Archived: APTs And Nation States


APT groups, operations and malware search engine on Google:

FIN7: Cisco’s TALOS group is reporting that FIN7 has a new tactic. In its blog post from Sept. 27, TALOS reports that the gang is leveraging a newly discovered RTF document family in phishing campaigns. Statistics bear out that phishing has escalated to the chief point of compromise in over 60% of attacks. This latest tactic lets the gang “execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms”. In short, an embedded object executes scripts that launch the malware.
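The mechanism described above, an RTF file carrying an embedded OLE object that in turn carries a script, is something a defender can triage without opening the document. The following is an added example, not code from the page or from TALOS: it pulls every `{\object ...}` group out of an RTF file, hex-decodes the `\objdata` payload, and scores the object on three signals (the standard `\objupdate` control word, which activates the object when the document opens; the generic OLE `Package` class, which can wrap any file; and interpreter or script-extension strings inside the object data). The sample document, the Package blob layout and the marker list are constructed for the example and are simplifications of what a production scanner would use.

```python
import binascii
import re

# \object, \objemb, \objupdate, \objclass and \objdata are standard RTF control
# words; everything else in this file is illustrative.
OBJCLASS_RE = re.compile(r'\\objclass\b\s*([^}\\]+)')
OBJDATA_RE = re.compile(r'\\objdata\b\s*([0-9A-Fa-f\s]+)')
OBJUPDATE_RE = re.compile(r'\\objupdate\b')

# Strings whose presence inside embedded object data suggests a script or an
# interpreter is being carried. A real scanner would use a longer, tuned list.
SCRIPT_MARKERS = (b"powershell", b"wscript", b"cscript", b"mshta",
                  b"cmd.exe", b".vbs", b".js", b".ps1", b".hta")


def extract_objects(rtf_text):
    """Return one dict per {\\object ...} group: class name, decoded \\objdata
    bytes, and whether \\objupdate (activate on open) is set."""
    objects = []
    for chunk in rtf_text.split('{\\object')[1:]:
        cls = OBJCLASS_RE.search(chunk)
        data = OBJDATA_RE.search(chunk)
        hexblob = re.sub(r'\s+', '', data.group(1)) if data else ''
        if len(hexblob) % 2:          # tolerate a truncated trailing nibble
            hexblob = hexblob[:-1]
        objects.append({
            "objclass": cls.group(1).strip() if cls else None,
            "auto_update": OBJUPDATE_RE.search(chunk) is not None,
            "data": binascii.unhexlify(hexblob) if hexblob else b"",
        })
    return objects


def assess(rtf_text, threshold=3):
    """Score each embedded object; a score >= threshold is reported as suspicious."""
    findings = []
    for obj in extract_objects(rtf_text):
        score, reasons = 0, []
        if obj["auto_update"]:
            score += 2
            reasons.append("objupdate: object is activated when the document opens")
        if (obj["objclass"] or "").lower() == "package":
            score += 1
            reasons.append("OLE Package class: can wrap an arbitrary file")
        hits = [m.decode() for m in SCRIPT_MARKERS if m in obj["data"].lower()]
        if hits:
            score += 3
            reasons.append("script markers in object data: " + ", ".join(hits))
        findings.append({"objclass": obj["objclass"], "score": score,
                         "suspicious": score >= threshold, "reasons": reasons})
    return findings


# Constructed sample document (not a real sample): one Package object carrying a
# script-launcher filename and set to auto-update, plus a benign Excel object.
# The Package blob is a simplified stand-in for the OLE1 native-data layout.
PACKAGE_HEX = binascii.hexlify(
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00"
    b"wscript.exe script-launcher.vbs\x00").decode()
EXCEL_HEX = "d0cf11e0a1b11ae1" + "00" * 24   # CFB magic plus padding

SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard\f0\fs22 Quarterly statement attached.\par "
    r"{\object\objemb\objupdate{\*\objclass Package}{\*\objdata " + PACKAGE_HEX + r"}}\par "
    r"{\object\objemb{\*\objclass Excel.Sheet.8}{\*\objdata " + EXCEL_HEX + r"}}\par}"
)

if __name__ == "__main__":
    for f in assess(SAMPLE_RTF):
        print(f["objclass"], f["score"], "SUSPICIOUS" if f["suspicious"] else "ok", f["reasons"])
```

Splitting on `{\object` rather than parsing the full RTF group tree is deliberate: it keeps the scanner short and robust against the deliberately malformed RTF these campaigns use, at the cost of missing objects that are themselves obfuscated with control-word tricks, which is why the score is a triage aid and not a verdict.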



FIN7 Spear Phishing, Carbanak and the SEC (March 7, 2017): FireEye identified a spear phishing campaign in late February that targeted people who were filing with the US SEC. They were able to identify the group as FIN7, who are financially motivated and use spear phishing to spread malware. Often they target retail and hospitality through POS malware. The attack involves a malicious document that drops a VBS script. This installs a PowerShell backdoor from a new malware family dubbed POWERSOURCE by FireEye. It is heavily obfuscated and is a modified version of the existing tool DNS_TXT_Pwnage. It uses DNS TXT records for command and control, which makes detecting and hunting for C&C harder, a rising trend. FireEye has not yet determined FIN7’s objective in this campaign, but the group has previously used Carbanak in its engagements.
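TXT-record command and control is harder to hunt than HTTP beaconing because the traffic rides on a protocol every host is allowed to use, but it still leaves two signals in resolver logs: unusually long base64-like TXT answers, and one client asking for many distinct names under the same parent domain (data smuggled out in the labels). The following is an added example, not code from the page or from FireEye, that applies both heuristics to constructed resolver log lines. The log layout (`timestamp client query_name qtype answer`), the thresholds and the sample data are assumptions for the example; adapt the parser to your resolver’s format.

```python
import math
import re
from collections import defaultdict

# Assumed resolver log layout (constructed for this example):
#   <timestamp> <client_ip> <query_name> <qtype> <answer>
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "answer": answer.strip()}


def suspicious_txt_answer(answer, min_len=64, min_entropy=4.0):
    """True when a TXT answer is one long, base64-like, high-entropy token.
    SPF/DKIM/DMARC answers contain spaces, ';' or mid-string '=', so the
    whole-answer charset test already excludes them before entropy is checked."""
    if len(answer) < min_len or not B64_RE.match(answer):
        return False
    return shannon_entropy(answer) >= min_entropy


def parent_domain(qname, levels=2):
    return ".".join(qname.split(".")[-levels:])


def analyze(log_text, min_len=64, min_entropy=4.0, min_unique_names=3):
    """Return alerts for (a) encoded TXT answers and (b) one client querying many
    distinct TXT names under the same parent domain."""
    alerts = []
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        if suspicious_txt_answer(rec["answer"], min_len, min_entropy):
            alerts.append({"kind": "encoded_txt_answer", "client": rec["client"],
                           "qname": rec["qname"],
                           "entropy": round(shannon_entropy(rec["answer"]), 2)})
        seen[(rec["client"], parent_domain(rec["qname"]))].add(rec["qname"])
    for (client, parent), names in seen.items():
        if len(names) >= min_unique_names:
            alerts.append({"kind": "txt_subdomain_churn", "client": client,
                           "qname": parent, "count": len(names)})
    return alerts


# Constructed log lines. The long base64 string decodes to a harmless sentence.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z 10.1.2.3 www.example.com A 93.184.216.34
2017-03-01T10:00:02Z 10.1.2.3 example.com TXT v=spf1 include:_spf.example.com -all
2017-03-01T10:00:03Z 10.1.2.3 sel1._domainkey.example.com TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC
2017-03-01T10:00:05Z 10.1.2.7 a1b2c3.cdn-update.test TXT ok
2017-03-01T10:00:35Z 10.1.2.7 d4e5f6.cdn-update.test TXT Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQ6IG5vdCByZWFsIG1hbHdhcmUsIGp1c3QgYW4gZW5jb2RlZCBzdHJpbmcgZm9yIHRoZSBkZW1vLg==
2017-03-01T10:01:05Z 10.1.2.7 g7h8i9.cdn-update.test TXT ok
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Both heuristics are noisy on their own (a CDN or an anti-spam service will legitimately produce many TXT lookups), so in practice the two alerts are joined on client and parent domain, and the parent domain is checked against an allowlist of well-known TXT-heavy zones before a ticket is raised.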


Dec 30 Carbanak Pivots to the Hospitality Sector
Carbanak has taken its hold on banking and ATMs. Now it’s found a new playground. The hospitality sector is ripe for the picking: weak defences, unprepared, and largely unsecured. And a whole lot of money to be made. Which is where Carbanak excels.

Dec 13 BlackEnergy becomes Telebots
All eyes should be on Ukraine for more reasons than one. ESET believes that BlackEnergy, the group responsible for attacks against the energy sector in Ukraine, has morphed into TeleBots, and is responsible for a series of attacks against “high value targets” in the financial sector in Ukraine. According to Tripwire, “TeleBots is also an evolution of Sandworm, a Russian espionage gang which exploited CVE-2014-4114 to attack NATO and other Western organizations in 2014 and used KillDisk against several Ukrainian power companies in December 2015.” And it gets better. Guess what they’re using? KillDisk wiper malware. Because wiper malware means never having to say you’re sorry. But wait – there’s more. It appears TeleBots has helped KillDisk evolve from wiper malware into ransomware. We are looking at high-level extortion attacks against industry and systems that cannot easily be secured or defended.

Dec 2 Shamoon Wiper malware returns in Saudi attacks: This marks a disturbing trend in the recent and damaging cyber attacks in Saudi Arabia. Palo Alto Networks and Symantec spotted the attack using Shamoon, also known as Disttrack, on a Saudi company. In the 2012 attacks against Saudi Aramco, Shamoon laid waste to data on the hard drives of over 30k computers and overwrote the master boot record. The threat is back with no clear motive, but given key similarities it is believed to be the original group from 2012. “According to Symantec, this is a carefully planned operation. The malware was configured with passwords that appear to have been stolen from the targeted organizations. Attackers used these credentials to rapidly spread the threat across the targeted organization’s network.”

Destructive attacks against Saudi Arabia: It appears state-sponsored hackers have gone after Saudi Arabia in a series of destructive attacks. What is of note is that these have erased data and affected critical infrastructure in the computers running the country’s airports. Apparently several government agencies were targeted. Digital evidence indicated Iran was involved, but no statements have been made. The attack on Saudi Aramco in 2012 is another example of the rare case in which cyber weapons are deployed. This case differs in that the weapon was detonated inside the networks of several targets at once. Thousands of computers were destroyed at the HQ of the General Authority of Civil Aviation for Saudi Arabia, erasing critical data and stopping operations for several days. However, no outward signs were visible to the outside world and travel was not disrupted. Given the recent election of Trump and the volatility of the region, especially regarding Iran and the nuclear deal, similar attacks can be expected.

Let the Phishing Games Begin! Hours after Trump’s election, Russian hackers began their phishing pursuits anew against the US. In a blog post by Steven Adair, security researcher with Volexity, there are reports of five different attacks on US-based think tanks and non-governmental organizations (NGOs) by APT29 (CozyBear, aka The Dukes), using compromised email accounts claiming to come from Harvard’s Faculty of Arts and Science. The Dukes malware employs steganography to hide its backdoor, and its anti-VM checks and PowerShell scripts enable it to detect bots and sandboxes and evade analysis. They are looking to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future.