This white paper analyzes the advanced persistent threat (APT) group known as APT28 or Sofacy. It details their targeting of victims in Ukraine, Spain, Russia, Romania, US and Canada for intelligence gathering. The paper describes the attribution of APT28 to Russian-speaking actors based on compilation times and filenames. It then outlines the scanning process used to find new targets, the multi-stage attack flow to compromise systems, and examples of victims identified from stolen emails including political and aerospace industry targets.
This document provides a summary of how search engines work. It discusses how search engines use crawlers or spiders to index webpages, and how they store indexed pages in databases. When a user searches, the search engine checks its database to find relevant pages matching the search terms. The document also describes how search engines determine relevance using algorithms like TF-IDF, and categorizes different types of search engines such as crawler-based, directories, hybrid, and meta search engines.
Logger Brute Force Attack Detection Security Use Case User's Guideprotect724rkeer
This document provides information about using HPE ArcSight Logger to detect brute force attacks through dashboards and reports. It describes the installation process and includes an overview of the key parameters tracked, including login counts, sources, destinations, and user accounts. Dashboards display failed login data for the past 6 hours, while reports allow tracking trends over any time period. The document provides details on the default dashboards and included reports to help identify potential brute force attacks.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
The document provides an agenda for a talk on advanced persistent threats (APTs). It introduces APTs and discusses how they have evolved over time from targeting military and intelligence to also targeting private companies. It notes APTs can be opportunistic attacks that utilize social engineering and technical vulnerabilities. The document contrasts APTs with more sophisticated threats known as subversive multi-vector threats that are willing to exploit people, processes, and technologies to achieve their goals. It provides examples of analyzing suspicious foreign network traffic and discusses challenges with identifying and addressing multi-vector threats.
Stuxnet was a cyber attack from 2004-2007 by the US and Israel that used cyber sabotage to physically destroy Iranian nuclear centrifuges at the Natanz facility. Duqu from 2007-2011 was US and Israeli cyber espionage malware targeting industrial control systems. Flame from 2009-2012 was US and Israeli cyber reconnaissance malware that exfiltrated data from computers in Iran, Lebanon, Syria, Sudan and Israel.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
This document discusses advanced persistent threats (APTs). APTs are sophisticated cyber attacks that are carried out over an extended period to steal information. They use various techniques to evade detection, like polymorphic shellcode and packet splitting. APTs typically start with reconnaissance, then spear phishing to gain initial access. Attackers establish backdoors, install utilities like keyloggers, and move laterally within the network to exfiltrate data. Nation-states are often behind APTs to gain intelligence or competitive advantages. Organizations should monitor for unusual logins or anomalies to detect signs of an APT attack.
This document categorizes different types of cyber threats by their motive, targets, and capabilities. It identifies nation states during peacetime and wartime, cyber terrorists and insurgents, cyber criminals operating in grey and black markets, criminal organizations, and rogue organizations as the main cyber threat actors. Each threat is described in terms of its typical motives like economic, military, or political goals, preferred targets, and methodology or technical capabilities used to conduct cyber attacks.
With the help of GCHQ and Cert-UK, we've produced this presentation on reducing the impact of normal cyber attacks. It's not meant to be an exhaustive guide on cyber security threats. The presentation isn't tailored to individual needs, and it is not a replacement for specialist cyber security advice.
This document provides a summary of how search engines work. It discusses how search engines use crawlers or spiders to index webpages, and how they store indexed pages in databases. When a user searches, the search engine checks its database to find relevant pages matching the search terms. The document also describes how search engines determine relevance using algorithms like TF-IDF, and categorizes different types of search engines such as crawler-based, directories, hybrid, and meta search engines.
Logger Brute Force Attack Detection Security Use Case User's Guideprotect724rkeer
This document provides information about using HPE ArcSight Logger to detect brute force attacks through dashboards and reports. It describes the installation process and includes an overview of the key parameters tracked, including login counts, sources, destinations, and user accounts. Dashboards display failed login data for the past 6 hours, while reports allow tracking trends over any time period. The document provides details on the default dashboards and included reports to help identify potential brute force attacks.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
The document provides an agenda for a talk on advanced persistent threats (APTs). It introduces APTs and discusses how they have evolved over time from targeting military and intelligence to also targeting private companies. It notes APTs can be opportunistic attacks that utilize social engineering and technical vulnerabilities. The document contrasts APTs with more sophisticated threats known as subversive multi-vector threats that are willing to exploit people, processes, and technologies to achieve their goals. It provides examples of analyzing suspicious foreign network traffic and discusses challenges with identifying and addressing multi-vector threats.
Stuxnet was a cyber attack from 2004-2007 by the US and Israel that used cyber sabotage to physically destroy Iranian nuclear centrifuges at the Natanz facility. Duqu from 2007-2011 was US and Israeli cyber espionage malware targeting industrial control systems. Flame from 2009-2012 was US and Israeli cyber reconnaissance malware that exfiltrated data from computers in Iran, Lebanon, Syria, Sudan and Israel.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
This document discusses advanced persistent threats (APTs). APTs are sophisticated cyber attacks that are carried out over an extended period to steal information. They use various techniques to evade detection, like polymorphic shellcode and packet splitting. APTs typically start with reconnaissance, then spear phishing to gain initial access. Attackers establish backdoors, install utilities like keyloggers, and move laterally within the network to exfiltrate data. Nation-states are often behind APTs to gain intelligence or competitive advantages. Organizations should monitor for unusual logins or anomalies to detect signs of an APT attack.
This document categorizes different types of cyber threats by their motive, targets, and capabilities. It identifies nation states during peacetime and wartime, cyber terrorists and insurgents, cyber criminals operating in grey and black markets, criminal organizations, and rogue organizations as the main cyber threat actors. Each threat is described in terms of its typical motives like economic, military, or political goals, preferred targets, and methodology or technical capabilities used to conduct cyber attacks.
With the help of GCHQ and Cert-UK, we've produced this presentation on reducing the impact of normal cyber attacks. It's not meant to be an exhaustive guide on cyber security threats. The presentation isn't tailored to individual needs, and it is not a replacement for specialist cyber security advice.
Security assessment for financial institutionsZsolt Nemeth
Group-IB is a cybersecurity company founded in 2003 in Russia that provides services such as security analysis, penetration testing, computer forensics, incident response, and malware intelligence. It has expanded internationally and now has over 60 employees. The company operates the first 24/7 cybersecurity response team in Eastern Europe called CERT-GIB. Group-IB works with many financial institutions and has expertise in vulnerabilities specific to the banking/e-commerce sector.
This document presents a simulation modeling approach to represent computer networks and intrusion detection systems to efficiently simulate cyber attack scenarios. The simulation model allows a user to construct a representative computer network, setup cyber attacks on target machines, and evaluate information fusion methods. In conclusions, the Cyber Attack Simulator is capable of generating intrusion detection system alert files and ground truths based on the specified network configuration and attacks.
As the number and severity of cyber-crimes continues to grow, it’s important to understand the steps cyber-criminals take to attack your network, the types of malware they use, and the tools you need to stop them. The basic steps of a cyber attack include reconnaissance (finding vulnerabilities); intrusion (actual penetration of the network); malware insertion (secretly leaving code behind);
and clean-up (covering tracks).
Malware comes in various forms, some more nefarious than others, ranging from annoying sales pitches to potentially business-devastating assaults. Dell SonicWALL offers comprehensive solutions to counter every stage of cyber attacks and eliminate every type of malware from disrupting your business network.
Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Advanced Persistent Threat Life Cycle Management
This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows.
#ALSummit: Live Cyber Hack DemonstrationAlert Logic
James Brown (VP Technology Solutions Group, Alert Logic), Stephen Coty (Chief Security Evangelist, Alert Logic), and Paul Fletcher (Security Evangelist, Alert Logic)'s live hack demonstration at the NYC Alert Logic Cloud Security Summit on June 14, 2016.
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
This short 45 minutes presentation is aimed at ICS/SCADA and general IT engineers who want to understand basic concepts related to the much discussed threat that is APT.
The audience is first introduced to the concepts, who employs APTs before going into how they manifest before finally closing out with mitigation and defense strategies.
