IT threat evolution Q1 2020 – 10 minute mail

Targeted attacks and malware campaigns

Operation AppleJeus: the sequel

In 2018, we published a report on Operation AppleJeus, one of the more notable campaigns of the threat actor Lazarus, currently one of the most active and prolific APT groups. One notable feature of this campaign was that it marked the first time Lazarus had targeted macOS targets, with the group inventing a fake company in order to deliver its manipulated application and exploit the high level of trust among potential victims.

Our follow-up research revealed significant changes to the group’s attack methodology. To attack macOS victims, Lazarus has developed homemade macOS malware and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows victims, the group has elaborated a multi-stage infection procedure and made significant changes to the final payload. We believe Lazarus has been more careful in its attacks since the release of Operation AppleJeus and has employed a number of methods to avoid detection.

We identified several victims as part of our ongoing research, in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency business organizations.

Roaming Mantis turns to SMiShing and enhances anti-researcher techniques

Kaspersky continues to track the Roaming Mantis campaign. This threat actor was first reported in 2017, when it used SMS to distribute its malware to Android devices in just one country – South Korea. Since then, the scope of the group’s activities has widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes cryptocurrency mining for PCs in its arsenal.

Roaming Mantis is strongly motivated by financial gain and is continuously looking for new targets. The group has also put a lot of effort into evading tracking by researchers, including implementing obfuscation techniques and using whitelisting to avoid infecting researchers who navigate to the malicious landing page. While the group is currently applying whitelisting only to Korean pages, we think it is only a matter of time before Roaming Mantis implements this for other languages.

Roaming Mantis has also added new malware families, including Fakecop and Wroba.j. The actor is still very active in using ‘SMiShing‘ for Android malware distribution. This is particularly alarming, because it means that the attackers could combine infected mobile devices into a botnet for malware delivery, SMiShing, and so on. In one of the more recent methods used by the group, a downloaded malicious APK file contains an icon that impersonates a major courier company brand: the spoofed brand icon is customized for the country it targets – for example, Sagawa Express for Japan, Yamato Transport and FedEx for Taiwan, CJ Logistics for South Korea and Econt Express for Russia.

WildPressure on industrial networks in the Middle East

In March, we reported a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. We detected the first signs of this operation, which we have dubbed WildPressure, in August 2019; and the campaign remains active.

The Milum samples that we have seen so far do not share any code similarities with any known APT campaigns. All of them allow the attackers to control infected devices remotely: letting them download and execute commands, collect information from the compromised computer and send it to the C2 server and install upgrades to the malware.

Attacks on industrial targets can be particularly devastating. So far, we haven’t seen evidence that the threat actor behind WildPressure is trying to do anything beyond gathering data from infected networks. However, the campaign is still in development, so we don’t yet know what other functionality might be added.

To avoid becoming a victim of this and other targeted attacks, organizations should do the following.

  • Update all software regularly, especially when a new patch becomes available.
  • Deploy a security solution with a proven track record, such as Kaspersky Endpoint Security, that is equipped with behavior-based protection against known and unknown threats, including exploits.
  • On top of endpoint protection, implement a corporate-grade security solution designed to detect advanced threats against the network, such as Kaspersky Anti Targeted Attack Platform.
  • Ensure staff understand social engineering and other methods used by attackers and develop a security culture within in the organization.
  • Provide your security team with access to comprehensive cyberthreat intelligence, such as Kaspersky APT Intelligence Reporting.

TwoSail Junk

On January 10, we discovered a watering-hole attack that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. Judging by the content of the landing page, the site appears to have been designed to target users in Hong Kong.

Since then, we have released two private reports on LightSpy, available to customers of Kaspersky Intelligence Reporting (please contact [email protected] for further information).

We are temporarily calling the APT group behind this implant TwoSail Junk. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. We are also working with fellow researchers to tie LightSpy to prior activity from a well-established Chinese-speaking APT group, previously reported (here and here) as Spring Dragon (aka Lotus Blossom and Billburg(Thrip)), known for its Lotus Elise and Evora backdoors.

As this LightSpy activity was disclosed publicly by fellow researchers from Trend Micro, we wanted to contribute missing information to the story without duplicating content. In addition, in our quest to secure technologies for a better future, we have reported this malware and activity to Apple and other relevant companies.

Our report includes information about the Android implant, including its deployment, spread and support infrastructure.

A sprinkling of Holy Water in Asia

In December, we discovered watering-hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings.

This campaign, which has been active since at least May 2019, targets an Asian religious and ethnic group. The threat actor’s unsophisticated but creative toolset, which has evolved greatly and may still be in development, makes use of Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language and Google Drive-based C2 channels.

The threat actor’s operational target is unclear because we haven’t been able to observe many live operations. We have also been unable to identify any overlap with known APT groups.

Threat hunting with Bitscout

In February, Vitaly Kamluk, from the Global Research and Analysis Team at Kaspersky, reported on a new version of Bitscout, based on the upcoming release of Ubuntu 20.04 (scheduled for release in April 2020).

Bitscout is a remote digital forensics tool that we open-sourced about two and a half years ago, when Vitaly was located in the Digital Forensics Lab at INTERPOL. Bitscout has helped us in many cyber-investigations. Based on the widely popular Ubuntu Linux distribution, it incorporates forensics and malware analysis tools created by a large number of excellent developers around the world.

Here’s a summary of the approach we use in Bitscout

  • Bitscout is completely FREE, thereby reducing your forensics budget.
  • It is designed to work remotely, saving time and money that would otherwise be spent on travel. Of course, you can use the same techniques locally.
  • The true value lies not in the toolkit itself, but in the power of all the forensic tools that are included.
  • There’s a steep learning curve involved in mastering Bitscout, which ultimately reinforces the technical foundations of your experts.
  • Bitscout records remote forensics sessions internally, making it perfect for replaying and learning from more experienced practitioners or using as evidential proof of discovery.
  • It is fully open source, so you don’t need to wait for the vendor to implement a patch or feature for you: you are free to reverse-engineer and modify any part of it.

