Attacks against Israeli & Palestinian interests

27 April 2015

 View Tom Lancaster's profile on LinkedIn

This short report details the techniques being used in a series of attacks mostly against Israel-based organisations. The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine. Although we are unable to link this campaign to any already documented in open source, it bears similarities to some described by others previously[1],[2].

The earliest samples in the campaign we have identified date back to the summer of 2014. The number of samples discovered and relatively small scale of infrastructure suggest the attackers have limited resources with which to conduct attacks.

Introduction

Our investigation begins by taking a look at the following file: ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9. According to the analysis published on malwr.com[3], this file was originally named ‘Israel Homeland Defense Directory 2015 _Secured_.exe’ and, once executed, the following decoy document was presented:        

1

The initial file in this case is a self-extracting RAR file that contains three components, including a decoy document (in this case, the PDF shown above) and the malware.

Further inspection of the malware extracted showed it wasn’t a family our analysts recognised. This, coupled with the nature of the decoy document used, led us to take a more in depth look at the malware, and associated infrastructure.

We’d like to give special thanks to Eyal Sela of ClearSky Security for his collaborative efforts in this research.

Delivery

The most common way this malware packaged is via a self-extracting RAR file; however the attackers also appear to have used a number of other solutions to drop their malware, including a Visual Basic based wrapper and an Auto-IT based wrapper.

In terms of how the malware is delivered, it’s most likely that it’s done via spearphishing. For example, there are also several occasions where the VirusTotal ‘ITW’ tab suggests that the original dropper was available to download on a 3rd party website. In the case of the sample discussed in the introduction we can see:

2

Pomf.se is a relatively low-profile file sharing/hosting website currently based in Sweden. The use of low-key file-sharing sites appears to be a feature of the campaign as far as we can tell, with a few other similar sites being used in the same way.

This, in conjunction with the nature of the related files we have discovered (all of them are directly executable files) means it is likely that the malware is primarily delivered via spear phishing attempts, rather than any other method.

DownExecute – Brief Analysis

In this analysis, we’ll go over the file with a SHA256 hash of ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9.

We’ve chosen to refer to the malware as ‘DownExecute’ due to the .pdb string left in the malware (leaving debug paths in malware seems to be very fashionable at the moment…):

3

All variants of the DownExecute’ malware we’ve identified come packaged in the following fashion:

4

From the samples we have analysed so far, the decoy application included is never used by the binary, and is presumably included so that anyone taking a cursory look at the file will conclude it is in fact the real deal.  Whilst the cURL[4] binary included is used for internet connectivity but it’s currently unclear why the attackers chose to use this method of adding connectivity to their file.

Some of the binaries are also self-signed:

  5

So what can this malware do? Not all that much – it’s just a downloader.

Before execution, the malware makes a couple of checks to avoid analysis, including checking for the presence of a debugger using IsDebuggerPresent as well as checking for the presence of VirtualBox by looking for the device name \\.\VBoxMiniRdrDN:

  6

The malware also checks for the presence of several anti-virus solutions, as well for any processes including the word ‘security’:

7

The malware then proceeds to decrypt some basic configuration data, including the command & control domain, and information about the origin of the infection, tracked via ID:

   8

Meanwhile, the malware begins calling home, whilst also keeping a log of its actions in a plaintext file that is created in the same folder as where the binary was executed from.

  9

After successful compromise…

It appears as though the clue for the main functionality of this malware is in its name (it downloads, and then executes) files, as it offers little else for the attacker. The DownExecute malware is used as a way for the attackers to gain an initial foothold on the victim machine. The basic information reported back by the malware would also certainly allow the attacker a way to triage infections to ensure they had reached their intended victim rather than a researcher.

We don’t have great visibility into post-compromise activity at this stage; however there are a number of other malware samples which communicate with the same infrastructure as the DownExecute samples. It’s not unreasonable to infer that if these are more fully featured backdoors, that they are likely the 2nd stage malware families used in conjunction with DownExecute. Specifically, we’ve observed the well-documented Xtreme RAT and Poison Ivy malware families in use with the same domain names as DownExecute. The Poison Ivy passwords observed for the group were ‘admin2014’ and ‘[email protected]#$%”.