Models of Escalation and De-escalation in Cyber ConflictZsolt Nemeth
The cyber insecurity conundrum cuts across all things digital or networked. How can we prioritize defensive efforts across such a vast domain? This talk will describe a framework for engineering systems and policymaking based on the work factors for cyber attack and defense. After developing the work factor concept, it will be illustrated in several examples
The Rise of Engineering-Driven Analytics by Loren ShureBig Data Spain
1) Engineering-driven analytics is becoming more pervasive as data sources, computing power, and machine learning techniques expand.
2) MATLAB provides tools for engineering-driven analytics including support for engineering data types, machine learning algorithms, and model deployment in embedded systems.
3) Examples demonstrate how MATLAB has been used for applications in building energy optimization, automotive emergency braking, manufacturing quality control, and medical diagnostics.
This document provides an overview of techniques for identifying Advanced Persistent Threats (APTs). It discusses 5 styles of techniques: network traffic analysis, network forensics, payload analysis, endpoint behavior analysis, and endpoint forensics. For each style, it provides examples of specific techniques. It emphasizes that effective APT protection requires combining techniques from different styles and approaches. The information is intended to be informative but does not constitute an explicit recommendation of any product or approach.
This document summarizes different types of cyber attacks. It describes web-based attacks like SQL injection, cross-site scripting, and denial of service attacks. It also outlines system-based attacks such as viruses, worms, and trojan horses. Additionally, it covers methods that can assist attacks, including spoofing, sniffing, and port scanning. The goal of the document is to provide an overview of common cyber attacks and threats that exist in the cyber world.
As we get to know what life in the digital domain is like, one of the revelations we've had is that many large and plenty of smaller organisations are targets of espionage, of the nefarious APT.
During the last decade, it has become gospel to wait, watch, analyse and learn if you detect such an attacker in your infrastructure. Why? Because you get one chance to do the eviction of the attacker right. And if you fail, all your efforts will eventually have been for nothing.
But for how long should you wait and watch? When have you watched long enough? When have you learned enough? And how do you make that decision?
That is the challenge I hope the Cyber Threat Intelligence Matrix can help you face in a more structured manner.
Looking to understand how hackers and other attackers use cyber technology to attack your network and your executives? This slide set provides an overview and details the anatomy of a cyber attack, and the strategies you can use to manage and mitigate risk.
APT 28 :Cyber Espionage and the Russian Government?anupriti
Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide.This presentation based on a report made public by FireEye brings an over view of their opinion.....uploaded here just for general info to understand how its all happening!!!!
APT28 A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS.docxfestockton
APT28:
A WINDOW INTO RUSSIA’S CYBER
ESPIONAGE OPERATIONS?
SPECIAL REPORT
SECURITY
REIMAGINED
2 fireeye.com
APT 28: A Window into Russia’s Cyber Espionage Operations?
EXECUTIVE SUMMARY ................................................................................................................................................................................................................................................................................... 3
APT28 TARGETING REFLECTS RUSSIAN INTERESTS ........................................................................................................................................................................ 6
APT28 interest in the Caucasus, Particularly Georgia ........................................................................................................................................................... 7
APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA) ....................................................................................... 8
APT28 Targeting of the Georgian Ministry of Defense ....................................................................................................................................... 9
APT28 Targeting a Journalist Covering the Caucasus ...................................................................................................................................... 10
APT28’s Other Targets in the Caucasus ....................................................................................................................................................................................... 11
APT28 Targeting of Eastern European Governments and Militaries ................................................................................................... 12
APT28 Targeting of NATO and Other European Security Organizations .................................................................................... 14
APT28 Targets European Defense Exhibitions ............................................................................................................................................................... 16
Other APT28 Targets Are Consistent With Nation State Interests ........................................................................................................ 17
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS ........................................................................................................................ 19
Modular Implants Indicate a Formal Development Environment............................................................................................................... 24
APT28 Malware Indicates Russian Speakers in a Russian Time Zone ................................................................................................ 25
Compile Times Align with Working Hours in Moscow and St. Petersburg ......................... ...
APT28 A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS.docxjewisonantone
APT28:
A WINDOW INTO RUSSIA’S CYBER
ESPIONAGE OPERATIONS?
SPECIAL REPORT
SECURITY
REIMAGINED
2 fireeye.com
APT 28: A Window into Russia’s Cyber Espionage Operations?
EXECUTIVE SUMMARY ................................................................................................................................................................................................................................................................................... 3
APT28 TARGETING REFLECTS RUSSIAN INTERESTS ........................................................................................................................................................................ 6
APT28 interest in the Caucasus, Particularly Georgia ........................................................................................................................................................... 7
APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA) ....................................................................................... 8
APT28 Targeting of the Georgian Ministry of Defense ....................................................................................................................................... 9
APT28 Targeting a Journalist Covering the Caucasus ...................................................................................................................................... 10
APT28’s Other Targets in the Caucasus ....................................................................................................................................................................................... 11
APT28 Targeting of Eastern European Governments and Militaries ................................................................................................... 12
APT28 Targeting of NATO and Other European Security Organizations .................................................................................... 14
APT28 Targets European Defense Exhibitions ............................................................................................................................................................... 16
Other APT28 Targets Are Consistent With Nation State Interests ........................................................................................................ 17
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS ........................................................................................................................ 19
Modular Implants Indicate a Formal Development Environment............................................................................................................... 24
APT28 Malware Indicates Russian Speakers in a Russian Time Zone ................................................................................................ 25
Compile Times Align with Working Hours in Moscow and St. Petersburg ..........................
Network security is main concern now-a-days and
Snort is one of the advanced techniques that is used to tackle
rising security threats over the internet. Snort is kind of Network
Intrusion Detection System that allows user to write their own
rules to detect different attacks over the network on the basis of
their signatures and further gives freedom to users to handle
these attacks in different ways. MIT-DARPA 1999 dataset (which
consists of both normal and abnormal traffic) is used for
evaluation of Snort in this paper. This evaluation is done with the
help of the proposed detection rules. In this paper we have
detected all kinds of attacks i.e. DOS, U2R, R2L, Probe and data
attacks. These proposed rules results are further compared to the
Detection Scoring Truth of DARPA 1999 dataset.
APT29 is a Russian state-sponsored hacking group known as Cozy Bear that has been operating since at least 2008. It is highly sophisticated with extensive operational security and regularly improves its tactics. APT29 targets governments, militaries, think tanks, and other private companies worldwide to conduct cyber espionage in support of Russian government objectives. While no public reports have directly attributed zero-day exploits to APT29, security researchers have warned they actively scan for vulnerabilities as part of their operations.
Siber güvenlik şirketi Kaspersky'nin yayınladığı rapora göre; Carbanak adındaki kötü amaçlı bir yazılımı kullanan hackerlar, 30 farklı ülkedeki 100 bankanın bilgisayarlarına ulaşarak müşteri hesaplarından en az 300 milyon dolar çaldılar. http://www.indir.com/
Security assessment for financial institutionsZsolt Nemeth
Group-IB is a cybersecurity company founded in 2003 in Russia that provides services such as security analysis, penetration testing, computer forensics, incident response, and malware intelligence. It has expanded internationally and now has over 60 employees. The company operates the first 24/7 cybersecurity response team in Eastern Europe called CERT-GIB. Group-IB works with many financial institutions and has expertise in vulnerabilities specific to the banking/e-commerce sector.
This document presents a simulation modeling approach to represent computer networks and intrusion detection systems to efficiently simulate cyber attack scenarios. The simulation model allows a user to construct a representative computer network, setup cyber attacks on target machines, and evaluate information fusion methods. In conclusions, the Cyber Attack Simulator is capable of generating intrusion detection system alert files and ground truths based on the specified network configuration and attacks.
As the number and severity of cyber-crimes continues to grow, it’s important to understand the steps cyber-criminals take to attack your network, the types of malware they use, and the tools you need to stop them. The basic steps of a cyber attack include reconnaissance (finding vulnerabilities); intrusion (actual penetration of the network); malware insertion (secretly leaving code behind);
and clean-up (covering tracks).
Malware comes in various forms, some more nefarious than others, ranging from annoying sales pitches to potentially business-devastating assaults. Dell SonicWALL offers comprehensive solutions to counter every stage of cyber attacks and eliminate every type of malware from disrupting your business network.
Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Advanced Persistent Threat Life Cycle Management
This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows.
#ALSummit: Live Cyber Hack DemonstrationAlert Logic
James Brown (VP Technology Solutions Group, Alert Logic), Stephen Coty (Chief Security Evangelist, Alert Logic), and Paul Fletcher (Security Evangelist, Alert Logic)'s live hack demonstration at the NYC Alert Logic Cloud Security Summit on June 14, 2016.
