Operation Molerats: Middle East Cyber Attacks Using Poison Ivy

Don’t be too hasty to link every Poison Ivy-based cyber attack to
China. The popular remote access tool (RAT), which
we recently detailed on this blog
, is being used in a broad
campaign of attacks launched from the Middle East, too.

First, some background:

In October 2012, malware attacks against Israeli government targets
grabbed media attention as officials temporarily cut off Internet
access for its entire police force and banned the use of USB memory
sticks. [1] Security researchers subsequently linked these attacks to
a broader, yearlong campaign that targeted not just Israelis but
Palestinians as well [2] and, as discovered later, even the U.S. and
UK governments. [3] Further research revealed a connection between
these attacks and members of the so-called “Gaza Hackers Team.” We
refer to this campaign as “Molerats.” 

Threat actors in specific geographic regions may prefer one RAT to
another, but many RATs are publicly available and used by a variety of
threat actors, including those involved in malware-based espionage.

In 2012, the Molerats attacks appeared to rely heavily on the
XtremeRAT, a freely available tool that is popular with attackers
based in the Middle East. [5] But the group has also used Poison Ivy
(PIVY), a RAT more commonly associated with threat actors in China [6]
— so much so that PIVY has, inaccurately, become synonymous with all
APT attacks linked to China.

This blog post analyzes several recent Molerats attacks that
deployed PIVY against targets in the Middle East and in the U.S. We
also examine additional PIVY attacks that leverage Arabic-language
content related to the ongoing crisis in Egypt and the wider Middle
East to lure targets into opening malicious files. [7]

Enter Poison Ivy

We observed several attacks in June and July 2013 against targets in
the Middle East and the U.S. that dropped a PIVY payload that
connected to command-and-control (CnC) infrastructure used by the
Molerats attackers.

[Figure 1]

The malware sample we analyzed was unusual for two reasons:

  • It referenced an article that was published last year
  • The compile time for the dropped binary was also dated from last
    year, seemingly consistent with the referenced article. But this
    malware was signed, and — in contrast to the compile time, which can
    be faked — the signing time on its certificate was much more recent:
    Monday, July 08, 2013 1:45:10 A.M.

Here are the file details:

Hamas shoot down Israeli F-16 fighter jet by modern weapon in Gaza sea.doc- – – – – – – – – – – -.scr

MD5: 7084f3a2d63a16a191b7fcb2b19f0e0d
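
The two anomalies described above (a document-looking name padded with dashes to hide a .scr extension, and a signature applied long after the claimed compile time) can be checked mechanically. This is an added triage example, not FireEye's code; the file name and signing time are quoted from the post, while the compile time is an assumed "last year" value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample record: file name and signing time are quoted from the
# post; the compile time is an assumed "last year" value, not the real stamp.
SAMPLE = {
    "name": ("Hamas shoot down Israeli F-16 fighter jet by modern weapon "
             "in Gaza sea.doc- – – – – – – – – – – -.scr"),
    "compile_time": datetime(2012, 11, 5, 10, 0, 0),  # assumed
    "sign_time": datetime(2013, 7, 8, 1, 45, 10),     # from the certificate
}

EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js", "hta"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
# Characters used to pad a name so the real extension scrolls out of view.
PADDING = re.compile(r"[\s\-\u2010-\u2015_.]+$")


def masquerade_extension(name):
    """Return (shown_ext, real_ext) when a document-looking name actually ends
    in an executable extension, possibly after a padding run; else None."""
    real = name.rsplit(".", 1)[-1].lower()
    if real not in EXECUTABLE_EXTS:
        return None
    head = PADDING.sub("", name[: -(len(real) + 1)])
    m = re.search(r"\.([A-Za-z0-9]{1,5})$", head)
    if m and m.group(1).lower() in DOCUMENT_EXTS:
        return (m.group(1).lower(), real)
    return None


def signing_gap(compile_time, sign_time, max_gap=timedelta(days=30)):
    """Return the gap when the signature postdates the claimed compile time by
    more than max_gap; the post treats the compile stamp as easily faked and
    the signing time as the more reliable recent marker."""
    gap = sign_time - compile_time
    return gap if gap > max_gap else None


def triage(sample):
    """Collect the two anomalies the post calls out for this sample."""
    findings = []
    ext = masquerade_extension(sample["name"])
    if ext:
        findings.append("extension masquerade: shows .%s, runs as .%s" % ext)
    gap = signing_gap(sample["compile_time"], sample["sign_time"])
    if gap:
        findings.append("signed %d days after claimed compile time" % gap.days)
    return findings
```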


This malware was signed with a forged Microsoft certificate similar
to previous XtremeRat samples. But the serial number (which is often
reused by attackers, enabling FireEye researchers to link individual
attacks, including those by the Molerats) is different this time.

[Figure 2]

The malware dropped an instance of PIVY with the following configuration:


ID: F16 08-07-2013

Group:

DNS/Port: Direct: toornt.servegame.com:443,

Proxy DNS/Port:

Proxy Hijack: No

ActiveX Startup Key:

HKLM Startup Entry:

File Name:

Install Path: C:\Documents and Settings\Admin\Local Settings\Temp\morse.exe

Keylog Path: C:\Documents and Settings\Admin\Local Settings\Temp\morse

Inject: No

Process Mutex: gdfgdfgdg

Key Logger Mutex:

ActiveX Startup: No

HKLM Startup: No

Copy To: No

Melt: No

Persistence: No

Keylogger: No

Password: !@#GooD#@!


We collected additional PIVY samples that had the same password or
linked to CnC infrastructure at a common IP address (or both). We
observed three PIVY passwords (another potential identifier) used in
the attacks: “!@#GooD#@!”, “!@#Goood#@!” and “admin100”.

Additional Samples with Middle Eastern Themes

We also found a PIVY sample used by this group that leveraged what
are known as key files instead of passwords. The PIVY builder allows
operators to load .pik files containing a key to secure communications
between the compromised computer and the attacker’s machine. By
default, PIVY secures these communications with the ASCII text
password “admin” — when the same non-default password
appears in multiple attacks, researchers can conclude that the attacks
are related.

The PIVY sample in question had an MD5 hash of
9dff139bbbe476770294fb86f4e156ac and communicated with a CnC server at
toornt.servegame.com over port 443. The key file used to secure
communications contained the following ASCII string ‘Password (256
bits):\x0d\x0aA9612889F6’ (where \x0d\x0a represents a line break).

[Figure 3]

The 9dff139bbbe476770294fb86f4e156ac sample dropped a decoy document
in Arabic that included a transcript of an interview with Salam
Fayyad, the former Prime Minister of the Palestinian National Authority.

The sample 16346b95e6deef9da7fe796c31b9dec4 was also seen
communicating with toornt.servegame.com over port 443. This sample
appears to have been delivered to its targets via a link to a RAR
archive labeled Ramadan.rar (fc554a0ad7cf9d4f47ec4f297dbde375)
hosted at the Dropbox file-sharing website.

[Figure 4]

The sample a8714aac274a18f1724d9702d40030bf dropped a decoy document
in Arabic that contained a biography of General Abdel Fattah el-Sisi –
the Commander-in-Chief of the Egyptian Armed Forces.

[Figure 5]

A recent sample (d9a7c4a100cfefef995785f707be895c) used protests in
Egypt to entice recipients to open a malicious file.

[Figure 6]

Another sample (b0a9abc76a2b4335074a13939c59bfc9) contained a decoy
with a grim picture of Fadel Al Radfani, who was the adviser to the
defense minister of Yemen before he was assassinated.

Although we are seeing Egyptian- and Middle Eastern-themed attacks
using decoy content in Arabic, we cannot determine the intended
targets of all of these attacks.

Delivery Vector

We believe that the Molerats attacker uses spear phishing to deliver
weaponized RAR files containing their malicious payloads to their
victims in at least two different ways. The Molerats actor will in
some cases attach the weaponized RAR file directly to their
spear-phishing emails. We also believe that this actor sends spear-phishing
emails that include links to RAR files hosted on third-party platforms
such as Dropbox.

In one such example we found the following link was used to host
Ramadan.rar (fc554a0ad7cf9d4f47ec4f297dbde375):

hxxps://dl[.]dropboxusercontent[.]com/s/uiod7orcpykx2g8/Ramadan.rar?token_hash=AAHAVuiXpTkOKwar9e0WH-EfrK7PEB9O7t7WC6Tgtn315w&dl=1

CnC Infrastructure

We have found 15 PIVY samples that can be linked through common
passwords, common CnC domain names, and common IP addresses to which
the CnC domains resolve. The CnC servers for this cluster of activity are:

  • toornt.servegame.com
  • updateo.servegame.com
  • egypttv.sytes.net
  • skype.servemp3.com
  • natco2.no-ip.net

Two of the domain names (natco2.no-ip.net and skype.servemp3.com)
that were used as CnCs for PIVY were both documented as XtremeRat
CnCs that were used in previous attacks. [8]
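
The linking logic described in the two passages above (shared non-default PIVY passwords earlier, and shared CnC domains or shared resolved IPs here) is a connected-components problem. This is an added example, not FireEye's tooling: the real hashes appear only where the post itself ties them to toornt.servegame.com, the "sample-*" ids, the unrelated domain and its IP are placeholders, and the passwords, domains and IPs otherwise come from the post.

```python
from collections import defaultdict

# Constructed records (hash or placeholder id, PIVY password, CnC domain).
SAMPLES = [
    ("7084f3a2d63a16a191b7fcb2b19f0e0d", "!@#GooD#@!", "toornt.servegame.com"),
    ("9dff139bbbe476770294fb86f4e156ac", None, "toornt.servegame.com"),
    ("16346b95e6deef9da7fe796c31b9dec4", None, "toornt.servegame.com"),
    ("sample-A", "!@#Goood#@!", "updateo.servegame.com"),
    ("sample-B", "!@#Goood#@!", "egypttv.sytes.net"),
    ("sample-C", "admin100", "natco2.no-ip.net"),
    ("sample-D", "admin", "unrelated.invalid"),  # placeholder, unrelated
]
PDNS = {  # domain -> IPs it resolved to (from the resolution table below)
    "toornt.servegame.com": {"209.200.39.48", "173.225.126.166"},
    "natco2.no-ip.net": {"209.200.39.48", "173.225.126.166"},
    "egypttv.sytes.net": {"173.225.126.179"},
    "unrelated.invalid": {"198.51.100.7"},  # placeholder IP
}
DEFAULT_PASSWORDS = {"admin"}  # PIVY's default: sharing it links nothing


def cluster(samples, pdns):
    """Connected components over samples joined by a shared non-default
    password, a shared CnC domain, or CnC domains resolving to a shared IP."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for sid, password, domain in samples:
        find(sid)
        if password and password not in DEFAULT_PASSWORDS:
            union(sid, "pw:" + password)
        union(sid, "dom:" + domain)
        for ip in pdns.get(domain, ()):
            union("dom:" + domain, "ip:" + ip)
    groups = defaultdict(list)
    for sid, _, _ in samples:
        groups[find(sid)].append(sid)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
```

With the constructed data the "!@#Goood#@!" pair stays a separate cluster because nothing ties its domains to the toornt.servegame.com address space, which is the check an analyst wants before merging clusters on a password alone.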

[Figure 7]

We focused on these domains and their IP addresses — which they had
in common with toornt.servegame.com. In addition, we added the
well-known CnCs good.zapto.org and hint.zapto.org used in previously
documented attacks.

By observing changes in DNS resolution that occurred within the same
timeframe, we were able to ensure that the passive DNS data we
collected was the same. Interestingly, we also found that the domains
often shifted to a new IP address over time.

CnC                      Date                  IP

toornt.servegame.com     2013-07-10 22:06:56   209.200.39.48
natco2.no-ip.net         2013-07-10 22:05:31   209.200.39.48
skype.servemp3.com       2013-07-10 23:45:46   209.200.39.48
good.zapto.org           2013-07-10 23:48:41   209.200.39.48
hint.zapto.org           2013-07-10 23:48:41   209.200.39.48

toornt.servegame.com     2013-07-16 09:14:30   209.200.39.88
natco2.no-ip.net         2013-07-16 11:33:21   209.200.39.88
skype.servemp3.com       2013-07-16 12:47:59   209.200.39.88
good.zapto.org           2013-07-16 12:50:51   209.200.39.88
hint.zapto.org           2013-07-16 12:50:51   209.200.39.88

toornt.servegame.com     2013-07-21 15:00:38   173.225.126.166
natco2.no-ip.net         2013-07-21 15:28:43   173.225.126.166
hint.zapto.org           2013-07-21 16:31:07   173.225.126.166

toornt.servegame.com     2013-07-21 22:06:19   173.225.126.103
natco2.no-ip.net         2013-07-21 22:04:49   173.225.126.103

toornt.servegame.com     2013-07-29 15:38:21   209.200.39.220
natco2.no-ip.net         2013-07-29 15:35:52   209.200.39.220
skype.servemp3.com       2013-07-29 16:46:35   209.200.39.220
good.zapto.org           2013-07-29 16:49:27   209.200.39.220
hint.zapto.org           2013-07-29 16:49:27   209.200.39.220

natco2.no-ip.net         2013-07-10 22:05:31   209.200.39.48
good.zapto.org           2013-07-10 22:06:35   209.200.39.48
hint.zapto.org           2013-07-10 22:06:37   209.200.39.48
toornt.servegame.com     2013-07-10 22:06:56   209.200.39.48
omagle.serveblog.net     2013-07-10 22:19:03   209.200.39.48
skype.servemp3.com       2013-07-10 22:19:31   209.200.39.48

egypttv.sytes.net        2013-08-10 14:07:38   173.225.126.179
toornt.servegame.com     2013-08-10 14:08:43   173.225.126.179
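
The passive DNS table above shows domains moving to new IP addresses together, which is the pattern that lets an analyst treat them as one operator's infrastructure. The following is an added example, not FireEye's code, that rebuilds each domain's IP history and lists domain pairs seen on two or more common IPs; the rows are a constructed subset of the table.

```python
from collections import defaultdict
from datetime import datetime

# Constructed subset of the resolution table: (domain, first seen, IP).
PDNS_ROWS = [
    ("toornt.servegame.com", "2013-07-10 22:06:56", "209.200.39.48"),
    ("natco2.no-ip.net",     "2013-07-10 22:05:31", "209.200.39.48"),
    ("skype.servemp3.com",   "2013-07-10 23:45:46", "209.200.39.48"),
    ("good.zapto.org",       "2013-07-10 23:48:41", "209.200.39.48"),
    ("hint.zapto.org",       "2013-07-10 23:48:41", "209.200.39.48"),
    ("toornt.servegame.com", "2013-07-16 09:14:30", "209.200.39.88"),
    ("natco2.no-ip.net",     "2013-07-16 11:33:21", "209.200.39.88"),
    ("skype.servemp3.com",   "2013-07-16 12:47:59", "209.200.39.88"),
    ("good.zapto.org",       "2013-07-16 12:50:51", "209.200.39.88"),
    ("hint.zapto.org",       "2013-07-16 12:50:51", "209.200.39.88"),
    ("toornt.servegame.com", "2013-07-21 15:00:38", "173.225.126.166"),
    ("natco2.no-ip.net",     "2013-07-21 15:28:43", "173.225.126.166"),
    ("hint.zapto.org",       "2013-07-21 16:31:07", "173.225.126.166"),
    ("egypttv.sytes.net",    "2013-08-10 14:07:38", "173.225.126.179"),
    ("toornt.servegame.com", "2013-08-10 14:08:43", "173.225.126.179"),
]


def _ts(row):
    return datetime.strptime(row[1], "%Y-%m-%d %H:%M:%S")


def ip_history(rows):
    """domain -> chronological list of the distinct IPs it resolved to."""
    hist = defaultdict(list)
    for dom, _, ip in sorted(rows, key=_ts):
        if not hist[dom] or hist[dom][-1] != ip:
            hist[dom].append(ip)
    return dict(hist)


def co_moving(rows, min_shared=2):
    """Domain pairs that shared at least min_shared distinct IPs, i.e. that
    moved together through the hoster's address space rather than meeting
    on one IP by chance. Returns {(a, b): sorted shared IPs}."""
    by_ip = defaultdict(set)
    for dom, _, ip in rows:
        by_ip[ip].add(dom)
    shared = defaultdict(set)
    for ip, doms in by_ip.items():
        for a in doms:
            for b in doms:
                if a < b:
                    shared[(a, b)].add(ip)
    return {p: sorted(ips) for p, ips in shared.items() if len(ips) >= min_shared}
```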

One interesting discovery concerns a sample
(5b740b4623b2d1049c0036a6aae684b0) that was first seen by VirusTotal
on September 14, 2012. This date is within the timeframe of the
original XtremeRat attacks, but the payload in this case was PIVY.
This indicates that the attackers have been using PIVY in addition to
XtremeRat for longer than we had originally believed.

Conclusion

We do not know whether using PIVY is an attempt by those behind the
Molerats campaign to frame China-based threat actors for their attacks
or simply evidence that they have added another effective,
publicly available RAT to their arsenal. But this development should
raise a warning flag for anyone tempted to automatically attribute all
PIVY attacks to threat actors based in China. The ubiquity of
off-the-shelf RATs makes determining those responsible an increasing challenge.

The ongoing attacks are also heavily leveraging content in Arabic
that uses conflicts in Egypt and the wider Middle East to lure targets
into opening malicious files. But we have no further information about
the exact targets of these Arabic lures.

As events on the ground in the Middle East — and in Egypt in
particular — receive international attention, we expect the Molerats
operators to continue leveraging these headlines to catalyze their operations.

Notes

1. http://www.timesofisrael.com/how-israel-police-computers-were-hacked-the-inside-story/
   http://www.haaretz.com/blogs/diplomania/israel-s-foreign-ministry-targeted-by-computer-virus-bearing-idf-chief-s-name.premium-1.472278

2. http://download01.norman.no/whitepapers/Cyberattack_against_Israeli_and_Palestinian_targets.pdf

3. http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/

4. http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/

5. http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/

6. /content/dam/legacy/resources/pdfs/fireeye-poison-ivy-report.pdf

7. The Molerats group also uses additional RATs such as XtremeRat,
Cerberus and Cybergate, but we have focused on their use of PIVY in this blog.

8. http://download01.norman.no/whitepapers/Cyberattack_against_Israeli_and_Palestinian_targets.pdf

Yara Signature

This Yara signature can be used to locate signed samples that have
the new certificate serial numbers used by Molerats.

rule Molerats_certs
{
    meta:
        author = "FireEye Labs"
        description = "this rule detects code signed with certificates used by the Molerats actor"

    strings:
        // raw bytes of the certificate serial numbers seen on signed Molerats samples
        $cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}
        $cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}
        $cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}

    condition:
        // any one serial number anywhere in the file is enough to match
        1 of ($cert*)
}
