time. The attackers used different command and control servers (C2s) for each malware family, a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone. The compromised websites are the site for a group of information technology companies in Thailand, and all the tools were stored in the same directory.
How Cyber Propaganda Influenced Politics in 2016
A collection of domains registered by Pawn Storm/Sofacy/APT28/Fancy Bear to target organisations.
The US was allegedly hacked by Pawn Storm, a threat actor group known for targeting people and organizations that might be perceived as a threat to Russia. For example, between 2014 and 2016 Pawn Storm set up dedicated campaigns against the armed forces of at least a dozen countries. Pawn Storm’s activities show that foreign and domestic espionage and influence on geopolitics are the group’s main motives, and not financial gain.
Compared to other botnet malware families such as Necurs or Andromeda, which have millions of bots, GhostAdmin is just making its first victims. Despite the currently low numbers, GhostAdmin can grow to those figures as well, if its author ever wanted to run a spam botnet like Necurs and Andromeda. In its current form, GhostAdmin and its botmaster seem to be focused on data theft and exfiltration.
Dimnie: Hiding in Plain Sight
In mid-January reports of open-source developers receiving malicious emails became of focus for our researchers. Multiple owners of Github repositories received phishing emails. Though there were multiple waves of messages following a similar tactic, each one carried the same malicious .doc file as an attachment. This file contained embedded macro code that executed a commonly observed PowerShell command to download and execute a file.
APT29 Domain Fronting With TOR
Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques. Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites. APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS. This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites. The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.