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
This short 45 minutes presentation is aimed at ICS/SCADA and general IT engineers who want to understand basic concepts related to the much discussed threat that is APT.
The audience is first introduced to the concepts, who employs APTs before going into how they manifest before finally closing out with mitigation and defense strategies.
Models of Escalation and De-escalation in Cyber ConflictZsolt Nemeth
The cyber insecurity conundrum cuts across all things digital or networked. How can we prioritize defensive efforts across such a vast domain? This talk will describe a framework for engineering systems and policymaking based on the work factors for cyber attack and defense. After developing the work factor concept, it will be illustrated in several examples
The Rise of Engineering-Driven Analytics by Loren ShureBig Data Spain
1) Engineering-driven analytics is becoming more pervasive as data sources, computing power, and machine learning techniques expand.
2) MATLAB provides tools for engineering-driven analytics including support for engineering data types, machine learning algorithms, and model deployment in embedded systems.
3) Examples demonstrate how MATLAB has been used for applications in building energy optimization, automotive emergency braking, manufacturing quality control, and medical diagnostics.
This document provides an overview of techniques for identifying Advanced Persistent Threats (APTs). It discusses 5 styles of techniques: network traffic analysis, network forensics, payload analysis, endpoint behavior analysis, and endpoint forensics. For each style, it provides examples of specific techniques. It emphasizes that effective APT protection requires combining techniques from different styles and approaches. The information is intended to be informative but does not constitute an explicit recommendation of any product or approach.
This document summarizes different types of cyber attacks. It describes web-based attacks like SQL injection, cross-site scripting, and denial of service attacks. It also outlines system-based attacks such as viruses, worms, and trojan horses. Additionally, it covers methods that can assist attacks, including spoofing, sniffing, and port scanning. The goal of the document is to provide an overview of common cyber attacks and threats that exist in the cyber world.
As we get to know what life in the digital domain is like, one of the revelations we've had is that many large and plenty of smaller organisations are targets of espionage, of the nefarious APT.
During the last decade, it has become gospel to wait, watch, analyse and learn if you detect such an attacker in your infrastructure. Why? Because you get one chance to do the eviction of the attacker right. And if you fail, all your efforts will eventually have been for nothing.
But for how long should you wait and watch? When have you watched long enough? When have you learned enough? And how do you make that decision?
That is the challenge I hope the Cyber Threat Intelligence Matrix can help you face in a more structured manner.
Looking to understand how hackers and other attackers use cyber technology to attack your network and your executives? This slide set provides an overview and details the anatomy of a cyber attack, and the strategies you can use to manage and mitigate risk.
APT 28 :Cyber Espionage and the Russian Government?anupriti
Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide.This presentation based on a report made public by FireEye brings an over view of their opinion.....uploaded here just for general info to understand how its all happening!!!!
APT28 A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS.docxfestockton
APT28:
A WINDOW INTO RUSSIA’S CYBER
ESPIONAGE OPERATIONS?
SPECIAL REPORT
SECURITY
REIMAGINED
2 fireeye.com
APT 28: A Window into Russia’s Cyber Espionage Operations?
EXECUTIVE SUMMARY ................................................................................................................................................................................................................................................................................... 3
APT28 TARGETING REFLECTS RUSSIAN INTERESTS ........................................................................................................................................................................ 6
APT28 interest in the Caucasus, Particularly Georgia ........................................................................................................................................................... 7
APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA) ....................................................................................... 8
APT28 Targeting of the Georgian Ministry of Defense ....................................................................................................................................... 9
APT28 Targeting a Journalist Covering the Caucasus ...................................................................................................................................... 10
APT28’s Other Targets in the Caucasus ....................................................................................................................................................................................... 11
APT28 Targeting of Eastern European Governments and Militaries ................................................................................................... 12
APT28 Targeting of NATO and Other European Security Organizations .................................................................................... 14
APT28 Targets European Defense Exhibitions ............................................................................................................................................................... 16
Other APT28 Targets Are Consistent With Nation State Interests ........................................................................................................ 17
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS ........................................................................................................................ 19
Modular Implants Indicate a Formal Development Environment............................................................................................................... 24
APT28 Malware Indicates Russian Speakers in a Russian Time Zone ................................................................................................ 25
Compile Times Align with Working Hours in Moscow and St. Petersburg ......................... ...
APT28 A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS.docxjewisonantone
APT28:
A WINDOW INTO RUSSIA’S CYBER
ESPIONAGE OPERATIONS?
SPECIAL REPORT
SECURITY
REIMAGINED
2 fireeye.com
APT 28: A Window into Russia’s Cyber Espionage Operations?
EXECUTIVE SUMMARY ................................................................................................................................................................................................................................................................................... 3
APT28 TARGETING REFLECTS RUSSIAN INTERESTS ........................................................................................................................................................................ 6
APT28 interest in the Caucasus, Particularly Georgia ........................................................................................................................................................... 7
APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA) ....................................................................................... 8
APT28 Targeting of the Georgian Ministry of Defense ....................................................................................................................................... 9
APT28 Targeting a Journalist Covering the Caucasus ...................................................................................................................................... 10
APT28’s Other Targets in the Caucasus ....................................................................................................................................................................................... 11
APT28 Targeting of Eastern European Governments and Militaries ................................................................................................... 12
APT28 Targeting of NATO and Other European Security Organizations .................................................................................... 14
APT28 Targets European Defense Exhibitions ............................................................................................................................................................... 16
Other APT28 Targets Are Consistent With Nation State Interests ........................................................................................................ 17
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS ........................................................................................................................ 19
Modular Implants Indicate a Formal Development Environment............................................................................................................... 24
APT28 Malware Indicates Russian Speakers in a Russian Time Zone ................................................................................................ 25
Compile Times Align with Working Hours in Moscow and St. Petersburg ..........................
Network security is main concern now-a-days and
Snort is one of the advanced techniques that is used to tackle
rising security threats over the internet. Snort is kind of Network
Intrusion Detection System that allows user to write their own
rules to detect different attacks over the network on the basis of
their signatures and further gives freedom to users to handle
these attacks in different ways. MIT-DARPA 1999 dataset (which
consists of both normal and abnormal traffic) is used for
evaluation of Snort in this paper. This evaluation is done with the
help of the proposed detection rules. In this paper we have
detected all kinds of attacks i.e. DOS, U2R, R2L, Probe and data
attacks. These proposed rules results are further compared to the
Detection Scoring Truth of DARPA 1999 dataset.
APT29 is a Russian state-sponsored hacking group known as Cozy Bear that has been operating since at least 2008. It is highly sophisticated with extensive operational security and regularly improves its tactics. APT29 targets governments, militaries, think tanks, and other private companies worldwide to conduct cyber espionage in support of Russian government objectives. While no public reports have directly attributed zero-day exploits to APT29, security researchers have warned they actively scan for vulnerabilities as part of their operations.
Siber güvenlik şirketi Kaspersky'nin yayınladığı rapora göre; Carbanak adındaki kötü amaçlı bir yazılımı kullanan hackerlar, 30 farklı ülkedeki 100 bankanın bilgisayarlarına ulaşarak müşteri hesaplarından en az 300 milyon dolar çaldılar. http://www.indir.com/
Carbanak is a banking malware that infects systems through spear phishing emails containing malicious attachments or drive-by downloads. Once installed, it establishes a connection to command and control servers and steals credentials, screenshots, and video from infected machines. The attackers use this information to manually move within networks and compromise critical banking systems, allowing them to conduct fraudulent financial transactions and transfer stolen funds internationally. Over 100 banks across Russia, the US, Germany, China, and Ukraine have been impacted, resulting in estimated losses of over $1 billion. The attackers appear to still be actively targeting new victims globally.
Carbanak is a banking malware that infects systems through spear phishing emails containing malicious attachments or drive-by downloads. Once installed, it establishes a connection to command and control servers and steals credentials, screenshots, and video from infected machines. The attackers use this information to manually move within networks and compromise critical banking systems, allowing them to conduct fraudulent financial transactions and transfer stolen funds internationally. Over 100 banks across Russia, the US, Germany, China, and Ukraine have been impacted, resulting in estimated losses of over $1 billion. The attackers appear to still be actively targeting new victims globally.