We have launched a project website, bitscout-forensics.info, as the go-to destination for those looking for tips and tricks on remote forensics using Bitscout.

Hunting APTs with YARA

In recent years, we have shared our knowledge and experience of using YARA as a threat hunting tool, mainly through our training course, ‘Hunting APTs with YARA like a GReAT ninja’, delivered during our Security Analyst Summit. However, the COVID-19 pandemic has forced us to postpone the forthcoming SAS.

Meanwhile, we have received many requests to make our YARA hands-on training available to more people. This is something we are working on and hope to be able to provide soon as an online training experience. Look out for updates on this by following us on Twitter – @craiu, @kaspersky.

With so many people working from home, and spending even more time online, it is also likely the number of threats and attacks will increase. Therefore, we decided to share some of the YARA experience we have accumulated in recent years, in the hope that all of you will find it useful for keeping threats at bay.

If you weren’t able to join the live presentation, on March 31, you can find the recording here.

We track the activities of hundreds of APT threat actors and regularly highlight the more interesting findings here. However, if you want to know more, please reach out to us at [email protected]

Other security news

Shlayer Trojan attacks macOS users

Although many people consider macOS to be safe, there are cybercriminals who seek to exploit those who use this operating system. One malicious program stands out – the Shlayer Trojan. In 2019, Kaspersky macOS products blocked this Trojan on every tenth device, making this the most widespread threat to people who use macOS.

Shlayer is a smart malware distribution system that spreads via a partner network, entertainment websites and even Wikipedia. This Trojan specializes in the installation of adware – programs that feed victims illicit ads, intercepting and gathering their browser queries and modifying search results to distribute even more advertising messages.

Shlayer accounted for almost one-third of all attacks on macOS devices registered by Kaspersky products between January and November last year – and nearly all other top 10 macOS threats were adware programs that Shlayer installs.

The infection starts with an unwitting victim downloading the malicious program. The criminals behind Shlayer set up a malware distribution system with a number of channels leading their victims to download the malware. Shlayer is offered as a way to monetize websites in a number of file partner programs, with relatively high payment for each malware installation made by users in the US, prompting over 1,000 ‘partner sites’ to distribute Shlayer. This scheme works as follows: a user looks for a TV series episode or a football match, and advertising landing pages redirect them to fake Flash Player update pages. From here, the victim downloads the malware; and for each installation, the partner who distributed links to the malware receives a pay-per-install payment.

Other schemes that we saw led to a fake Adobe Flash update page that redirected victims from various large online services with multi-million audiences, including YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in article references. People that clicked on these links would also be redirected to the Shlayer download landing pages. Kaspersky researchers found 700 domains containing malicious content, with links to them on a variety of legitimate websites.

Almost all the websites that led to a fake Flash Player contained content in English. This corresponds to the countries where we have seen most infections – the US (31%), Germany (14%), France (10%) and the UK (10%).

Blast from the past

Although many people still use the term “virus” to mean any malicious program, it actually refers specifically to self-replicating code, i.e., malicious code that copies itself from file to file on the same computer. Viruses, which used to dominate the threat landscape, are now rare. However, there are some interesting exceptions to this trend and we came across one recently – the first real virus we’ve seen in the wild for some time.

The virus, called KBOT, infects the victim’s computer via the internet, a local network, or infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. KBOT can also download additional stealer modules that harvest and send to the Command-and-Control (C2) server comprehensive information about the victim, including passwords/logins, crypto-wallet data, lists of files and installed applications, and so on. The malware stores all its files and stolen data in a virtual file system, encrypted using the RC6 algorithm, making it hard to detect.

Cybercriminals exploiting fears about data breaches

Phishers are always on the lookout for hot topics that they can use to hook their victims, including sport, politics, romance, shopping, banking, natural disasters and anything else that might entice someone into clicking on a link or malicious file attachment.

Recently, cybercriminals have exploited the theme of data leaks to try to defraud people. Data breaches, and the fines imposed for failing to safeguard data, are now a staple feature of the news. The scammers posed as an organization called the “Personal Data Protection Fund” and claim that the “US Trading Commission” had set up a fund to compensate people whose personal data had been exposed.

However, in order to get the compensation, the victims are asked to provide a social security number. The scammers offer to sell a temporary SSN to those who don’t have one.

Even if the potential victim enters a valid SSN, they are still directed to a page asking them to purchase a temporary SSN.

You can read the full story here.

… and coronavirus

The bigger the hook, the bigger the pool of potential victims. So it’s no surprise that cybercriminals are exploiting the COVID-19 pandemic. We have found malicious PDF, MP4 and DOCX files disguised as information about the coronavirus. The names of the files suggest they contain video instructions on how to protect yourself, updates on the threat and even virus detection procedures. In fact, these files are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of the computer.

The cybercriminals behind the Ginp banking Trojan recently developed a new campaign related to COVID-19. After receiving a special command, the Trojan opens a web page called Coronavirus Finder. This provides a simple interface that claims to show the number of people nearby who are infected with the virus and asks you to pay a small sum to see their location.

The Trojan then provides a payment form.

Then … nothing else happens – apart from the criminals taking your money. Data from the Kaspersky Security Network suggests that most users who have encountered Ginp are located in Spain. However, this is a new version of Ginp that is tagged “flash-2”, while previous versions were tagged “flash-es12”. So perhaps the lack of “es” in the tag of the newer version means the cybercriminals are planning to expand their campaign beyond Spain.