Command & Control Infrastructure

10

The vast majority of infrastructure in terms of hostnames observed associated with these attacks have been dynamic DNS domains, primarily associated with no-ip.com. This provider is popular with several Middle Eastern threat actors tracked by PwC’s intelligence team. In terms of the size of the infrastructure used in the campaign using the tools described, it’s also fairly small, as shown on our Maltego graph.

The attackers have made an unusual choice with respect to the hosting providers used for the malicious infrastructure. Most of the domains at the time of writing, and indeed historically, have pointed to IP address space owned by Host Sailor, geo-located in Belize. Many of the threat actors in the Middle East that we’re familiar with have extremely volatile IP hosting, owing to the fact that the infrastructure is likely to be hosted on their own networks. This remote hosting therefore somewhat bucks the trend of some of the other actors we see from the region.

Inferred Targeting

As we have mentioned in a number of our other reports[5], attackers often use C&C domains which contain phrases relevant to their targets so as to make them appear legitimate. With this in mind we performed some simple analysis on the domain names used in this campaign to identify legitimate organisations being impersonated. For a full list of C&Cs used, please see Appendix B.

Domain name

Legitimate Entity

Description

Rotter2.sytes.net

rotter.net

Israeli news outlet

haartezenglish.strangled.net

haaretz.co.il

Israeli news outlet

wallanews.sytes.net

walla.co.il

Israeli news outlet

ynet.sytes.net

ynet.co.il

Israeli news outlet

safar.selfip.com

Safar

Islamic 2nd month

depka.sytes.net

debka.com

Israeli news outlet

As shown, there appears to be a theme here, with a number of Israeli news organisations being used as C&C themes and hence probably being targeted. So do we believe this campaign is focused only at Israeli companies? Perhaps not entirely.

Targeting

Whilst there are a number of documents clearly aimed at Israeli nationals , using political and military themes, one of the lures[6] included an Arabic language decoy document pictured below:

10

The document in question discusses an alleged leak of information relating to Abbas, leader of the Palestine Liberation Organization. Whilst this is a subject which is clearly of key interest to all parties in the region, the fact the attackers sent an Arabic language version of the story may indicate that the recipient was expected to be fluent in Arabic, and possibly therefore less likely to be Israeli, but rather someone from another adjacent region.

Conclusion

Whilst, in this case, we’re unable to attribute this set of activity to a specific group or entity in the Middle East, it does bear a significant resemblance to many attacks seen from the Middle East that have been previously documented. Specifically, the following aspects of this campaign remind us of existing write-ups on Middle Eastern campaigns:

  • Consistent use of  the dynamic DNS provider no-ip.com and associated domains:  it’s unclear why there is a preference for this, however in several ‘how-to’ videos on Arabic language underground forums the video creators recommend using no-ip.com as opposed to other dynamic DNS providers;
  • Use of publically available  malware: many groups operating in the Middle East use malware families (such as Poison Ivy/Xtreme RAT) which are publically available rather than developing their own binaries;
  • Variety of targeting: the targeting seems entirely restricted to Middle Eastern issues and, whilst there appears to be a heavy focus on Israel in the decoy documents we’ve observed, there is the possibility that Palestinians have been targeted as well. This is consistent with the complex relationships between the different nations and political groups in the region;
  • Password schema: In their August 2013 blog[7], FireEye noted that a group they refer to as MoleRats used Poison Ivy and Xtreme RAT, in conjunction with a password of “[email protected]#GooD#@!” The keyboard walk used for the symbols “[email protected]#” across the top of a keyboard is similar to the password observed in some of our Poison Ivy samples.

The fact that the attackers chose to develop their own dropper may be indicative that their biggest problem when conducting network intrusions is getting their foot in the door – particularly as it seems as though they still prefer the more fully featured Poison Ivy and Xtreme RAT backdoors as 2nd stage malware families.