Big Data Security Analytic Solution using SplunkIJERA Editor
Over the past decade, usage of online applications is experiencing remarkable growth. One of the main reasons for the success of web application is its “Ease of Access” and availability on internet. The simplicity of the HTTP protocol makes it easy to steal and spoof identity. The business liability associated with protecting online information has increased significantly and this is an issue that must be addressed. According to SANSTop20, 2013 list the number one targeted server side vulnerability are Web Applications. So, this has made detecting and preventing attacks on web applications a top priority for IT companies. In this paper, a rational solution is brought to detect events on web application and provides Security intelligence, log management and extensible reporting by analyzing web server logs.
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
Malware is an application that is harmful to your forensic information. Basically, malware analyses is the process of analysing the behaviours of malicious code and then create signatures to detect and defend against it.Malware, such as Trojan horse, Worms and Spyware severely threatens the forensic security. This research observed that although malware and its variants may vary a lot from content signatures, they share some behaviour features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the various techniques of malware behaviour extraction and analysis. In addition, we discuss the implications of malware analysis tools for malware detection based on various techniques.
Comparative Analysis of Digital Forensic Extraction Toolsijtsrd
Computer forensics Process collecting and examining information present in digital format in civil, criminal, or administrative proceedings for use as evidence. It is also a from data recovery, which involves the recovery of data from a system that has been erased by error or lost during a server crash. Tools are designed to extract evidence from the computer and it is the role of the investigator to check whether the crime or policy violation has been committed by the suspect. Investigators use various kinds of tools based on the area or the kind of information which is lost such as digital data, network compromise, cyber breach, web data, email and many more. Varun H M | Dr. Uma Rani Chellapandy | Srividya B G "Comparative Analysis of Digital Forensic Extraction Tools" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37980.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37980/comparative-analysis-of-digital-forensic-extraction-tools/varun-h-m
1) Reveelium is a threat detection software that monitors log and time series data from various sources to detect anomalies and suspicious behaviors.
2) It analyzes this data using machine learning algorithms and provides visualizations of detected threats, including threat objects that correlate individual alerts into behavioral scenarios.
3) Reveelium's interface displays threats in various views including by entity, by threat type, and overlaid on a network topology to help users investigate suspicious activity.
A STATIC MALWARE DETECTION SYSTEM USING DATA MINING METHODSijaia
This document presents a static malware detection system using data mining techniques. The system extracts raw features from Windows Portable Executable (PE) files including PE header information, DLLs, and API functions. It then selects important features using Information Gain and reduces dimensions using Principal Component Analysis. Three classifiers (SVM, J48, Naive Bayes) are trained on the transformed feature vectors to classify files as malicious or benign. When evaluated on a dataset of over 247,000 files, the system achieved a detection rate of 99.6%.
Internet Relay Chat, or IRC, is a protocol that allows users that connect to Internet Relay Chat Servers to have conversation with others in real time. Users connect to IRC Servers using an IRC Client. Commercial chat client’s like yahoo! and google chat are quite popular in wide use. To other chat clients were worth exploring. These tools are arguably better suited for criminal activity. IRC is one such tool. There are basically two options available to investigators involved in an IRC occurrence. They can look at log files on servers or clients or they can monitor transmission directly. In this paper we have been using X Chat application for the IRC Forensic Investigation. We capture the IRC Client’s packets and analyze that packets.
Automatic crime report classification through a weightless neural networkZhongLI28
For the PDF part, copyright belongs to the original author. If there is any infringement, please contact us immediately, we will deal with it promptly.
Abstract: The exponential growth of the internet and new technology lead today's world in a hectic situation both positive as well as the negative module. Cybercriminals gamble in the dark net using numerous techniques. This leads to cybercrime. Cyber threats like Malware attempt to infiltrate the computer or mobile device offline or internet, chat(online), and anyone can be a potential target. Malware is also known as malicious software is often used by cybercriminals to achieve their goal by tracking internet activity, capturing sensitive information, or blocking computer access. Reverse engineering is one of the best ways to prevent and is a powerful tool to keep the fight against cyber attacks. Most people in the cyber world see it as a black hat—It is said as being used to steal data and intellectual property. But when it is in the hands of cybersecurity experts, reverse engineering dons the white hat of the hero. Looking at the program from the outside in –often by a third party that had no hand in writing the code. It allows those who practice it to understand how a given program or system works when no source code is available. Reverse engineering accomplishing several tasks related to cybersecurity: finding system vulnerabilities, researching malware &analyzing the complexity of restoring core software algorithms that can further protect against theft. It is hard to hack certain software.
Keywords: Malware, threat, vulnerablity, detection, reverse engineering, analysis.
Title: Malware analysis and detection using reverse Engineering
Author: B.Rashmitha, J. Alwina Beauty Angelin, E.R. Ramesh
International Journal of Computer Science and Information Technology Research
ISSN 2348-1196 (print), ISSN 2348-120X (online)
Vol. 10, Issue 2, Month: April 2022 - June 2022
Page: (1-4)
Published Date: 01-April-2022
Research Publish Journals
Available at: www.researchpublish.com
You can Direct download full research paper at given below link:
https://www.researchpublish.com/papers/malware-analysis-and-detection-using-reverse-engineering
Academia Link: https://www.academia.edu/76069664/Malware_analysis_and_detection_using_reverse_Engineering_Available_at_www_researchpublish_com_journal_name_International_Journal_of_Computer_Science_and_Information_Technology_Research
Additional Data Session Statistical Data Distinguish between full.docxwrite4
Full content data provides the most detailed information including the ability to analyze specific protocols and IP addresses. Session data includes source and destination IP/port numbers and timestamps to summarize exchanges between systems. Statistical data allows you to review and summarize collections of data to identify intrusions and validate a network baseline. The document discusses the differences between full content, session, and statistical data in network security monitoring and provides examples of tools that can be used to collect each type.
Identifying Malicious Data in Social MediaIRJET Journal
This document discusses two approaches for identifying malicious data in social media: Shannon entropy and power law distribution. The Shannon entropy approach calculates the entropy of features like source/destination IP addresses and port numbers to detect anomalous network traffic patterns. The power law distribution approach models malware propagation across networks and finds that malware distribution transitions from exponential to power law over time. Experimental results on social media datasets found the Shannon entropy approach could detect malware based on the number of applications installed, while power law distribution identified good and malicious files shared between users. Both techniques aim to improve detection of malicious content shared over social networks.
This joint cybersecurity advisory was coauthored by CISA, FBI, and HHS to describe tactics and techniques used by cybercriminals against healthcare organizations, notably to infect systems with ransomware like Ryuk and Conti. The advisory finds that malicious actors are targeting the healthcare sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and service disruptions. It provides technical details on these threats and indicators of compromise to help healthcare providers detect and prevent such attacks.
A Literature Review On Cyber Forensic And Its Analysis ToolsSamantha Vargas
This document discusses cyber forensics and analysis tools. It begins with an abstract that outlines how digital forensics is used to investigate cyber attacks and acquire electronic evidence in a way that is admissible in court. It then provides details on common digital forensics procedures like isolating devices, making copies of storage media, and using recovery software to examine copies searching for deleted, encrypted, or damaged files. The document also summarizes several research papers on topics like recovering encryption keys from memory dumps, decrypting encrypted drives, analyzing computer usage policies and violations, collecting evidence from attacker and victim machines, using clustering algorithms to analyze unstructured text in investigations, and analyzing encrypted volumes and memory to obtain digital evidence.
Similar to Bitdefender in depth-analysis cyber espionage (20)
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
1. White Paper
APT28 Under the Scope
A Journey into Exfiltrating Intelligence
and Government Information
2. [2]
White Paper
Contents
Preface...................................................................................................................................................3
Targeted victims................................................................................................................................ 4
Attribution.............................................................................................................................................5
Scanning for new targets............................................................................................................... 6
Attack flow...........................................................................................................................................7
Attacked victims................................................................................................................................ 9
Appendix 1 (Target campaigns)....................................................................................................11
Appendix 2 - The probing process.............................................................................................13
Appendix 3 - APT28 related tools..............................................................................................19
Appendix 4 (First stage component).......................................................................................20
Appendix 5 (Second Stage Component)..................................................................................21
Appendix 6 - Additional module................................................................................................24
Authors:
• Răzvan BENCHEA – Team leader of Malware Research
• Cristina VATAMANU – Senior Malware Researcher
• Alexandru MAXIMCIUC – Senior Malware Researcher
• Victor LUNCAŞU – Junior Malware Researcher
3. [3]
White Paper
The discovery of Stuxnet in the nuclear processing plant in Natanz, Iran laid the ground
for a new family of cyber-attacks: advanced persistent threats. Although the term has
since become highly popular, state-sponsored cyber-intelligence operations have been
carried out since long before the advent of Stuxnet or Flamer; less known advanced
persistent threats such as APT28 (or Sofacy) have been covertly running in Europe
since 2007.