We have also seen a number of phishing scams where cybercriminals pose as bona fide organizations to trick people into clicking on links to fake sites where the scammers capture their personal information, or even ask them to donate money.

If you’ve ever wanted to know why it’s so easy for phishers to create spoof emails, and what efforts have been made to make it harder for them, you can find a good overview of the problems and potential solutions here.

Cybercriminals are also taking the opportunity to attack the information infrastructure of medical facilities, clearly hoping that the overload on IT services will provide them with an opportunity to break into hospital networks, or are attempting to extort money from clinical research companies. In an effort to ensure that IT security isn’t something that medical teams have to worry about, we’re offering medical institutions free six-month licenses for our core solutions.

In February, we reported an unusual malware campaign in which cybercriminals were spreading the AZORult Trojan as a fake installer for ProtonVPN.

The aim of the campaign is to steal personal information and crypto-currency from the victims.

The attackers created a spoof copy a VPN service’s website, which looks like the original but has a different domain name. The criminals spread links to the domain through advertisements using different banner networks – a practice known as malvertizing. When someone visits a phishing website, they are prompted to download a free VPN installer for Windows. Once launched, this drops a copy of the AZORult botnet implant. This collects the infected device’s environment information and reports it to the server. Finally, the attackers steal crypto-currency from locally available wallets (Electrum, Bitcoin, Etherium and others), FTP logins, and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials from WinSCP, Pidgin messenger and others.

AZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities. The Trojan is able to harvest a good deal of data, including browser history, login credentials, cookies, files and crypto-wallet files; and can also be used as a loader to download other malware.

Distributing malware under the guise of security certificates

Distributing malware under the guise of legitimate software updates is not new. Typically, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach: visitors to infected sites were informed that some kind of security certificate had expired.

They were offered an update that infected them with malware – specifically the Buerak downloader and Mokes backdoor.

We detected the infection on variously themed websites – from a zoo to a store selling auto parts. The earliest infections that we found date back to January 16.

Mobile malware sending offensive messages

We have seen many mobile malware apps re-invent themselves, adding new layers of functionality over time. The Faketoken Trojan offers a good example of this. Over the last six years, it has developed from an app designed to capture one-time passcodes, to a fully-fledged mobile banking Trojan, to ransomware. By 2017, Faketoken was able to mimic many different apps, including mobile banking apps, e-wallets, taxi service apps and apps used to pay fines and penalties – all in order to steal bank account data.

Recently, we observed 5,000 Android smartphones infected by Faketoken sending offensive text messages. SMS capability is a standard feature of many mobile malware apps, many of which spread by sending links to their victims’ contacts; and banking Trojans typically try to make themselves the default SMS application, in order to intercept one-time passcodes. However, we had not seen one become a mass texting tool.

The messages sent by Faketoken are charged to the owner of the device; and since many of the infected smartphones we saw were texting a foreign number, the cost was quite high. Before sending any messages, the Trojan checks to see if there are sufficient funds in the victim’s bank account. If there are, Faketoken tops up the mobile account sending any messages.

We don’t yet know whether this is a one-off campaign or the start of a trend. To avoid becoming a victim of Faketoken, download apps only from Google Play, disable the downloading of apps from other sources, don’t follow links from messages and protect your device with a reputable mobile security product.

The use and abuse of the Android AccessibilityService

In January, we reported that cybercriminals were using malware to boost the rating of specific apps, to increase the number of installations.

The Shopper.a Trojan also displays advertising messages on infected devices, creates shortcuts to advertising sites and more.

The Trojan opens Google Play (or other app store), installs several programs and writes fake user reviews about them. To prevent the victim noticing, the Trojan conceals the installation window behind an ‘invisible’ window. Shopper.a gives itself the necessary permissions using the Android AccessibilityService. This service is intended to help people with disabilities use a smartphone, but if a malicious app obtains permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps – including intercepting data displayed on the screen, clicking buttons and emulating user gestures.

Shopper.a was most widespread in Russia, Brazil and India.

You should be wary if an app requests access to the AccessibilityService but doesn’t need it. Even if the only danger posed by such apps comes from automatically written reviews, there is no guarantee that its creators will not change the payload later.

Everyone loves cookies – including cybercriminals

We recently discovered a new malicious Android Trojan, dubbed Cookiethief, designed to acquire root permissions on the victim’s device and transfer cookies used by the browser and the Facebook app to the cybercriminals’ C2 server. Using the stolen cookies, the criminals can gain access to the unique session IDs that websites and online services use to identify someone, thereby allowing the criminals to assume someone’s identity and gain access to online accounts without the need for a login and password.

On the C2 server, we found a page advertising services for distributing spam on social networks and messengers, which we think is the underlying motive in stealing cookies.

From the C2 server addresses and encryption keys used, we were able to link Cookiethief to widespread Trojans such as Sivu, Triada, and Ztorg. Usually, such malware is either planted in the device firmware before purchase, or it gets into system folders through vulnerabilities in the operating system and then downloads various applications onto the system.

Stalkerware: no place to hide

We recently discovered a new sample of stalkerware – commercial software typically used by those who want to monitor a partner, colleague or others – that contains functionality beyond anything we have seen before. You can find more information on stalkerware here and here.

MonitorMinor, goes beyond other stalkerware programs. Primitive stalkerware uses geo-fencing technology, enabling the operator to track the victim’s location, and in most cases intercept SMS and call data. MonitorMinor goes a few steps further: recognizing the importance of messengers as a means of data collection, this app aims to get access to data from all the popular modern communication tools.

Normally, the Android sandbox prevents direct communication between apps. However, if a superuser app has been installed, which grants root access to the system, it overrides the security mechanisms of the device. The developers of MonitorMinor use this to enable full access to data on a variety of popular social media and messaging applications, including Hangouts, Instagram, Skype and Snapchat. They also use root privileges to access screen unlock patterns, enabling the stalkerware operator to unlock the device when it is nearby or when they next have physical access to the device. Kaspersky has not previously seen this feature in any other mobile threat.