When we pivoted and looked for the earliest examples of the DownExecute malware, the first samples we could find were compiled in June 2014. We have no reason to believe in this case that the threat actor has tampered with the compile time on any samples, as all other samples discovered were identified shortly after they were compiled. As such we believe the campaign using this downloader malware has been on-going for approximately 12 months.

 

Appendix A – Samples

SHA256

8993a516404c0dd62692f3ce5055d4ddee7e29ad4bb6aa29f67114eeeaee26b9

bfe727f2f238f11eb989e5b76efd24ad2b41df3cf7dabf7077dfaace834e7f03

dad34d2cb2aa9662d4a4148481ae018f5816498f30cc7aee4919e0e9fe6b9e08

2cb9df0d52d09c98f0a97ce71eb8805f224945cadab7d615ef0257b7b09c80d3

f53fd5389b09c6ad289736720e72392dd5f30a1f7822dbc8c7c2e2b655b4dad9

1d533ddaefc7859a3f6c6751114e895b7aa5935eb0ed68b01ec61aa8560ae3d9

95b2f926ae173ab45d6dac4039f0b91eb24699e6d11b621bbcebd860752e5d5e

da63f6392ce6af83f6d944fa1bd3f28082345fec928647ee7ef9939fac7b2e6c

a7aeeead233fcdfe1c7475db982497a82d8ae745ec1c58bd87215e8869c3f9e4

2eb7aa306551d693691d14558c5dc4f6d80ef8f69cf466149fbba23953c08f7f

e945b055fb4057a396506c74f73b873694125e6178a40d10cabf24b2d89d598f

c9e084eb1ce1066ee063f860c13a8f7d2ead97495036855fc956dacc9a24ea68

047e8d542e2fcdf0f4dd45e2b19848771d01abc90d161d05242b79c52cdd248d

25e6bf67410dffb95c527c19dcff5223dbc3bf4c987650e45fbea1267072e8ff

b0edbd0f44df72e0fad3fb73948444a4df5143ed954c9116eb1a7b606841f187

da63f6392ce6af83f6d944fa1bd3f28082345fec928647ee7ef9939fac7b2e6c

de3e25a69ba43b9f236e544ece7f2da82a4fafb4489ad2e263754d9b9d88bc5c

ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9

f969bf3b7a9821b3b2d5de889b5af7af25972b25ba59e4e9439f87fe90f1c404

14be3a9a2a4261cb365915e720486a0632dbebb06fe68fb669ae67aa9b18507b

488ba22d6cb8c9b0310c58fa4c4739692cdf45676c3164b357314322542f9dff

b3a47e0bc0af49b46bc0c1158089bf200856ff462a5334df2b5c11e69c8b1ada

324ce011b913feec4adb916f32c743a243f07dccb51b49c0122c4fa4a8e2bded

d6df5943169b48ac58fc28bb665fe8800c265b65fff8a2217b70703a4d3a7277

88e7a7e815565b92af81761ae7b9153b7507677df3d3b77e8ce68787ad1826d4

f51d4155534e10c09b531acc41458e8ff3b7879f4ee7d3ee99f16180c4caf0ee

b3a47e0bc0af49b46bc0c1158089bf200856ff462a5334df2b5c11e69c8b1ada

bc846caa05939b085837057bc4b9303357602ece83dc1380191bddd1402d4a2b

 