Preface
When it was initially coined, the term “Advanced Persistent Threat” was used to define an attack that, unlike regular commercial-grade
malware, would focus on a particular target, its network topology and defenses. The purpose of this type of attack is exfiltration of sensitive
data over a long period of time or silently crippling their industrial processes. In recent years, APTs have started to define persistent
attacks launched by foreign state adversaries that no security company or victim government would explicitly name for fear of economic
or political repercussions. Another aspect that makes calling on attacking states is the difficulty in attribution: the Internet has no physical
boundaries and the technical skills of the attacking parties can make it look as the attack was launched by a rival state.
To connect the dots between an identified attack and the state actor(s) behind it, companies like Bitdefender look for solid evidence inside
the APT code or in the used communication infrastructure. The following report is a technical investigation of some particularities in the
APT28 payload implementation that allowed us to link the threat to its operators.
4. [4]
White Paper
Targeted victims
Our recent investigation into the Sofacy operations revealed that the cyber-group is extremely active and focused on specific regions. The
primary targets of APT28 are potential victims in several countries such as Ukraine, Spain, Russia, Romania, the United States and Canada.
A particular interest was found for Ukraine. Between Tuesday, 10th of February and Saturday, 14th of February 2015, the APT28 team
scanned 8,536,272 IPs for possible vulnerabilities.
Coincidentally, during this period, in Minsk, the political leaders of Belarus, Russia, Germany, France and Ukraine were participating in a
summit, discussing the ceasefire in the Donbass region in the east of Ukraine.
After February 14th,
the APT28 operators shifted their attention to Spain.
The map of affected countries is illustrated in Figure 1.
Figure 1
It is currently unknown what criteria the APT28 operators used to select targets, but our research identified that they are picked from a list of
vulnerable IP addresses prepared beforehand. The same research shows all targets belong to different categories: political ([removed]),
e-crime services, telecommunication services or aerospace industry.
More information about the victims can be found in Appendix 1.
5. [5]
White Paper
Attribution
We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that
speak Russian. Our assumption is supported by different markers identified during analysis.
When we first analyzed the pool of files we had collected on APT28, we counted the number of binaries compiled between 08:00 and 18:00
on working days (Monday to Friday) for every time zone. It was revealed that UTC+4 stands out, as 88% of files are compiled during this
interval. Out of the other countries sharing the same time zone (Russia, Georgia, Azerbaijan), Russia is the only country that possesses the
necessary skills and resources to pull off this kind of attack.
In the graphic below (Figure 2) the samples are grouped by the hour they were compiled (UTC+4). It can be seen that most were compiled
between 08:00 and 18:00.
Figure 2
Another clue that supports the assumption that the authors are from a Russian-speaking country is found in a hacking tool
designed to grant system privileges. This tool was found along with files related to APT28 files. The header of the file called xp.exe
(78450806E56B1F224D00455EFCD04CE3) features a hardcoded path to a debug file (C:UsersПользовательDesktopcve-2014-4076
cve-19abdbaDebugCVE-2014-4076.pdb). The string Пользователь translates to users in Russian.
We have reasons to believe that this file is part of the same APT28 attack since it had its modification/creation time modified to 14/04/2008,
16:00, just like most of the other APT28 files used in the attack. All files used in the attack were compiled after 2013. Changing the date was
just a measure to throw off any victim who would perform a shallow search for new files, should they have any doubts about the security
of their system.
6. [6]
White Paper
Scanning for new targets
One of the main purposes of the server we analyzed is to automate the process of finding new victims that can be marked as “vulnerable.”
This is done by exhaustively scanning and probing a pre-determined pool of IP addresses contained in a range. The server-side application
has four main components, as follows:
a python script (gen_ip.py) that generates random IPs from a certain class
a database (shodb) for centralizing all the data
the scan bots that probe and screen potential victims
a Django (sho) application for bot administration and reporting.
Rather than taking a “shotgun” approach, the APT28 victims are hand-picked. The script has a hard-coded list of IP classes; it iterates
through these subnets and generates a list of random IPs within the range. If the operators scanned all IPs within the range, it would
increase the chances of the attacked party noticing their systems are actively probed from the outside. After the random generation
process completes, these IPs are added to the database. Each IP address is then given a priority level.
At the time of writing, the database contains the 58,624 IPs related to the incident described in Appendix 1. All these IP addresses have the
same priority level, set to 1.
The scanning bots are individual systems, all situated in different networks. We presume this was a necessary approach to make the
scanning process look organic. If a single IP or a set of IPs from the same network would scan entire subnets, it would raise suspicions or
trip intrusion detection systems and their activity would likely be interrupted.
To get their scan jobs, each bot would authenticate to the server via cookies. Upon successfully authenticating, the scan bot receives a
list of maximum 16 IPs per request. For each IP, it will scan certain ports using the nmap tool (Appendix 1). If it finds open ports, it then
contacts the server and the information retrieved by nmap is saved in the database. Subsequently, the respective IP address is marked as
vulnerable. The process is described in the figure below (Figure 3):
Figure 3
7. [7]
White Paper
The Django application represents a wrapper over the database and can be used to manage the bots and monitor their activity.
The main statistics displayed at the time of the writing are illustrated in table below (Figure 4):
Figure 4
The scan bots are geographically distributed as follows: 3 in the United States, 3 in United Kingdom and 3 in Bulgaria (Figure 5):
Figure 5
More information is provided in Appendix 2.
Attack flow
The APT28 group relies on three distinct attack vectors to infect their targets: spear phishing e-mails with crafted Word and Excel documents
attached, phishing websites hosted on typosquatted domains and malicious iFrames leading to Java and Flash zero-day exploits.
The client usually gets infected by accessing an URL hosting an exploit kit. Upon successful exploitation, a first stage dropper (in our case
the name is runrun.exe) is written to the disk. Its main purpose is to drop a file (api-ms-win-downlevel-profile-l1-1-0.dll)
and execute it using rundll32.exe. This, in turn, contacts the C&C server and downloads the second stage component.
The second component is installed using the same method as described above. First, a dropper is executed (winloat.exe) which writes
one of the key components of the attack (advstoreshell.dll) to the disk, along with a configuration file (msd). The configuration
file contains essential information such as a list of three servers that the backdoor will try to contact (win*********ore.net
,micro********er.com and 1***.net), the interval between requests and a flag that indicates whether key logging should be
activated or not.
At this point, the attacker takes control of the machine and deploys different tools and components to achieve his goal. In the case we
8. [8]
White Paper
analyzed, the attacker downloaded 3 hacking tools:
1. A tool to dump passwords from logged-in users (run.exe)
2. A tool that exploits a privilege escalation vulnerability (CVE-2014-4076) to gain system privileges (xp.exe)
3. A tool that acts as a proxy and allows the attacker to contact the system even if it is behind a router (svehost.exe)
An additional component is also downloaded (pr.dll) that is a modular component used to upload stolen data to the C&C.
The attacked flow is described in the figure below (Figure 6):
Figure 6
More information about the tools used is provided in Appendix 3. The first stage component and the second stage component are further
discussed in Appendix 4 and Appendix 5, respectively. Finally, the additional module (pr.dll) is analyzed in Appendix 6.
Right after deploying their payloads, the attacking party changed the time stamps of all the files downloaded by the second stage dropper
to 14/04/2008, 16:00. This technique allowed the attackers to hide the files in case victims would suspect the attack and attempt to list
new files written on the disk.
First stage Dropper (runrun.exe)
vTools:
xp.exe
run.exe
svehost.exe
Additional
Module:
Pr.dll
First stage downloader (api-ms-win-downlevel-profile-l1-1-0.dll)
Second stage dropper (winloat.exe)
Backdoor and Second stage downloader (advstoreshell.dll)
9. [9]
White Paper
The table below shows the compilation date and the file creation time for each of the files involved in the attack.