Even without root access, the stalkerware can operate effectively by abusing the AccessibilityService API, which is designed to make devices friendly for users with disabilities. Using this API, the stalkerware is able to intercept any events in the applications and broadcast live audio.

Our telemetry indicates that the countries with the largest share of installations of MonitorMinor are India, Mexico, Germany, Saudi Arabia and the UK.

We recommend the following tips to reduce the risk of falling victim to a stalker:

  • Block the installation of apps from unknown sources in your smartphone settings.
  • Never disclose the password or passcode to your mobile device, even with someone you trust.
  • If you are ending a relationship, change security settings on your mobile device, such as passwords and app location access settings.
  • Keep a check on the apps installed on your device, to see if any suspicious apps have been installed without your consent
  • Use a reliable security solution that notifies you about the presence of commercial spyware programs aimed at invading your privacy, such as Kaspersky Internet Security.
  • If you think you are being stalked, reach out to a professional organization for advice.
  • For further guidance, contact the Coalition against Stalkerware
  • There are resources that can assist victims of domestic violence, dating violence, stalking and sexual violence. If you need further help, please contact the Coalition against Stalkerware.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Holy water: ongoing targeted water-holing attack in Asia – 10 minute mail

On December 4, 2019, we discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. This campaign has been active since at least May 2019, and targets an Asian religious and ethnic group.

The threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be in development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language, as well as Google Drive-based C2 channels.

The threat actor’s operational target is not clear because, unfortunately, we haven’t been able to observe many live operations, and we couldn’t identify any overlap with known intrusion sets.

Thou shalt update plugins: attack synopsis

The watering holes have been set-up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. At the time of writing, some of these websites (all hosted on the same server) are still compromised, and continue to direct selected visitors to malicious payloads:

Domain Description
*****corps.org Voluntary service program
*****ct.org Religious personality’s charity
*****policy.net Policy institute
*****che.com Religious personality
*****parliament.org Public body
*****ialwork.org Charity
*****nature.net Environmental conservation network
*****airtrade.com Fair trade organization

Upon visiting one of the watering hole websites, a previously compromised but legitimately embedded resource will load a malicious JavaScript. It’s hosted by one of the water-holed websites, and gathers information on the visitor. An external server (see Fig. 1) then ascertains whether the visitor is a target.

Fig. 1. Target validation service request.

If the visitor is validated as a target, the first JavaScript stage will load a second one, which in turn will trigger the drive-by download attack, showing a fake update pop-up (see Fig. 2).

Fig. 2. Warning generated by the second payload.

The visitor is then expected to fall into the update trap, and download a malicious installer package that will set up a backdoor.

For nothing is hidden that will not come to light: technical analysis

1st JavaScript stage

The first JavaScript stage is named (script|jquery)-css.js, and is obfuscated with the Chinese-language web service Sojson, version 4 (see Fig. 3).

Fig. 3. Sojson v4 JavaScript obfuscated one-liner.

The payload leverages the RTCPeerConnection API and ipify service to fingerprint visitors. The gathered data is sent to loginwebmailnic.dynssl[.]com through HTTP GET requests, in order to validate the visitor as a target:

https://loginwebmailnic.dynssl[.]com/all/content.php?jsoncallback=&lanip=&wanip=&urlpath=&_=

The JSON-formatted response, whose only key is “result”, can either be “t” or “f” (true or false). If the value is “f”, then nothing happens, while “t” will trigger the second JavaScript stage (see Fig. 4).

Fig. 4. First stage deobfuscated validation logic.

In a previous version of this first JavaScript script, an additional JavaScript payload was unconditionally loaded during the first stage, and proceeded with another branch of visitor validation and the second stage.

This other branch loaded scripts from root20system20macosxdriver.serveusers[.]com, and leveraged https://loginwebmailnic.dynssl[.]com/part/mac/contentmc.php URL to validate targets. The host and validation page names suggest this other branch may have been specifically targeting MacOS users, but we were unable to confirm this hypothesis.

2nd JavaScript stage

The second JavaScript stage is named (script|jquery)-file.js, and is obfuscated with Sojson version 5 (see Fig. 5).

Fig. 5. Nerve-breaking one-line obfuscation.

The payload leverages jquery.fileDownload to show a modal pop-up to the target. It offers visitors an update to Flash Player. No technical vulnerabilities are exploited: the threat actor relies on the target’s willingness to keep their system up to date. The deobfuscated JavaScript payload (see Fig. 6) reveals that the malicious update is hosted on GitHub.

Fig. 6. Malicious update source in second JavaScript payload.

GitHub FlashUpdate repository

The pop-up links to a PE executable hosted on github[.]com/AdobeFlash32/FlashUpdate. GitHub disabled this repository on February 14 after we reported it to them. However, the repository has been online for more than nine months, and thanks to GitHub’s commit history (see Fig. 7), we gained a unique insight into the attacker’s activity and tools.

Fig. 7. GitHub’s AdobeFlash32 commit history.

Four executables were hosted in AdobeFlash32/FlashUpdate on the last day it was still available:

  • An installer package, embedding a decoy legitimate Flash update and a stager.
  • Godlike12, a Go backdoor that implements a Google Drive based C2 channel.
  • Two versions of the open-source Stitch Python backdoor that the threat actor modified to add functionalities (persistence, auto-update, decoy download and execution).

Digging into the repository for older commits, we also discovered a previous fake update toolset: a C installer bundling the legitimate Flash installer and a vanilla Stitch backdoor, as well as a C++ infostealer that collects information about host computers (OS version, IP address, hostname) and sends them over HTTP/S.

