Monthly Archives: March 2020

Booz Allen analyzed 200+ Russian hacking operations to better understand their tactics

Here is the report mentioned in the article

https://www.zdnet.com/article/booz-allen-analyzed-200-russian-hacking-operations-to-better-understand-their-tactics/bearing-witness-uncovering-the-logic-behind-russian-military-cyber-operations-2020

Here’s an excerpt:

Relevant Tools Used by GRU Operators
The following table contains descriptions of tools referenced in this report, intended to provide technical information beyond that
which appears in the report’s body. It is not an exhaustive list of tools attributed to GRU operators in public reporting.

TOOL ALIASES DESCRIPTION
SEDUPLOADER JHUHUGIT460 JKEYSKW460 SofacyCarberp461 Trojan.Sofacy462 Sednit463 GAMEFISH463 A first-stage downloader based on the Carberp banking Trojan. It serves as reconnaissance malware and can download a secondary backdoor such as XAgent.460
SOFACY SOURFACE464 A first-stage downloader that retrieves a second stage backdoor from a command-and-control server.464
DELPHOCY A malware family used from 2013 to late-2015 consisting of a Delphi-based backdoor and,sometimes, a bootkit.465 Its code overlapped with BlackEnergy and VPNFilter, which are linkedto technical effects operations, but its infrastructure overlapped with psychological effects operations Sofacy campaigns.
ZEBROCY Zekapab466 A multilanguage family of modular downloaders, droppers, and backdoors deriving from Delphocy.467 Zebrocy is used for reconnaissance, maintaining persistence, and exfiltrating information to command-and-control servers. Observed in the wild since October 2015, Zebrocy immediately dropped elements of the Carberp malware seen in Delphocy and eventually dropped elements of BlackEnergy code.465 Like BlackEnergy, it retained the use of victim-identifying build IDs. Zebrocy infrastructure continued to occasionally overlap with infrastructure linked to psychological effects operations Sofacy campaigns.
X AGENT Xagent468 CHOPSTICK468 Backdoor.SofacyX462 SPLM420 webhp463
A family of modular backdoors with Windows, Linux, and iOS variants.463, 470 The malware, which includes espionage functionalities like keystroke logging and file exfiltration, is typically dropped after a reconnaissance phase as second-stage malware.420
X-TUNNEL XTunnel420 Trojan.Shunnael462 XAP420 A network proxy tool in use since at least 2013. It creates an encrypted tunnel for transmitting data between infected computers and command-and-control servers.471, 472
SEDKIT A custom exploit kit used by APT28 from 2014 through October 2016. Victims were redirected to the exploit kit via watering holes and spearphishing emails. The victims’ machines are fingerprinted to ensure the delivery of a suitable exploit, usually Seduploader’s dropper.420
CANNON A first-stage payload written in C# and Delphi that uses an email-based command-and-control channel. The trojan gathers system information and screenshots then executes a second-stage payload.472
47
TOOL ALIASES DESCRIPTION
SOFACY SEDNIT474 Generic names that refer to a family of malware that are primarily backdoors and information stealers, which capture keystrokes and system information, transmitting collected information to command-and-control servers.474
F YSBIS A persistent modular Linux operating system (OS) trojan and backdoor that can install itself with or without root privileges.475
CORESHELL A first-stage downloader that retrieves a second-stage backdoor from a command-and-control server. Coreshell is an updated version of SOURFACE, with additional antianalysis techniques.476
LOJA X A UEFI rootkit used to maintain persistent remote access on targeted systems. Lojax is a trojanized version of an older LoJack antitheft-software userland agent.477
GOLD DRAGON A data-gathering implant that acts as a reconnaissance tool and downloader for subsequent payloads.478
BL ACKENERGY BE A DDoS botnet builder released in 2007 by a criminal using the handle Cr4sh in DDoS-for-hire campaigns.479, 480 The name “BlackEnergy” without version numbering is frequently used interchangeably with the much more diversely capable derivative BlackEnergy2 and BlackEnergy3 malware.
BL ACKENERGY2 BE2 A completely rewritten iteration of BlackEnergy that first appeared in the wild in mid-August 2008.480 The new BlackEnergy2 trojan featured rootkit and process-injection techniques, strong encryption, and, critically, a modular architecture.480