File Name Compilation Date Creation Time
%allusersappdata%xp.exe 12/03/2015 12:54:57 14/04/2008 16:00
%allusersappdata%run.exe 05/04/2013 12:51:41 14/04/2008 16:00
%allusersappdata%svehost.exe 22/04/2015 11:49:54 14/04/2008 16:00
%localappdata%Microsoft Helpadvstorshell.dll 30/04/2015 13:13:13 14/04/2008 16:00
%allusersappdata%msd 14/04/2008 16:00
%allusersappdata%Pr.dll 13/05/2015 22:05:57 14/04/2008 16:00
%temp%winloat.exe 30/04/2015 14:24:54 13/05/2015 17:23
%temp%api-ms-win-downlevel-profile-l1-1-0.dll 08/05/2015 13:39:32 13/05/2015 16:22
%temp%runrun.exe 08/05/2015 13:45:31 13/05/2015 16:22
Table 1
The latest creation date is 13/05/2015, which hints at the date the attack happened. Given that it took almost an hour from the moment the
first downloader got written to the disk to the arrival of the second stage downloader, this process was likely carried out manually by a human
operator. An important observation is that all of the components, except one, had been compiled before the attack. “%allusersappdata%
Pr.dll” is the only file that was compiled 5 hours after the compromise. This suggests this file was specifically built for the target.
Attacked victims
The victims we have identified belong to different industries and sectors. Our research shows that the attack targeted political figures,
government institutions, telecommunication and e-crime services, as well as aerospace companies from Germany, Ukraine, Russia and
Romania.
Some of the victims could be identified by analyzing the information stored on the central server we have investigated. The stored
information contained traces of stolen information in the form of e-mails. Some were reported by our internal systems.
The e-mails we have identified on the central server revealed victims from the first two categories.
Political figures
On 13th
May 2015 two .pst files named ‘C:ProgramDatabackup.pst’ and ‘C:ProgramDatabackup2.pst’ were copied to
the server. The e-mails seem to be addressed to the [redacted].
Aerospace industry
On July 9th
2015, fourteen archives were copied on the server. Among them were two .dbx (Outlook Express database) files. The e-mails
seem related to [redacted].
On June 18th the file “F:Outlook ExpressAC_VTS_ÐÊÒ.dbx” was transferd to the central server. The emails belong to [removed]
Also on June 18th,
the file “F:Outlook ExpressKydla.dbx” was transfered on the server. The emails belong to [redacted]Second stage dropper (winloat.exe)
10. [10]
White Paper
All these victims seem related to the aerospace industry or aircraft research programs. The context also supports the Russian origin, given
the huge media coverage of the Russian “smartplane” PAK FA T-50 Fighter and America’s F-35. We presume the APT28 authors
might have attempted to explore new technologies being developed in the aerospace industry for integration.
Our internal services also flagged a number of computers as under attack, such as those belonging to [redacted]. In Romania, these
flagged computers are part of government infrastructures or are closely related to the Romanian government.
11. [11]
White Paper
Appendix 1 (Target campaigns)
Analyzing the APT28 command and control server identified two ongoing attempts to find new victims.
The process consists of scanning the ports of a large IP list, extracted from a database. The port scanning process is carried out via
the free tool “nmap”. If one of the ports is found open, the IP is marked as “vulnerable” and the corresponding information is saved. The
command used for probing is illustrated in figure below:
Figure 7
Where:
-T5: scan will map a host in very little time, provided you are on a very fast network or don’t mind losing some information along the way.
-p: scan specific ports
-sV: detect remote services (server / daemon) version numbers
-O: identify a remote host apps and OS
--version-light: enable light mode that makes version scanning much faster, but it is slightly less likely to identify services
--script=banner: shows ftp banner responses
--script=http-headers: performs a HEAD request for the root folder (“/”) of a web server and displays the HTTP headers returned.
-oX: logs the results of the scan in XML form into the file specified as an argument
-iL: reads target specifications from a given configuration file rather than from the command line; the file should contain a list of host or
network expressions separated by spaces, tabs or newlines.
The first attempt we have identified started on 10th
of February 2015 when a list of 8.762.102 IPs were scanned. Out of this large list,
1.712.363 IPs were marked as “vulnerable.” The probing process lasted until February 14th. Most of the IPs were from Ukraine (8.536.272
scanned, 1.704.837 found vulnerable).
nmap
-T5
-p 21,22,23,25,80,110,143,443,465,993,995,8080,7071,3389,5900
-sV
-O
--version-light
--script=banner
--script=http-headers
-oX out_name
-iL targets_file
12. [12]
White Paper
The number of scanned IPs is exhaustive, almost equal to the total number of IPs allocated to Ukraine. Searching through the major events
regarding Ukraine in that time frame, we realized that the probing took place during the summit in Minsk regarding the ceasefire in the
Donbass region of Eastern Ukraine. On February 11,
the leaders of Belarus, Russia, Germany, France and Ukraine met to negotiate the new
set of peace measures that were announced on February 12 and signed on February 15.
The targeted countries in these campaigns are illustrated in table below (Table 2):
Country Number of vulnerable IPs
Ukraine 1704837
Russian Federation 4666
Romania 1287
Bulgaria 1272
United States 150
Canada 149
Italy 2
Table 2
On February 14, a backup of the database was saved in a file (file.csv) and the attacker’s focus moved from Ukraine to Spain.
On February 16,a new attempt to find new victims was made. The new database was loaded with 58,624 new IP addresses, out of which
6,146 were found vulnerable after probing. The targeted countries in this case are illustrated in Table 3:
Country Number of vulnerable IPs
Spain 5511
United Kingdom 584
Portugal 47
United States 2
Mexico 2
Table 3
Since in this second attempt the set of IPs is rather small, we presume that this attack was highly targeted to specific institutions. By
analyzing the target IP ranges, we were able to identify some of the victims.
The decision logic related to which victims should be infected is unknown to us at the time of writing, but we presume the vulnerable
targets are next engaged by a human attacker rather than in an automated way.
13. [13]
White Paper
Appendix 2 - The probing process
The screening process for finding new possible victims is carried out via multiple bots managed by a central command and control server.
The operational flow can be broken down as follows:
1. Generating new victims
Potential victims are identified by port-scanning a list of IPs belonging to different subnets. This list is generated by a script, gen_ip.py,
which iterates through IP classes and randomly picks IPs for port-probing. At the time of writing, the script has 11 IP classes hardcoded,
which leads us to believe that victim organizations are picked manually.
The script generates random integer numbers that represent IPs belonging to these classes. The fact that it doesn’t iterate consecutively
through all the IPs shows that the attackers have taken all precautions not to trigger alarms in the victims’ intrusion detection system -
scanning all the IPs from a subnet may raise suspicions.
All generated IPs are added to a database on the central server. Most of these IPs are from Spain and belong to political institutions
([redacted]), telecommunication companies and public affairs institutions.
2. Centralizing all information
The command and control server’s most important asset is the shodb database. After restoring the database, the following relations were
found (Figure 9):
Figure 9
- The sho_bot table contains information regarding the active bots (Table 5)
id uid code_id info last_activity
8 345051441193 1 2015-02-12 16:09:53.698382+02
9 345051780961 1 2015-02-12 16:09:55.111999+02
7 345051783097 1 2015-02-12 16:09:59.12588+02
5 161343679352 1 2015-02-12 16:10:01.145779+02
6 161343570082 1 2015-02-12 16:10:01.382175+02
4 345051780666 1 2015-02-12 16:10:01.405667+02
3 161340745510 1 2015-02-12 16:10:02.940085+02
14. [14]
White Paper
id uid code_id info last_activity
1 207376762666 1 2015-02-12 16:10:09.403215+02
2 345051770354 1 2015-02-12 16:10:09.97157+02
Table 4
There are 9 bots, each one identified through a cookie (uid). This cookie is used by the bot to register on the main server. If the server has
a reference to that cookie, the process continues. The priority (code_id) is set to 1 for all the bots. The info table column is empty for
all the entries.