Installer package

MD5 9A819F2CE060058745FF5374221ADA7C
Compilation date 2017-Jul-24 06:35:22
File type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
File size 4420 KB
File names flashplayer32ppi_xa_install.exe

This malicious update package is a NSIS installer version 3 that will drop and execute two other binaries:

  • FlashUpdate.exe, D59B35489CB88619415D175953CA5400, a legitimate Windows Flash Player installer from January 15 that is used as a decoy to trick the user into believing they actually set up a Flash update. As modern Adobe Flash installers ‘phone home’ to check for their own validity, this one will fail nowadays with a message stating that the installer is outdated or renamed, and will direct the user to the Adobe website.
  • Intelsyc.exe, the malicious payload (described below).

The installer is detected by Kaspersky endpoint protection heuristics as HEUR:Trojan.Win32.Tasker.gen.

Intelsyc Go stager

MD5 6DC5F8282DF76F4045F75FEA3277DF41
Compilation date 1970-Jan-01 00:00:00
File type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size 5976 KB
File names flashplayer32ppi_xa_install.exe
C2 server adobeflash31_install.ddns[.]info
User Agent Go-http-client/1.1

The Go programmed Intelsyc implant is aimed at staging itself, downloading the Godlike12 backdoor (described below), and setting up persistence.

It will first retrieve /flash/sys.txt with HTTP GET on adobeflash31_install.ddns[.]info. The file contents may be used as a killswitch to stop any further deployment. If the content is “1” though, the implant will:

  • copy itself to C:/ProgramData/Intel/Intelsyc.exe;
  • establish persistence through schtasks [T1053] with a logon task named Intelsyc, run as system, and pointing to a previously created self copy;
  • download Godlike12 from github[.]com/AdobeFlash32/FlashUpdate, as C:ProgramDataAdobeflashdriver.exe;
  • establish Godlike12 persistence through a registry run key [T1060] named flashdriver in HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun, and pointing to a previously downloaded backdoor.

The stager is detected by Kaspersky endpoint protection heuristics as UDS:DangerousObject.Multi.Generic, and may be misidentified as the GoRansom Go ransomware proof of concept by other endpoint protection products.

Source files paths in the code suggest this backdoor may have been developed on a Windows system.

Godlike12 Go backdoor

MD5 BEC4482890A89F0184B463C727709D53
Compilation date 1970-Jan-01 00:00:00
File type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size 4436 KB
File names flashdriver.exe
C2 server Google Drive

This implant is written in Go language, and its C2 channel relies on file exchanges with a Google Drive space, through Google Drive’s HTTPS API v3. The implant probably leverages the gdrive Go source from GitHub, as it shares several identical code source paths with it.

Godlike12 is the name the threat actor gave to the Google Drive space connections from this implant. Source file paths in the code suggest this backdoor may have been developed on a GNU/Linux system. The not-so-common (less than 100 results in a popular search engine) /root/gowork GOPATH that some of this backdoor’s modules have been compiled from seems popular in Chinese-speaking communities, and may originate from a Chinese-authored tutorial on Go language.

Godlike12 first proceeds with host fingerprinting upon startup (hostname, IP address, MAC address, Windows version, current time). The result is encrypted, base64-encoded, stored in a text file at %TEMP%/[ID]-lk.txt, and uploaded to the remote Google Drive. The implant then regularly checks for a remote [ID]-cs.txt, that contains encrypted commands to execute, and stores encrypted command results in %TEMP%/[ID]-rf.txt to later upload them to the same Google Drive space. ID is the MD5 hash of the base64-encoded MAC address of the first connected network adapter, while TripleDES in ECB mode is used as an encryption algorithm. It is worth mentioning that once again, the encryption function seems to have been inspired from existing open-source code, which mainly appears popular in Chinese-language forums.

Godlike12 does not implement a persistence mechanism, as it is provided by the previous installer package. It is detected by Kaspersky endpoint protection heuristics as HEUR:Trojan.Win32.Generic.

With this implant being a month old at the time of writing (while being in use since at least October 2019), and other malicious update implants having been used before, it is possible that Godlike12-based operations were still a work in progress when we investigated them.

Modified Stitch Python backdoor

MD5 EC993FF561CBC175953502452BFA554A
Compilation date 2008-Nov-10 09:40:35
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size 7259 KB
File names flashplayer32_xa_pp_install.exe
flashplayer32pp_xa_install.exe
C2 server system0_update04driver_roots.dynamic-dns[.]net:443

This implant is a modified version of the open-source Python backdoor called Stitch, packed as a standalone PE executable with Py2exe.

Threat actors wrapped Stitch with custom Python code to perform additional operations:

  • It downloads a legitimate Adobe Flash installation program from the C2 server at startup;
  • It auto-updates the backdoor from ubntrooters.serveuser[.]com at startup;
  • It ensures persistence through schtasks [T1053] with a logon task named AdobeUpdater pointing to C:ProgramDatapackageAdobeService.exe.

Under the hood, Stitch is a remote shell program that provides classic backdoor functionalities by establishing a direct socket connection, to exchange AES-encrypted data with the remote server.

Conclusion

With almost 10 compromised websites and dozens of implanted hosts (that we know of), the attackers have set up a sizable yet very targeted water-holing attack. The toolset that’s being used seems low-budget and not fully developed, but has been modified several times in a few months to leverage interesting features like Google Drive C2, and would be characteristic of a small, agile team.

We were unable to observe any live operations, but some tracks indicate that the Godlike12 backdoor is not widespread, and is probably used to conduct reconnaissance and data-exfiltration operations.

