Introduction
Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.

By investigating the entire infection chain and attack infrastructure, we were able to track previous operations that share many characteristics with this attack’s inner workings. We also came across an online avatar of a Russian-speaking hacker, who seems to be in charge of the tools developed and used in this attack.

In this article, we will discuss the infection chain, those targeted, the tools used and a possible attribution to one of the hackers behind the attack.

The Infection Chain

The infection flow starts with an XLSM document with malicious macros, which is sent to potential victims via e-mail under the subject “Military Financing Program”:

Email subject: military financing program
File name: “Military Financing.xlsm”
SHA-256: efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12

Fig 1: Decoy document

The well-crafted document bears the logo of the U.S. Department of State, and is marked as Top Secret. Although the attackers have worked hard to make the document appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack.

Fig 2: The infection chain

Once the macros are enabled, two files are extracted from hex-encoded cells within the XLSM document:

The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more “functionality” to TeamViewer by hooking Windows APIs called by the program.

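The hex-in-cells storage described above is something a defender can triage without ever enabling the macro: an XLSM file is a zip archive, so cell text can be pulled out of the XML parts, long hexadecimal runs decoded, and the result checked for an MZ/PE header. The following Python script is an added example written for this article, not code from Check Point or from the attacker’s toolkit. The file it inspects is a constructed sample (a `vbaProject.bin` part plus a shared string holding a hex-encoded 72-byte PE header stub), and the 32-byte minimum run length is an assumed threshold, not something the post states.

```python
import io
import re
import struct
import zipfile
import xml.etree.ElementTree as ET

# Assumed threshold: at least 32 contiguous bytes (64 hex digits) before a cell is worth decoding.
HEX_RUN = re.compile(r"\b(?:[0-9A-Fa-f]{2}){32,}\b")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def iter_cell_text(xml_bytes: bytes):
    """Yield the text of every <t> (string) and <v> (value) element in a SpreadsheetML part."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        if tag in ("t", "v") and el.text:
            yield el.text


def triage_xlsm(data: bytes) -> dict:
    """Report macro presence and every long hex run in cell text, decoded and checked for a PE header."""
    findings = {"has_vba": False, "hex_blobs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not (name.startswith("xl/") and name.endswith(".xml")):
                continue
            for text in iter_cell_text(zf.read(name)):
                for m in HEX_RUN.finditer(text):
                    blob = bytes.fromhex(m.group(0))
                    findings["hex_blobs"].append(
                        {"part": name, "size": len(blob), "is_pe": looks_like_pe(blob)}
                    )
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed sample (not a real malware file): a minimal XLSM-shaped zip with a macro
    part and a shared string that hex-encodes a 72-byte MZ/PE header stub."""
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    shared_strings = (
        f'<sst xmlns="{ns}" count="3" uniqueCount="3">'
        "<si><t>Quarterly budget review</t></si>"  # ordinary text
        "<si><t>DEADBEEF</t></si>"                 # short hex-looking value, below the threshold
        f"<si><t>{stub.hex()}</t></si>"            # the hex-encoded binary
        "</sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{ns}"/>')
        zf.writestr("xl/sharedStrings.xml", shared_strings)
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 28)  # OLE magic only
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_xlsm(build_sample_xlsm())
    print("macros present:", report["has_vba"])
    for hit in report["hex_blobs"]:
        print(f"{hit['part']}: {hit['size']} decoded bytes, PE header: {hit['is_pe']}")
```

Run against a real file, `triage_xlsm(open(path, "rb").read())` gives the analyst the decoded blob sizes and whether any of them is an executable before the document is opened in Excel; a positive `is_pe` on a spreadsheet that also carries `vbaProject.bin` is a strong signal for this family’s delivery style.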
Modified functionality includes:

Fig 3: MoveFileW function hook: adds payload “execute” and “inject” functionality.

The following is a demonstration of how it actually works:

Fig 4: Remote payload execution demo

Victims
As described in the infection flow, one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC.

The directory to which those screenshots were uploaded was left exposed, and could have been viewed by browsing to the specific URL:

Fig 5: Open directory with victims’ screenshots

However, those screenshot files were deleted periodically from the server, and eventually the “open directory” view was disabled.

Until then, we were able to ascertain some of the victims of these attacks, as most of the screenshots included identifying information.

From the targets we have observed in our own telemetry, as well as the information we have gathered from the server, we were able to compose a partial list of countries where officials were targeted:

It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world.

Nevertheless, the observed victim list reveals the attacker’s particular interest in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.

Previous Campaigns
While all campaigns observed from this threat actor utilized a trojanized version of TeamViewer, the features of the malicious DLL have changed, and the first stage of the infection has evolved over time.

Delivery

The initial infection vector used by the threat actor also changed over time: during 2018 we saw multiple uses of self-extracting archives, which displayed a decoy image to the user, instead of malicious documents with AutoHotKey.

For example, the self-extracting archive “Положение о прокуратуре города(приказом прокурора края)_25.12.2018.DOC.exe” (translated as “Regulations on the city prosecutor’s office (by order of the regional prosecutor)_25.12.2018.DOC.exe”) displays the following image:

Fig 6: SFX archive decoy image

This image shows officials from Kazakhstan, and was taken from the website of Kazakhstan’s Ministry of Foreign Affairs. The original name of the executable and the decoy content it displays seem to suggest that it was targeting Russian-speaking victims.

There were also other instances in which related campaigns were after Russian speakers: one of the weaponized Excel documents had instructions, in fluent Russian, on how to enable content for the macros to run:

Fig 7: Russian decoy document

SHA-256: 67d70754c13f4ae3832a5d655ff8ec2c0fb3caa3e50ac9e61ffb1557ef35d6ee

Afterwards, it would display finance-related Russian content:

Fig 8: Russian decoy document – after macros are enabled

Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers, the recurring financial and political themes that they use highlight the attacker’s interest in the financial world once more.

The Payload
Throughout the campaigns, multiple changes to the functionality of the malicious TeamViewer DLL were introduced. Below are the feature highlights of each version:

First Variant (?-2018)

Second Variant (2018)

Fig 9: Help commands found in malicious DLL

Third Variant – as observed in the current campaign (2019)

Attribution
Although in such campaigns it is usually unclear who is behind the attack, in this case we were able to locate a user, active in several online forums, who appears to be behind the aforementioned activity, or is at least the creator of the tools used in the attack.

By following the trail from the previous campaigns we were able to find a `CyberForum[.]ru` user that goes by the name “EvaPiks”.

In multiple instances, the user would suggest, or be advised by other users to use, some of the techniques we witnessed throughout the campaigns.

The following are translated snippets from some of the threads in the forum:

Fig 10: EvaPiks – suggested macro code

The macro code suggested by EvaPiks in the above thread was actually used in the latest attack, and some of the variable names such as “hextext” were not even changed.

In the following screenshot, we see EvaPiks suggesting a Delphi code snippet that “works great”:

Fig 11: EvaPiks – suggested PHP code

Fig 12: Panel URL found in DLL code

In addition to the similar Delphi usage, the URL mentioned in the forum (`newpanel_gate/gate.php`) was used in one of the attacks.

Back in 2017, EvaPiks was the one seeking advice on the forum, with questions about API function call interception:

Fig 13: EvaPiks – seeking Delphi hooking advice on the forums

Fig 14: Hooks found in DLL code

The same technique for hooking the `CreateMutexA` and `SetWindowTextW` functions was utilized in the sample we observed as well.

An additional screenshot from the forum reveals how EvaPiks is experimenting with new features, some of which were integrated into the malicious DLLs:

Fig 15: EvaPiks – development PC screenshot from the forums

Besides `CyberForum[.]ru`, we also found that this avatar was active on an illegal Russian carding forum, strengthening the notion that their forum activity is not for “educational purposes” only:

Fig 16: EvaPiks – complaining about a fellow user on a carding forum

The Attack Infrastructure
At one point or another, all the observed samples, except some of the samples from the first variant, utilized the same web hosting company: HostKey [see Appendix B for a list of URLs].

Additionally, we observed the following login panels on the C&C servers utilized by the malicious DLLs:

Fig 17: “Cyber Industries” login panel hosted on 193.109.69[.]5

Fig 18: Login panel hosted on 146.0.72[.]180

Summary
On the one hand, from the findings we have described, this appears to be a well thought-out attack that carefully selects a handful of victims and uses tailored decoy content to match the interests of its target audience.

On the other hand, some aspects of this attack were carried out with less caution, and have exposed details that are usually well disguised in similar campaigns, such as the personal information and online history of the perpetrator, as well as the reach of their malicious activity.

The malicious DLL allows the attacker to send additional payloads to a compromised machine and remotely run them. Since we were not able to find such a payload and learn what other functionality it introduces besides that provided by the DLL, the real intentions of the latest attack remain unclear.

However, the activity history of the developer behind the attack in underground carding forums and the victims’ characteristics may imply that the attacker is financially motivated.

Check Point’s SandBlast

The malware used in this attack was caught using Check Point’s Threat Emulation and Threat Extraction.

Threat Emulation is an innovative zero-day threat sandboxing capability, used by SandBlast Network to deliver the best possible catch rate for threats, and is virtually immune to attackers’ evasion techniques. As part of the Check Point SandBlast Zero-Day Protection solution, Threat Emulation prevents infections from new malware and targeted attacks. The Threat Extraction capability removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow.

IOCs
DLLs

```text
013e87b874477fcad54ada4fa0a274a2
799AB035023B655506C0D565996579B5
e1167cb7f3735d4edec5f7219cea64ef
6cc0218d2b93a243721b088f177d8e8f
aad0d93a570e6230f843dcdf20041e1e
1e741ebc08af09edc69f017e170b9852
c6ae889f3bee42cc19a728ba66fa3d99
1675cdec4c0ff49993a1fcbdfad85e56
72de32fa52cc2fab2b0584c26657820f
44038b936667f6ce2333af80086f877f
```

Documents

```text
4acf624ad87609d476180ecc4c96c355
4dbe9dbfb53438d9ce410535355cd973
```

C&Cs

```text
1c-ru[.]net/check/license
intersys32[.]com/3307/
146.0.72[.]180/3307/
146.0.72[.]180/newcpanel_gate/gate.php
185.70.186[.]145/gate.php
185.70.186[.]145/index.php
193.109.69[.]5/3307/gate.php
193.109.69[.]5/9125/gate.php
```

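The C&C indicators above are published defanged (`[.]` instead of `.`) and mix bare-host, directory and exact-path entries, so turning them into a proxy-log check takes a little care. The script below is an added example for this article, not Check Point code: it refangs the list, treats an indicator ending in `/` as a directory prefix and any other indicator as an exact path (query string ignored), and also flags requests to a listed host whose path is not on the list, since a new gate path on a known C&C server is still worth a look. The Squid-style access log it scans is constructed; the client addresses and the resolved-IP column are made up.

```python
from urllib.parse import urlsplit

# C&C indicators as published in the IOC section above, kept in their defanged ([.]) form.
CNC_IOCS = [
    "1c-ru[.]net/check/license",
    "intersys32[.]com/3307/",
    "146.0.72[.]180/3307/",
    "146.0.72[.]180/newcpanel_gate/gate.php",
    "185.70.186[.]145/gate.php",
    "185.70.186[.]145/index.php",
    "193.109.69[.]5/3307/gate.php",
    "193.109.69[.]5/9125/gate.php",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared with real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_ioc(ioc: str):
    """Return (host, path) for a host/path style indicator; a bare host gets path '/'."""
    host, _, path = refang(ioc).partition("/")
    return host.lower(), "/" + path


IOC_HOSTS = {split_ioc(i)[0] for i in CNC_IOCS}


def match_url(url: str) -> dict:
    """Compare one requested URL against the indicator list.

    An indicator whose path ends in '/' is a directory prefix (146.0.72[.]180/3307/ covers any
    file under that directory); any other path must match exactly, with the query string ignored.
    Traffic to a listed host that hits none of the published paths is still reported via host_known.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    hits = []
    for ioc in CNC_IOCS:
        ihost, ipath = split_ioc(ioc)
        if host != ihost:
            continue
        if path == ipath or (ipath.endswith("/") and path.startswith(ipath)):
            hits.append(ioc)
    return {"url": url, "ioc_hits": hits, "host_known": host in IOC_HOSTS}


def scan_proxy_log(text: str) -> list:
    """Run match_url over Squid native access-log lines; one alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        result = match_url(url)
        if result["ioc_hits"] or result["host_known"]:
            alerts.append({"client": client, "method": method, **result})
    return alerts


# Constructed sample log (Squid native format); client and resolved addresses are made up.
SAMPLE_PROXY_LOG = """\
1555243920.101    245 10.0.0.12 TCP_MISS/200 512 POST http://193.109.69.5/3307/gate.php - HIER_DIRECT/193.109.69.5 text/html
1555243921.377     80 10.0.0.12 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1555243925.002    310 10.0.0.33 TCP_MISS/200 256 GET http://1c-ru.net/check/license - HIER_DIRECT/198.51.100.7 text/plain
1555243930.910     95 10.0.0.45 TCP_MISS/200 700 GET http://185.70.186.145/index.php?id=7 - HIER_DIRECT/185.70.186.145 text/html
1555243931.500     60 10.0.0.45 TCP_MISS/404 300 GET http://185.70.186.145/other.php - HIER_DIRECT/185.70.186.145 text/html
1555243940.250    120 10.0.0.51 TCP_MISS/200 640 POST http://146.0.72.180/3307/gate.php - HIER_DIRECT/146.0.72.180 text/html
"""

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        tag = ", ".join(alert["ioc_hits"]) or "known C&C host, unlisted path"
        print(f"{alert['client']} {alert['method']} {alert['url']} -> {tag}")
```

The fifth sample line shows why `host_known` is kept separate from `ioc_hits`: `other.php` on 185.70.186.145 matches none of the published paths, but a defender would still want the request surfaced rather than silently dropped.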
Appendix A: Yara Rule
```yara
rule TeamViwer_backdoor
{
    meta:
        date = "2019-04-14"
        description = "Detects malicious TeamViewer DLLs"

    strings:
        // PostMessageW hook function
        $x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}

    condition:
        uint16(0) == 0x5a4d and $x1
}
```

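To make the rule’s condition concrete: `uint16(0) == 0x5a4d` is the little-endian read of the two bytes `4D 5A` (“MZ”), so the rule only fires on DOS/PE images, and `$x1` is the 32-byte prologue of the hook function. The Python below is an added example for this article, not Check Point’s code and not a replacement for YARA itself; it re-implements just these two operators (plain hex bytes only, no wildcards or jumps) and evaluates them over three constructed buffers: an MZ image carrying the pattern, the same bytes inside a non-PE blob, and a clean MZ image.

```python
import struct
from typing import List, Optional

# The hex string from the rule in Appendix A, exactly as published ($x1).
X1_HEX = "55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8"


def parse_hex_string(spec: str) -> bytes:
    """Convert a YARA hex string body to bytes (plain bytes only; wildcards and jumps are out of scope)."""
    tokens = spec.split()
    if not all(len(t) == 2 and all(c in "0123456789abcdefABCDEF" for c in t) for t in tokens):
        raise ValueError("only plain hex bytes are supported in this example")
    return bytes.fromhex("".join(tokens))


def uint16(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(offset): little-endian 16-bit read, undefined (None) when out of bounds."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def find_pattern_offsets(data: bytes, pattern: bytes) -> List[int]:
    """All offsets where pattern occurs (what YARA exposes as @x1[i])."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def matches_rule(data: bytes) -> bool:
    """Evaluate 'uint16(0) == 0x5a4d and $x1' the way the rule does."""
    x1 = parse_hex_string(X1_HEX)
    return uint16(data, 0) == 0x5A4D and bool(find_pattern_offsets(data, x1))


def build_samples() -> dict:
    """Constructed buffers, not real files: an MZ image with the pattern at 0x200, the same
    bytes inside a text dump, and an MZ image without the pattern."""
    x1 = parse_hex_string(X1_HEX)
    return {
        "mz_with_hook": b"MZ" + b"\0" * (0x200 - 2) + x1 + b"\0" * 16,
        "text_with_hook": b"-- disassembly dump --\n" + x1 + b"\n",
        "mz_clean": b"MZ" + b"\0" * 0x200,
    }


if __name__ == "__main__":
    x1 = parse_hex_string(X1_HEX)
    for name, buf in build_samples().items():
        print(f"{name}: match={matches_rule(buf)} offsets={find_pattern_offsets(buf, x1)}")
```

The second sample is the instructive one: the hook bytes are present, but because the buffer does not start with `MZ` the rule correctly stays silent, which is what keeps it from firing on disassembly listings, memory dumps or this blog post itself.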
Appendix B: Online services of interest
Banks

```text
bankofamerica.com,pacwestbancorp.com,alipay.com,cbbank.com,firstrepublic.com,chase.com
citibank.com,bankamerica.com,wellsfargo.com,citicorp.com,pncbank.com,us.hsbc.com,bnymellon.com
usbank.com,suntrust.com,statestreet.com,capitalone.com,bbt.com,tdbank.com,rbs.com,regions.com
53.com,ingdirect.com,keybank.com,ntrs.com,www4.bmo.com,usa.bnpparibas.com,mufg.jp,aibgroup.com
comerica.com,zionsbank.com,mibank.com,bbvabancomerusa.com,huntington.com,bank.etrade.com,synovus.com
bancopopular.com,navyfcu.org,schwab.com,rbcbankusa.com,colonialbank.com,hudsoncitysavingsbank.com,db.com
peoples.com,ncsecu.org,associatedbank.com,bankofoklahoma.com,mynycb.com,firsthorizon.com,firstcitizens.com
astoriafederal.com,firstbankpr.com,commercebank.com,cnb.com,websterbank.com,fbopcorporation.com
frostbank.com,guarantygroup.com,amtrust.com,nypbt.com,wbpr.com,fult.com,penfed.org,tcfbank.com,lehman.com
bancorpsouthonline.com,valleynationalbank.com,thesouthgroup.com,whitneybank.com,susquehanna.net,citizensonline.com
ucbh.com,raymondjames.com,firstbanks.com,wilmingtontrust.com,bankunited.com,thirdfederal.com,wintrustfinancial.com
sterlingsavingsbank.com,boh.com,arvest.com,eastwestbank.com,efirstbank.com,theprivatebank.com,flagstar.com
becu.org,umb.com,firstmerit.com,corusbank.com,svb.com,prosperitybanktx.com,washingtonfederal.com
ucbi.com,metlife.com,ibc.com,cathaybank.com,trustmark.com,centralbancompany.com,umpquabank.com
pcbancorp.com,schoolsfirstfcu.org,mbfinancial.com,natpennbank.com,fnbcorporation.com,fnfg.com,golden1.com
hancockbank.com,firstcitizensonline.com,ubsi-wv.com,firstmidwest.com,oldnational.com,ottobremer.org
firstinterstatebank.com,northwestsavingsbank.com,easternbank.com,suncoastfcu.org,santander.com
everbank.com,bostonprivate.com,firstfedca.com,english.leumi.co.il,aacreditunion.org,rabobank.com
parknationalbank.com,provbank.com,alliantcreditunion.org,capitolbancorp.com,newalliancebank.com
johnsonbank.com,doralbank.com,fcfbank.com,pinnaclebancorp.net,providentnj.com,oceanbank.com
ssfcu.org,capfed.com,iberiabank.com,sdccu.com,americafirst.com,hncbank.com,bfcfinancial.com
amcore.com,nbtbank.com,centralpacificbank.com,banksterling.com,bannerbank.com,firstmerchants.com,communitybankna.com
hsbc.com,rbs.co.uk,bankofinternet.com,ally.com,bankofindia.co.in,boi.com.sg,unionbankofindia.co.in,bankofindia.uk.com
unionbankonline.co.in,hdfcbank.com,axisbank.com,icicibank.com,paypal.com,pnm.com,wmtransfer.com,skrill.com,neteller.com
payeer.com,westernunion.com,payoneer.com,capitalone.com,moneygram.com,payza.com
```

Crypto Markets

```text
blockchain.info,cryptonator.com,bitpay.com,bitcoinpay.com,binance.com,bitfinex.com,okex.com
huobi.pro,bitflyer.jp,bitstamp.net,kraken.com,zb.com,upbit.com,bithumb.com,bittrex.com,bitflyer.jp
etherdelta.com,hitbtc.com,poloniex.com,coinone.co.kr,wex.nz,gate.io,exmo.com,exmo.me,yobit.net
korbit.co.kr,kucoin.com,livecoin.net,cex.io,c-cex.com,localbitcoins.net,localbitcoins.com,luno.com
allcoin.com,anxpro.com,big.one,mercatox.com,therocktrading.com,okcoin.com,bleutrade.com,exchange.btcc.com
bitkonan.com,coinbase.com,bitgo.com,greenaddress.it,strongcoin.com,xapo.com
electrum.org,etherscan.io,myetherwallet.com,bitcoin.com
```

Online Shops

```text
ebay,amazon,wish.com,aliexpress,flipkart.com,rakuten.com,walmart.com
target.com,bestbuy.com,banggood.com,tinydeal.com,dx.com,zalando,jd.com
jd.id,gearbest.com,lightinthebox.com,miniinthebox.co
```

Source: https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/


DressCode Android Malware Discovered on Google Play

By Jeff Zacuto, August 31, 2016

The Check Point mobile threat prevention research team discovered a new Android malware on Google Play, called “DressCode,” which was embedded into more than 40 apps, and found in more than 400 additional apps on third party app stores. Check Point notified Google about the malicious apps, and some have already been removed from Google Play.

The oldest apps were uploaded to Google Play in April 2016, where they remained undetected until recently. Some of the apps reached between 100,000 and 500,000 downloads each. Between 500,000 and 2,000,000 users downloaded the malicious apps from Google Play.

Similar to Viking Horde, DressCode creates a botnet that uses proxied IP addresses, which Check Point researchers suspect were used to disguise ad clicks and generate false traffic, generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots can be used for various purposes based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.

Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to “sleep,” to keep it dormant until there’s a use for the infected device. When the attacker wants to activate the malware, he can turn the device into a SOCKS proxy, rerouting traffic through it.

Below are pictures of additional samples of the DressCode malware, as found on Google Play:

So, why should you be concerned about such malware?

Both Viking Horde and DressCode malware create botnets which can be used for various purposes, and even to infiltrate internal networks. Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations.

To demonstrate how this could be achieved, Check Point researchers created a video showing how attackers could potentially use the DressCode malware to access an internal network and retrieve sensitive files from it.

Appendix – Package names found on Google Play

The post DressCode Android Malware Discovered on Google Play appeared first on Check Point Blog.

Source: http://blog.checkpoint.com/2016/08/31/dresscode-android-malware-discovered-on-google-play/