Appendix B – C&C Infrastructure

Value

Value Type

cbbnews.tk

Domain

haartezenglish.redirectme.net

Domain

wallanews.sytes.net

Domain

kaliob.selfip.org

Domain

deapka.sytes.net

Domain

download.likescandy.com

Domain

orango.redirectme.net

Domain

ynet.sytes.net

Domain

kaswer12.strangled.net

Domain

nazer.zapto.org

Domain

rotter2.sytes.net

Domain

kaswer13.zapto.org

Domain

tango.zapto.org

Domain

kolabdown.sytes.net

Domain

rotter2.publicvm.com

Domain

safar.selfip.com

Domain

bandao.publicvm.com

Domain

safari.linkpc.net

Domain

thenewupdate.chickenkiller.com

Domain

backjadwer.bounceme.net

Domain

ajaxo.zapto.org

Domain

downloadskype.cf

Domain

redirectlnk.redirectme.net

Domain

thenewupdatee.redirectme.net

Domain

chromeupdt.tk

Domain

duntat.zapto.org

Domain

ynet.ignorelist.com

Domain

haartezenglish.strangled.net

Domain

gaonsmom.redirectme.net

Domain

store-legal.biz

Domain

fastbingcom.sytes.net

Domain

downloadlog.linkpc.net

Domain

downloadmyhost.zapto.org

Domain

depka.sytes.net

Domain

wallanews.publicvm.com

Domain

noredirecto.redirectme.net

Domain

safara.sytes.net

Domain

help2014.linkpc.net

Domain

totoman.no-ip.biz

Domain

lilian.redirectme.net

Domain

webfile.myq-see.com

Domain

185.33.168.150

IPv4 Address

185.45.193.4

IPv4 Address

167.114.62.213

IPv4 Address

131.72.136.11

IPv4 Address

131.72.136.171

IPv4 Address

192.253.246.169

IPv4 Address

198.105.122.96

IPv4 Address

131.72.136.124

IPv4 Address

107.168.129.29

IPv4 Address

198.105.122.9

IPv4 Address

 

Appendix C – Signatures

Yara

 

rule DownExecute_A

{

meta:

       author = "PwC Cyber Threat Operations :: @tlansec"

       date = "2015-04"

       reference = "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html"

       description = “Malware is often wrapped/protected, best to run on memory”

      

strings:

       $winver1 = "win 8.1"

       $winver2 = "win Server 2012 R2"

       $winver3 = "win Srv 2012"

       $winver4 = "win srv 2008 R2"

       $winver5 = "win srv 2008"

       $winver6 = "win vsta"

       $winver7 = "win srv 2003 R2"

       $winver8 = "win hm srv"

       $winver9 = "win Strg srv 2003"

       $winver10 = "win srv 2003"

       $winver11 = "win XP prof x64 edt"

       $winver12 = "win XP"

       $winver13 = "win 2000"

      

       $pdb1 = "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb"

       $pdb2 = "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h"

       $pdb3 = ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h"

       $pdb4 = "\\downloadexcute\\downexecute\\"

      

       $magic1 = "<Win Get Version Info Name Error"

       $magic2 = "[email protected]$sw0rd$nd"

       $magic3 = "[email protected]"

       $magic4 = "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM" wide

      

       $str1 = "Download Excute" ascii wide fullword

       $str2 = "EncryptorFunctionPointer %d"

       $str3 = "%s\\%s.lnk"

       $str4 = "Mac:%s-Cpu:%s-HD:%s"

       $str5 = "feed back responce of host"

       $str6 = "GET Token at host"

       $str7 = "dwn md5 err"

      

condition:

       all of ($winver*) or

       any of ($pdb*) or

       any of ($magic*) or

       2 of ($str*)

}

 

Network IDS


alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/gtk)";  flow:established,to_server; urilen:7; content:"/dw/gtk"; http_uri;  depth:7; content:"GET" ; http_method; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999901; rev:2015200401;)

 

alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/setup)";  flow:established,to_server; urilen:>8; content:"/dw/setup"; http_uri;  depth:9; content:"POST" ; http_method; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999902; rev:2015200401;)

 

alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute Headers";  flow:established,to_server; urilen:>7; content:"Accept */*";  http_client_body; content:"Content-Type: multipart/form-data\; boundary=------------------------"; http_header; content: "ci_session="; http_cookie; depth:11; content: "POST"; http_method; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999903; rev:2015200401;)

 


 

[1] https://github.com/kbandla/APTnotes/blob/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf

[2] https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

[3] https://malwr.com/analysis/N2I1YmExMjNkMmM3NGQwMThlNjg5YmI4OGY3Mjc3ZmI

[4] http://curl.haxx.se

[6] ca78b173218ad8be863c7e00fec61f2f

[7] https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

Twitter
LinkedIn
Facebook
Google+

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated and will not appear until the author has approved them.