We were unable to correlate these attacks to any known APT groups.
For more details and the latest information on this threat actor, please contact [email protected]

Appendix – IOCs

Infrastructure

Domain IP address Description
root20system20macosxdriver.serveusers[.]com 45.32.154[.]111 Watering hole targets validator server
loginwebmailnic.dynssl[.]com 207.148.117[.]159 Watering hole targets validator server
ubntrooters.serveuser[.]com 45.76.43[.]153 Stitch auto-update server
system0_update04driver_roots.dynamic-dns[.]net 95.179.171[.]173 Stitch C2
sys_andriod20_designer.dynamic-dns[.]net 45.63.114[.]152 Stitch C2
adobeflash31_install.ddns[.]info 95.179.171[.]173 Installer package C2
airjaldinet[.]ml 108.61.178[.]125 Older C++ validator C2

URLs

https://loginwebmailnic.dynssl[.]com/part/mac/contentmc.php
https://loginwebmailnic.dynssl[.]com/all/content.php
https://loginwebmailnic.dynssl[.]com/lh/content.php
https://root20system20macosxdriver.serveusers[.]com/yW6jOyQM16rj.html
https://root20system20macosxdriver.serveusers[.]com/itV6E1uKYiOo.html
http://ubntrooters.serveuser[.]com/wuservice.exe
http://ubntrooters.serveuser[.]com/upgrade.exe
http://ubntrooters.serveuser[.]com/flashplayer_update.exe
http://adobeflash31_install.ddns[.]info/flash/sys.txt
https://github[.]com/AdobeFlash32/FlashUpdate/
https://airjaldinet[.]ml/

Hashes (MD5)

0C6025A2C68E1C702A3022F1A6AE9169
1076A0EE924F198A7BD58A2DE1F060A0
10B4D3A667E06DC4B06AA542173D052C
11294E27491B496E36CA7DB9F363ADCD
11A16E109DBAF2FD080D8490328DE5A1
2E1862BC23085402EE11C88E540533C0
3989AC9EFB6A725918BD1810765D30B3
481DD1A37C86FDA68BCED0ECB2F47597
5287045D15FF60618F426AFC03BBB331
53CB974CAF909EEDCD86D2F80E75AD0A
5F19BB1688CA836B9207248F9096B9D2
6DF39D2CE9FCA27B78CC5CA0BED89703
7EB0C103AE21189AD9AD4A9804293B22
8623FA35226AC92CF6F02447AC80AFB0
9E69DDE252038B4A38EF0BFF6CE7FCD7
AD7A4333BC364DF3D4FA00B13CBBBEB4
B02ABA86409BE2AB263B1A476C1A1417
B21AF331B1752A70360B5D8DC9013F3F
B21BD93F15916A9A4AC76350D8FDBE10
BE3E563E95DEDCA0CEC9792194FFF2AC
DE2D8AF2EFED0C145690B2F13CD063B3
EC993FF561CBC175953502452BFA554A
ED081A869D30BB90B76552C83BD784C8
BEC4482890A89F0184B463C727709D53
9A819F2CE060058745FF5374221ADA7C
6DC5F8282DF76F4045F75FEA3277DF41


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

iOS exploit chain deploys “LightSpy” feature-rich malware – 10 minute mail

A watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the content of the landing page. Since the initial activity, we released two private reports exhaustively detailing spread, exploits, infrastructure and LightSpy implants.

Landing page of watering hole site

We are temporarily calling this APT group “TwoSail Junk”. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. And we are working with colleagues to tie LightSpy with prior activity from a long running Chinese-speaking APT group, previously reported on as Spring Dragon/Lotus Blossom/Billbug(Thrip), known for their Lotus Elise and Evora backdoor malware. Considering this LightSpy activity has been disclosed publicly by our colleagues from TrendMicro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies.

This supplemental information can be difficult to organize to make for easy reading. In light of this, this document is broken down into several sections.

  1. Deployment timeline – additional information clarifying LightSpy deployment milestone events, including both exploit releases and individual LightSpy iOS implant component updates.
  2. Spreading – supplemental technical details on various techniques used to deliver malicious links to targets
  3. Infrastructure – supplemental description of a TwoSail Junk RDP server, the LightSpy admin panel, and some related server-side javascript
  4. Android implant and a pivot into evora – additional information on an Android implant and related infrastructure. After pivoting from the infrastructure in the previous section, we find related implants and backdoor malware, helping to connect this activity to previously known SpringDragon APT with low confidence.

More information about LightSpy is available to customers of Kaspersky Intelligence Reporting. Contact: [email protected]

Deployment timeline

During our investigation, we observed the actor modifying some components involved in the exploit chain on February 7, 2020 with major changes, and on March 5, 2020 with minor ones.

Figure 1. Brief LightSpy event timeline

The first observed version of the WebKit exploit dated January 10, 2020 closely resembled a proof of concept (PoC), containing elements such as buttons, alert messages, and many log statements throughout. The second version commented out or removed many of the log statements, changed alert() to print() statements, and also introduced some language errors such as “your device is not support…” and “stab not find…”.

By analyzing the changes in the first stage WebKit exploit, we discovered the list of supported devices was also significantly extended:
Table 1. iOS version exploit support expansion

Device iOS version Supported as of Jan 10 Supported as of Feb 7
iPhone 6 11.03 +
iPhone 6S 12.01 + commented
12.2 +
iPhone 7 12.1 +
12.11 + +
12.12 + +
12.14 +
12.2 +
iPhone 7+ 12.2 +
iPhone 8 12.2 +
iPhone 8+ 12.2 +
iPhone X 12.2 +

As seen above, the actor was actively changing implant components, which is why we are providing a full list of historical hashes in the IoC section at the end of this report. There were many minor changes that did not directly affect the functionality of each component, but there were also some exceptions to this that will be expanded on below. Based on our observations of these changes over a relatively short time frame, we can assess that the actor implemented a fairly agile development process, with time seemingly more important than stealthiness or quality.