Observed modules reflected BlackEnergy’s dual use as a criminal and state-linked espionage
or warfare tool.438 Criminal modules included a DDoS builder, spam distributor, and a banking credential stealer designed for the Russian and Ukrainian markets.480 Other modules showed little for-profit utility such as ones contained in exploits for specific types of humanmachine interface (HMI) applications in ICS networks.481 The tool was used in both information technical482 and psychological effects campaigns at least as early as January 2012.438
BLACKENERGY3 BlackEnergy Lite
BE3 An updated, 2014 version of BlackEnergy that lacks a driver and includes a simpler installer component, a greater number of plugins, and antianalysis techniques.438 This version was not linked to for-profit criminal activity.
GREYENERGY A modular malware family likely based on BlackEnergy that includes a first-stage backdoor that
maps networks, collects passwords, and uses escalate privileges. A second-stage backdoor
then uses Tor relays and internal nodes as proxy command and control for stealth. GreyEnergy modules vary and enable data exfiltration and execution of remote processes.483
GREYENERGY MINI FELIXROOT484 A first-stage backdoor used to evaluate a compromised computer and gain an initial foothold in the network.483
CRASHOVERRIDE Industroyer485 A modular malware designed to disrupt ICS processes in electrical substations. Crashoverride consists of an initial backdoor, loader module, and several supporting and payload modules.481
The malware also includes a data wiper and a denial of service (DoS) tool targeted at Siemens
SIPROTEC protection relays.485
EX ARAMEL A backdoor used to execute shell commands, launch processes, and exfiltrate data to a command-and-control server.486 This malware is an improved version of the Crashoverride (Industroyer) malware.486
48
TOOL ALIASES DESCRIPTION
VPNFILTER A multistage modular malware targeting networking equipment that allows for theft of website credentials and monitoring of Modbus supervisory control and data acquisition (SCADA) protocols. The malware can exfiltrate data and conduct man-in-the-middle attacks on traffic passing through infected devices. It also has a destructive capability that can be triggered en masse. VPNFilter has significant code overlap with BlackEnergy.487
KILLDISK A publicly available data wiping tool used to overwrite files with random data, rendering the files inaccessible and the operating system inoperable.488
MOONRAKER PET YA An early version of the NotPetya ransomware deployed in December 2016. The worm had limited spreading capabilities but contained code that rendered infected computers unbootable byrewriting registry keys and wiping parts of the system drive. It incorporated code from the original Green Petya crimeware.483
XDATA Win32/Filecoder.
AESNI.C489 A ransomware distributed via a supply-chain attack against the update server of the Ukrainian software M.E.Doc.490 XData attempts spread laterally by using Mimikatz to extract admin credentials and copy itself to all computers on an internal network.491
PETRWRAP A family of ransomware used in targeted attacks that contains a sample of the Petya ransomware, modified with entirely new decryption routine.492
NOTPET YA GoldenEye493 ExPetr494 Nyetya493 Diskcoder.C489 PetrWrap (new version)493
A wiper disguised as ransomware designed to destroy data and disk structure on compromised systems. Although NotPetya encrypts data and presents a ransom demand on
compromised systems, the malware did not have the ability to decrypt data, rendering it
permanently unavailable. NotPetya was delivered through a supply-chain attack through an
update server for M.E.Doc. NotPetya included a worm-like feature to propagate across a
network using EternalBlue and EternalRomance exploits.495 The malware contains substantial code similarities with the Crashoverride (Industroyer) malware.486
BAD R ABBIT A pseudo-ransomware wiper family consisting of a dropper disguised as an Adobe Flash installer. Bad Rabbit used the EternalRomance exploit to spread within networks. Bad Rabbit’s encryption uses a hashing process that uses an algorithm similar to NotPetya. Unlike NotPetya, there are technical means to decrypt the key necessary for disk decryption.496