- sho_cookie table contains information about the bots’ activity (Table 6)
id cookie active bot_id last_activity ip_addr get_num
24 5PZLO3CDVTIN3VXCKTKEACIOC8960CDI t 2
2015-02-12
16:09:05.202448 87.***.***.18 3
12 LZJMU3UUCWTR3B3MDQZUHHP12T9RF2Y1 t 3
2015-02-10
19:36:45.144918 5.***.***.223 3
22 5FIRR9LY5PAWAJE0ROJ0WJT2UE2XTYRD t 5
2015-02-10
22:02:36.856878 5.***.***.160 3
26 VL1JCPSHSJGENP71CCLF9AOLUYXJN8IJ t 8
2015-02-12
16:08:57.869532 192.*.**.215 3
25 6DFLVNT0E6GFQGIOWLL2BNE378KYF5OG t 1
2015-02-12
16:08:59.608116 23.**.**.98 3
23 R814WUWHBFEJZP8K4RMFCUTP49U90IQO t 6
2015-02-10
22:03:17.29154 5.***.***.150 3
7 345051770354 t 2
2015-06-06
07:02:03.173137 87.***.***.18 8285348
9 207376762666 t 1
2015-06-09
00:28:13.25646 23.**.**.98 7046287
20 9DPR3K6NI77WU48S1ECAH61YYUZE2QAJ t 7
2015-02-12
16:09:00.011016 87.***.***.155 3
31 STGKT18882NZTA24YP9FCFNPE6EBCFBO t 5
2015-04-18
05:36:10.383518 5.***.***.160 3
33 UB7M7VLR5I8S4V8H4CCKNEWG9JHD89QD t 3
2015-04-18
05:53:33.533398 5.***.***.223 3
19 7JU8XX4IEKOIAYVBVM27IYS6G39ZINYO t 9
2015-02-12
16:08:54.475175 5.**.***.36 3
35 UO2D3O5H91BMZZYNN7T8Q5ZA9BE0XIKM t 1
2015-06-09
00:28:13.257237 23.**.**.98 3
21 S7JWM4N6LFBX18NFL21J15JYLWFBQYTZ t 4
2015-02-12
16:09:05.202402 87.***.***.12 3
15. [15]
White Paper
id cookie active bot_id last_activity ip_addr get_num
2 345051441193 t 8
2015-03-17
07:46:35.012289 192.*.**.215 3073574
32 CLQS319XK8UBN6AMNPZOG89J2YHNUWB4 t 6
2015-04-18
05:31:43.481397 5.***.***.150 3
8 161340745510 t 3
2015-04-18
05:53:33.532651 5.***.***.223 5445010
4 345051780666 t 4
2015-03-18
09:40:52.701857 87.***.***.12 2344761
3 345051783097 t 7
2015-02-14
15:26:34.879942 87.***.***.155 208586
30 W301ZX83BLGN0BAY6XU8QANKYOJYHKPT t 4
2015-03-18
09:40:52.702595 87.***.***.12 3
5 161343679352 t 5
2015-04-18
05:36:10.382767 5.***.***.160 5651159
28 HPKFFT7ACLL89YLIXCYD9WFSZTLOZI3A t 8
2015-03-17
07:46:35.013037 192.*.**.215 3
29 XWUHUJ3P6SEV02UN9O4C188MQGBTM2TL t 7
2015-02-14
15:26:34.880691 87.***.***.155 3
27 7CH9P1PGXHPWH9J1ENU8XPAL27RC0GCL t 9
2015-03-04
11:47:35.429737 5.**.***.36 3
34 7SEE8AJRY56OOCAHURYT14FSYIRJ69VX t 2
2015-06-06
07:02:03.173882 87.***.***.18 3
6 161343570082 t 6
2015-04-18
05:31:43.480646 5.***.***.150 6785223
1 345051780961 t 9
2015-03-04
11:47:35.428945 5.**.***.36 1664623
Table 6
The cookie column represents the authentication code, last_activity is the last date when the bot has reached the server, ip_addr
is IP of the bot, and get_num column represents the number of connections done by the bot with the central server.
This research also shows that the bots are duplicated and that there are two types of cookies: one using letters and numbers and one
using only numbers. The activity of the first type is very poor (3 connection for each cookie), which leads us into believing that, over time,
there were two versions of bots and plugins running in parallel. This can be explained also by the fact that the first type of cookie doesn’t
appear in the sho_bot table.
- sho_ip table contains the list of IPs generated by the gen_ip.py script
- sho_plugin table contains code, not data. It stores the script plugin-nmap-0.43.py. This script’s main role is to
fetch the targeted IPs (up to 16 IPs per request) and execute the scanning command (Figure 10)
16. [16]
White Paper
Figure 10
After parsing the nmap results, the data is sent back to the server and saved to the database in the sho_ip table.
- sho_code table contains code, not data. It stores the scan-bot-03.py script. This script describes the behavior
of the system. The bot connects to the server and registers itself using a cookie. Once authenticated, the bot requests the last
version of the code from the sho_code table (update mechanism) and the last version of the plugin (sho_plugin) that has to
be executed. Once updated, it starts a list of threads that will use the latest plugin to scan the targeted IPs.
- sho_log table is empty
- sho_setting table is empty
A Django application is also running on the server. It serves as an administrative and reporting interface for the bots and targets. The
figure below (figure 11) illustrates the admin panel. This interface allows a human operator to view statistics, add users, targets or bots
or delete them.
18. [18]
White Paper
The interface is very simple, representing just a wrapper over the database (figure 12: add user (up) add targets (below)):
Figure 12
1. The bots
The machines used to scan the potential victims are in different networks. This helps the attackers conceal that scans originating from
these IPs are part of the same operation. The table below shows the IPs of the bots found in the database at the time of writing (Table 7):
BOT IP Country
192.*.**.215 US
5.**.***.36 US
87.***.***.155 UK
5.***.***.160 Bulgaria
5.***.***.150 Bulgaria
87.***.***.12 UK
5.***.***.223 Bulgaria
23.**.**.98 US
87.***.***.18 UK
Table 7
19. [19]
White Paper
Appendix 3 - APT28 related tools
Proxy tool (svehost.exe)
This executable file can be either used with arguments passed via the command line or without. When executed without arguments, it
attempts to contact the IP address: 176.**.***.10 on port 443.
It can also be started with the following command line:
svehost.exe start <ipaddress> <port>
The file uses an old version of the OpenSSL library (OpenSSL 1.0.1e). In fact, the reason this file is 1038 kilobytes in size is because of the
inclusion of this library.
The main purpose of the tool is to allow an attacker to contact systems behind a router, which otherwise would not be accessible from
outside the network.
Privilege escalation tool (xp.exe)
The tool is built around a vulnerability discovered in 2014 (CVE-2014-4076) and works by sending a specially crafted package to the .
TCP device through the use of DeviceIoControl function. The vulnerability was fixed in late 2014.
The tool works by receiving one executable file as argument. The tool will then run this executable file with system privileges.
The file is compiled using the debug configuration. Because of this, a path to a pdb file is also hardcoded into the file. The path references
C:UsersПользовательDesktopcve-2014-4076cve-19abdbaDebugCVE-2014-4076.pdb
The string Пользователь means users in Russian. This is one of the reasons we suspect the authors are Russian speakers.
Password dumping tool (run.exe)
This seems to be based on the source of a public tool (mimikatz) for dumping passwords out of WDigest through LSASS. More information
about the tool can be found by visiting the author’s page: http://blog.gentilkiwi.com/mimikatz.
The file was compiled on 05/05/2013 and does not contain any version info. This suggests the authors used a custom build.
The tool receives a file as argument. The retrieved password will then be dumped into the file passed as argument.
20. [20]
White Paper
Appendix 4 (First stage component)
This is the first component that gets on the computer after infection. Its purpose is to contact the C&C server and ask for further instructions.
The first stage payload is made of two items: a dropper and a first stage backdoor. The dropper, which in our case is named runrun.
exe, has embedded the file api-ms-win-downlevel-profile-l1-1-0.dll in the data section. The dropper uses many custom
encryption algorithms to protect itself from reverse-engineering.
The following algorithm (Algorithm 1) is used to decrypt its APIs:
Algorithm1:
The payload (api-ms-win-downlevel-profile-l1-1-0.dll) is encrypted using RTL and a custom encryption algorithm that uses
a 10 byte key (Algorithm 2):
Algorithm2:
The dropped file is a downloader that contacts the C&C to get the second stage component. It contacts the domain: www.msc****vw.com
and the IP address: 91.***.**.249.
The requests are performed via GET over HTTP. They are randomly generated. Each request has 1 to 5 groups of 1 to 6 randomly generated
chars and numbers. Each group is separated by a slash. An example of a request is given below:
/ue/VHghm/ihXAIK/qpi/1c9.xml/?XK1=VrLYQndXGXwzURh9RBE=
The xml extension present above is actually picked from 4 available extensions (xml, pdf, html, zip).