One interesting observation involved the “EnvironmentalRecording” plugin (MD5: ae439a31b8c5487840f9ad530c5db391), which was a dynamically linked shared library responsible for recording surrounding audio and phone calls. On February 7, 2020, we noticed a new binary (MD5: f70d6b3b44d855c2fb7c662c5334d1d5) with the same name with no similarities to the earlier one. This new file did not contain any environment paths, version stamps, or any other traces from the parent plugin pattern. Its sole purpose was to clean up the implant components by erasing all files located in “/var/iolight/”, “/bin/light/”, and “/bin/irc_loader/”. We’re currently unsure whether the actor intended to replace the original plugin with an uninstall package or if this was a result of carelessness or confusion from the rapid development process.

Another example of a possible mistake involved the “Screenaaa” plugin. The first version (MD5: 35fd8a6eac382bfc95071d56d4086945) that was deployed on January 10, 2020 did what we expected: It was a small plugin designed to capture a screenshot, create a directory, and save the capture file in JPEG format. However, the plugin (MD5: 7b69a20920d3b0e6f0bffeefdce7aa6c) with the same name that was packaged on February 7 had a completely different functionality. This binary was actually a LAN scanner based on MMLanScan, an open source project for iOS that helps scan a network to show available devices along with their MAC addresses, hostname, and manufacturer. Most likely, this plugin was mistakenly bundled up in the February 7 payload with the same name as the screenshot plugin.

Figure 2. LightSpy iOS implant component layout and communications

Spreading

We cannot say definitively that we have visibility into all of their spreading mechanisms. We do know that in past campaigns, precise targeting of individuals was performed over various social network platforms with direct messaging. And, both ours and previous reporting from others have documented TwoSail Junk’s less precise and broad use of forum posts and replies. These forum posts direct individuals frequenting these sites to pages hosting iframes served from their exploit servers. We add Telegram channels and instagram posts to the list of communication channels abused by these attackers.

These sites and communication medium are known to be frequented by some activist groups.

Figure 3. LightSpy iPhone infection steps

The initial watering hole site (hxxps://appledaily.googlephoto[.]vip/news[.]html) on January 10, 2020 was designed to mimic a well known Hong Kong based newspaper “Apple Daily” by copy-pasting HTML content from the original:

Figure 4. Source of html page mimicking newspaper “Apple Daily”

However, at that time, we had not observed any indications of the site being purposely distributed in the wild. Based on our KSN detection statistics, we began seeing a massive distribution campaign beginning on February 18, 2020.

Table 2. LightSpy related iframe domains, urls, and first seen timestamps

Starting on February 18, the actors began utilizing a series of invisible iframes to redirect potential victims to the exploit site as well as the intended legitimate news site from the lure.

Figure 5. Source of html page with lure and exploit

Infrastructure

RDP Clues

The domain used for the initial watering hole page (googlephoto[.]vip) was registered through GoDaddy on September 24, 2019. No unmasked registration information was able to be obtained for this domain. The subdomain (appledaily.googlephoto[.]vip) began resolving to a non-parked IP address (103.19.9[.]185) on January 10, 2020 and has not moved since. The server is located in Singapore and is hosted by Beyotta Network, LLP.

At the time of our initial investigation, the server was listening on ports 80 (HTTP) and 3389 (RDP with SSL/TLS enabled). The certificate for the server was self-signed and created on December 16, 2019. Based on Shodan data as early as December 21, 2019, there was a currently logged in user detected who’s name was “SeinandColt”.

Figure 6. Screenshot of RDP login page for the server 103.19.9[.]185

Admin Panel

The C2 server for the iOS payload (45.134.1[.]180) also appeared to have an admin panel on TCP port 50001.

The admin panel seems to be a Vue.js application bundled with Webpack. It contains two language packs: English and Chinese. A cursory analysis provides us the impression of actual scale of the framework:

If we take a closer look at the index.js file for the panel, some interesting configurations are visible, to include a user config, an application list, log list, and other interesting settings.

The “userConfig” variable indicates other possible platforms that may have been targeted by the same actors, such as linux, windows, and routers.

Another interesting setting includes the “app_list” variable which is commented out. This lists two common applications used for streaming and chat mostly in China (QQ and Miapoi). Looking further, we can also see that the default map coordinates in the config point directly to the Tian’anmen Gate in Beijing, however, most likely this is just a common and symbolic mapping application default for the center of Beijing.

Android implants and a pivot into “evora”

During analysis of the infrastructure related to iOS implant distribution we also found a link directing to Android malware – hxxp://app.hkrevolution[.]club/HKcalander[.]apk (MD5: 77ebb4207835c4f5c4d5dfe8ac4c764d).

According to artefacts found in google cache, this link was distributed through Telegram channels “winuxhk” and “brothersisterfacebookclub”, and Instagram posts in late November 2019 with a message lure in Chinese translated as “The Hong Kong People Calendar APP is online ~~~ Follow the latest Hong Kong Democracy and Freedom Movement. Click to download and support the frontline. Currently only Android version is available.”

Further technical analysis of the packed APK reveals the timestamp of its actual build – 2019-11-04 18:12:33. Also it uses the subdomain, sharing an iOS implant distribution domain, as its c2 server – hxxp://svr.hkrevolution[.]club:8002.

Its code contains a link to another related domain:

Checking this server we found it hosted another related APK:

MD5 fadff5b601f6fca588007660934129eb
URL hxxp://movie.poorgoddaay[.]com/MovieCal[.]apk
C2 hxxp://app.poorgoddaay[.]com:8002
Build timestamp 2019-07-25 21:57:47

The distribution vector remains the same – Telegram channels:

The latest observed APK sample is hosted on a server that is unusual for the campaign context – xxinc-media[.]oss-cn-shenzhen.aliyuncs[.]com. We assume that the actors are taking steps to split the iOS and Android activities between different infrastructure pieces.

MD5 5d2b65790b305c186ef7590e5a1f2d6b
URL hxxps://xxinc-media.oss-cn-shenzhen.aliyuncs[.]com/calendar-release-1.0.1.apk
C2 hxxp://45.134.0[.]123:8002
Build timestamp 2020-01-14 18:30:30

We had not observed any indications of this URL being distributed in the wild yet.

If we take a look closer at the domain poorgoddaay[.]com that not only hosted the malicious APK but also was a C2 for them, we can note that there are two subzones of particular interest to us:

  • zg.poorgoddaay[.]com
  • ns1.poorgoddaay[.]com

We were able to work with partners to pivot into a handful of “evora” samples that use the above two subzones as their C2. Taking that a step further, using our Kaspersky Threat Attribution Engine (KTAE), we can see that the partner samples using those subzones are 99% similar to previous backdoors deployed by SpringDragon.

We are aware of other related and recent “evora” malware samples calling back to these same subnets while targeting organizations in Hong Kong as well. These additional factors help lend at least low confidence to clustering this activity with SpringDragon/LotusBlossom/Billbug.

Conclusion

This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia. This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and “evora” backdoor use.

Indicators of Compromise

File hashes

payload.dylib
9b248d91d2e1d1b9cd45eb28d8adff71 (Jan 10, 2020)
4fe3ca4a2526088721c5bdf96ae636f4 (Feb 7, 2020)

ircbin.plist
e48c1c6fb1aa6c3ff6720e336c62b278 (Jan 10, 2020)

irc_loader
53acd56ca69a04e13e32f7787a021bb5 (Jan 10, 2020)

light
184fbbdb8111d76d3b1377b2768599c9 (Jan 10, 2020)
bfa6bc2cf28065cfea711154a3204483 (Feb 7, 2020)
ff0f66b7089e06702ffaae6025b227f0 (Mar 5, 2020)

baseinfoaaa.dylib
a981a42fb740d05346d1b32ce3d2fd53 (Jan 10, 2020)
5c69082bd522f91955a6274ba0cf10b2 (Feb 7, 2020)

browser
7b263f1649dd56994a3da03799611950 (Jan 10, 2020)

EnvironmentalRecording
ae439a31b8c5487840f9ad530c5db391 (Jan 10, 2020)
f70d6b3b44d855c2fb7c662c5334d1d5 (Feb 7, 2020)

FileManage
f1c899e7dd1f721265cc3e3b172c7e90 (Jan 10, 2020)
ea9295d8409ea0f1d894d99fe302070e (Feb 7, 2020)

ios_qq
c450e53a122c899ba451838ee5250ea5 (Jan 10, 2020)
f761560ace765913695ffc04dfb36ca7 (Feb 7, 2020)

ios_telegram
1e12e9756b344293352c112ba84533ea (Jan 10, 2020)
5e295307e4429353e78e70c9a0529d7d (Feb 7, 2020)

ios_wechat
187a4c343ff4eebd8a3382317cfe5a95 (Jan 10, 2020)
66d2379318ce8f74cfbd0fb26afc2084 (Feb 7, 2020)

KeyChain
db202531c6439012c681328c3f8df60c (Jan 10, 2020)

locationaaa.dylib
3e7094eec0e99b17c5c531d16450cfda (Jan 10, 2020)
06ff47c8108f7557bb8f195d7b910882 (Feb 7, 2020)

Screenaaa
35fd8a6eac382bfc95071d56d4086945 (Jan 10, 2020)
7b69a20920d3b0e6f0bffeefdce7aa6c (Feb 7, 2020)

ShellCommandaaa
a8b0c99f20a303ee410e460730959d4e (Jan 10, 2020)

SoftInfoaaa
8cdf29e9c6cca6bf8f02690d8c733c7b (Jan 10, 2020)

WifiList
c400d41dd1d3aaca651734d4d565997c (Jan 10, 2020)

Android malware
77ebb4207835c4f5c4d5dfe8ac4c764d
fadff5b601f6fca588007660934129eb
5d2b65790b305c186ef7590e5a1f2d6b

Past similar SpringDragon evora
1126f8af2249406820c78626a64d12bb
33782e5ba9067b38d42f7ecb8f2acdc8

Domains and IPs

Implant c2
45.134.1[.]180 (iOS)
45.134.0[.]123 (Android)
app.poorgoddaay[.]com (Android)
svr[.]hkrevolution[.]club (Android)

WebKit exploit landing
45.83.237[.]13
messager[.]cloud

Spreading
appledaily.googlephoto[.]vip
www[.]googlephoto[.]vip
news2.hkrevolution[.]club
news.hkrevolution[.]club
www[.]facebooktoday[.]cc
www[.]hkrevolt[.]com
news.hkrevolt[.]com
movie.poorgoddaay[.]com
xxinc-media[.]oss-cn-shenzhen.aliyuncs[.]com

Related subdomains
app.hkrevolution[.]club
news.poorgoddaay[.]com
zg.poorgoddaay[.]com
ns1.poorgoddaay[.]com

Full Mobile Device Command List

change_config
exe_cmd
stop_cmd
get_phoneinfo
get_contacts
get_call_history
get_sms
delete_sms
send_sms
get_wechat_account
get_wechat_contacts
get_wechat_group
get_wechat_msg
get_wechat_file
get_location
get_location_coninuing
get_browser_history
get_dir
upload_file
download_file
delete_file
get_picture
get_video
get_audio
create_dir
rename_file
move_file
copy_file
get_app
get_process
get_wifi_history
get_wifi_nearby
call_record
call_photo
get_qq_account
get_qq_contacts
get_qq_group
get_qq_msg
get_qq_file
get_keychain
screenshot


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.