The final argument is an encrypted key, probably used by the downloader to authenticate itself to the server.
This file works as a rudimentary backdoor that has the following commands available:
• Download
• Execute
• Delete files
Since it took more than an hour for the second stage component to be downloaded to the infected system, we presume this is downloaded
manually.
b[idxbuff+1] = b[idxbuff+1] ^ b[idxbuff] ^ key[(idxbuff+1)%keylen]
)unsigned char encrypt1(int pos
{
;xor = 0
)++for(int i=0;i<key_length;i
;)xor ^= key[i] + (unsigned char)(i*pos
return xorl
}
21. [21]
White Paper
Appendix 5 (Second Stage Component)
The purpose of the second stage component is to open a backdoor to allow the attacker to assess the target and download additional
components.
a. Dropper:
As the First Stage Component, the important file is being installed using a dropper. (winloat.exe)
The main steps followed by the dropper are:
1. Decrypt its overlay (containing the backdoor: advstoreshell.dll and the configuration file: msd)
2. Write payload on disk
3. Call the InitW method of advstoreshell.dll
b. Configuration File:
To encrypt/decrypt the configuration file and the APIs used by advstoreshell.dll the component uses a custom stream cypher with
key length of 6. The function given below is used to retrieve the corresponding byte used to XOR at an index in the buffer.
Algorithm 3:
unsigned char decrypt(unsigned char key[6], uint32& buffer_pos)
{
ixk = buffer_pos % 6 +2;
ixb = (unsigned char)(ixk);
buffer_pos++;
v_10 = key[(ixk -2)%6]^byte((uint32(ixb)*uint32(key[ixk-2])) >> 7)
v_11 = key[(ixk+1)%6] ^ ixb;
xc = (key [ixk%6] & v_11) + v10;
return xc
}
22. [22]
White Paper
The configuration file (msd) file is encrypted using the algorithm described above and is 122 bytes long. It contains the following information:
Timeout1 Timeout2
Computer
Name
Two domain
names Campaign id ? ?
Keylogging
flag
Main
domain
name
Where:
• Timeout1 = 60000 ; represents the number of miliseconds until timeout is reached when contacting the C&C
• Timeout2 = 60000 ; represents the number of miliseconds until timeout is reached when using contacting the C&C using encryption
• Computer name = DAE13WS01204030501 ; The name of the infected computer
• DomainName1= micro**********ter.info
• DomainName2=dri********te.info
• Campaign id = rhbp ; we are still investigating the meaning of this field, but it is very likely a campaign identifier
• ? = 1000 ; we are still investigating the role of this field, although preliminary information leads us to believe that it is used as a counter
• ? = 600000; we are still investigating the meaning of this field, but it is very likely another timeout value
• Keylogging flag = 1; this indicates whether the backdoor should intercept keystrokes and send them to the C&C server.
• Main domain name = 1***.net ; this is the first domain that the malware tries to connect
c. Backdoor Component:
The most important component of APT28 is the backdoor, in this case, the file called advstoreshell.dll. This file reads the configuration
file (msd) and contacts the C&C servers indicated in the configuration file. It can also read the configuration file from the registry. The
configuration stored in the registry is probably obtained via update from one of the C&C servers.
On the system we have analyzed, there were two configurations:
1. The first one being the msd file that was located in the same path with advstoreshell.dll
2. The second one was found in registry (HKCUSoftwareMicrosoftWindowsCurrentVersionExplorer
Path). It contains almost the same data as the msd file except for the first two domain names that are changed to win[redacted]
ore.net and micr[redacted]er.com.
This was the only component that was set to run at startup. This was achieved by creating the value AdvancedStorageShell in HKCU
SoftwareMicrosoftWindowsCurrentVersionRun with the contents:
“RUNDLL32.EXE “C:Documents and Settings<user-name>Local SettingsApplication DataMicrosoft Helpadvstorshell.dll”, InitW”
23. [23]
White Paper
The backdoor is highly advanced and supports 26 commands. We analyzed some of the supported commands, while the analysis for the
rest is still in progress.
5 find file
6 get file content and timestamps
9 enumerate registry keys and values
10 set registry value
11 delete registry value
13 start process using CreateProcess
14 kill process by id
16 start process using cmd /c
17 list drives and types
19 read file from offset
21 get system info (run systeminfo in cmd)
25 create thread
When running a command using the cmd /c option, the output is saved in a file named tmp.dat
Communication between this component and the C&C server is carried out on port HTTP (443). If this is not possible, it attempts to
connect on port 80. In some cases, the communication is encrypted using 3DES and RSA.
One important function of this backdoor is that it can load external components. It can achieve this goal by calling the init function of
any dll. This is how the s plugin is loaded.
24. [24]
White Paper
Appendix 6 - Additional module
The final component installed by APT28 is a module named pr.dll. This file was compiled 5 hours after the system was compromised.
This discrepancy in time prompts us that the file is individually crafted for each target system.
The file seems to be a modular framework that can accommodate different modules. It stores its configuration in an encrypted format, and
saves it in the Registry key “HKUS-1-5-19_ClassesSoftwareMicrosoftMediaPlayer{some_clsid}chnnl” .
Once executed, the malware checks for the presence of a mutex (XSQWERSystemCriticalSection_for_1232321) to make sure that another
instance of itself is not already running. After that, it contacts the server (the IP: 198.[redacted].74 or the domain name sec[redacted]win.
com). During the initial communication, the backdoor sends an encrypted buffer to the C&C server that contains a RC4 key and the IDs of
the plugins it has installed. The buffer is shown below:
We can identify plugins with the following ids from the buffer above: 0x3302, 0x3303, 0x2103, 0x2106
An interesting aspect of the pr.dll is that it creates two pipes that are presumably used to collect data sent by other processes.
The pr.dll seems to be a Windows version of a Linux file found on the server. The server hosts 4 elf files, two built for the x86
architecture (075b6695ab63f36af65f7ffd45cccd39, f3bf929a35c3f198226b88537d9ccb1a) and two for the x64 architecture
(2683624eacc490238e98c449bddbb573, 5bf524a4860f3c33e3ad77b6b625db37). The elf file uses SQLite3 rather than Registry
to store its configuration. The database named My_BD holds two values chnnl and prms.
The files attempt to contact the server by constructing random requests. Each request is made of one of the verbs (watch/, search/,
results/, search/, close) and two to nine arguments (selected from the list: text=, from=, itwm=, ags=, oe=, aq=, btnG=, oprnd=, utm=,
channel=). The values of the arguments are randomly generated.
An example of a request is given below:
h[tt]p://198.***.***.74/watch/?aq=JTfJRp-s&oprnd=Dwtee&itwm=niKMuGE9Mp9Md9vHdggZMS16YlSTx&btnG=t&oprnd=FbLtw&AVVAT=m
8I2tN
The elf files contain the following modules:
1. AgentModule
2. KernelProvider
3. AgentKernel
4. ChannelController
5. Cryptor
6. LocalStorage (sqlite3)
7. ReserverApi
8. AgentChannel
9. HttpChannel
10. FSModule
11. RemoteShell
12. RemoteKeylogger
As stated above, there are two versions for each architecture. The only difference between them is that one version does not include the
last two modules.
03 33 02 03 33 23 03 21 23 06 21 23 3A 66 95 64 4B 56 FF 22 4D 81 4F
25. [25]
White Paper
About the Authors
Răzvan Benchea has been working as a malware researcher for more than eight years. He is an associate professor at the Alexandru Ioan
Cuza university of Iaşi where he teaches operating systems and assembly language. Răzvan’s areas of expertise includes APT forensics
and reverse engineering. His academic accomplishments include a PhD in machine learning algorithms for malware detection.
Alexandru Maximciuc spent the past 10 years doing antimalware research at Bitdefender. He is an expert in reverse engineering and
cryptanalysis. Alexandru has played a key role in the analysis and mapping of the PushDO botnet and is in charge with the automation of
sinkholing operations.
Cristina Vatamanu is a malware researcher with a focus on botnets. With more than six years of experience in reverse engineering, exploit
analysis and cryptography, Cristina has brought her contribution to the threat intelligence scene at conferences such as AVAR and Virus
Bulletin.
Victor Luncasu is a junior malware researcher focused on algorithms and data structures. His experience includes reverse engineering and
payload analysis as well as custom communication protocols between bots and command & control servers.