Research Saturday 8.15.20
Ep 147 | 8.15.20

Waiting for their victims.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Liviu Arsene: Most of this information, you know, it's too much to handle for an average user or for the regular security researcher.

Dave Bittner: That's Liviu Arsene. He's a Global Cybersecurity Researcher with Bitdefender. The research we're discussing today is titled, "StrongPity APT – Revealing Trojanized Tools, Working Hours, and Infrastructure."

Liviu Arsene: That's why we have some sort of automated systems that flag potentially interesting samples, potentially interesting malware. And that's when somebody goes in and manually digs through the sample to see if it's something interesting and worthwhile.

Dave Bittner: Well, let's go through it together. So, this APT group, StrongPity, they come to your attention – take us through what you discovered.

Liviu Arsene: Right. So, basically, we found a campaign, apparently that they seem to have been operating since last year. I think it all started with October 1st, 2019 – at least that's our best guess. But it seems to have been targeting the Kurdish community. So basically, it seems to have been targeting victims either at the border with Syria or in Turkey's capital city. So, whoever was behind this in terms of – I mean, we assume that this APT group might have potentially been state-sponsored with some sort of political motivation, because the timestamps on the samples that we found seem to coincide with the same date when the Operation Peace Spring began. So basically, that was the day when Turkish military offensive began into northern Syria. That is kind of like the only, if you will, circumstantial evidence that we have right now to tie the campaign with this military operation.

Dave Bittner: I see. Well, take us through exactly what was going on here. What were they up to?

Liviu Arsene: So, judging by the way they set up the infrastructure and by the way they compromised victims, it seems that they were selectively targeting – selectively targeting victims, yeah. So they basically used an attack technique that we call "watering hole." It's basically the type of tactic that involves your victim coming to you instead of you going after your victims. So, you know, if traditionally attackers would try to exploit a vulnerability in your browser, get you to download something from a tampered website or a website that they control, or click on attachments or stuff like that. Now, it seems that they decided to tamper with some localized software aggregates and sharers, basically just waiting for their victims to come to them and do some actions on a website that they frequently visit. That's how you know that it's a targeted attack, because they apparently seem to have had a very good understanding of their victims' profile and the types of websites that they visit, so that they would know to compromise in advance and simply just wait it out – just wait for the victims to come to them.

Dave Bittner: And so, what were they – what sorts of websites were they taking advantage of?

Liviu Arsene: It's just software aggregates and sharers – basically the types of websites that you would use whenever you wanted to download some tools, you know, like common archivers or unzipping tools or emulation tools, stuff like that. So, it's just regular, traditional tools that you would normally use on your computer.

Dave Bittner: I see. So, suppose I'm someone who finds myself with one of these compromised tools, I install it on my system – what would happen next?

Liviu Arsene: Well, the interesting thing is that you wouldn't know that you've installed something malicious. Now, the way this thing works is that they seem to have had a list of IP addresses that belong to their targets. So, whenever they got a hit from one of those IP addresses visiting the compromised websites, they would automatically redirect them to an infected tool. So, for example, let's say I'm the victim, I visit the website, the attacker knows my IP address in advance, and I want to download, for example, 7-Zip. Instead of downloading the legitimate 7-Zip, the attacker would redirect my download request to one of their own servers that practically feeds me a tampered version of 7-zip.

Dave Bittner: Hmm.

Liviu Arsene: I would then install 7-Zip. It has a perfectly valid and legitimate package. So, it – after it installed, I wouldn't see anything peculiar, nothing out of the ordinary would happen. But it seems that, you know, the tool actually came with some additional components. From what we were able to gather, it seems to have had about four components, mostly designed for persistency, data, exfiltration, and stuff like that.

Dave Bittner: So, to be clear here, I mean, the app's primary functionality was still in place. If you were downloading a utility for zipping files, it was still able to do that.

Liviu Arsene: Exactly. So, they actually use the legit setup, the legitimate file, the legitimate tool that you would otherwise get from the legitimate website. But they added some additional components on the side, you know, just to make things interesting.

Dave Bittner: Well, take us behind the scenes here of some of the additional components – what exactly they were up to.

Liviu Arsene: So, there's a launcher and persistence component. Basically, the name is pretty self-explanatory – it allows – it sets up the exfiltration, basically, and command-execution component as a persistent task on the victim's machine. And then it has a component that's specifically designed to search through every file, every drive, every folder you have on your computer. It's a file searcher component. So, all of these, especially the file searcher component, actually accept instructions from the command-and-control infrastructure alone.

Liviu Arsene: And since I was talking about the command-and-control infrastructure, what's interesting about it – it's that we seem to have uncovered that it has multiple layers. I mean, the victim doesn't directly communicate with the final C&C – it goes through some additional steps. For example, as soon as the victim is infected, there's a first layer that intercepts the communication, pretty much guaranteeing or making sure that indeed, we're talking about a legitimate victim. It kind of validates the victim, if you will. Then it simply forwards that communication to a second-layer C&C, which, if you will, it kind of acts like a proxy. So it makes sure that indeed, whatever the level-two C&C is receiving comes from a C&C that's already part of the infrastructure, and, you know, it's not somebody trying to impersonate a level-one C&C. It also validates that indeed, we're talking about a victim, that a legitimate victim is actually trying to communicate. And the level-two then just forwards everything that it received from the level-one to the level-three, which is the final command-and-control infrastructure. And to me, this is kind of interesting. I mean, you don't see a lot of instances in which somebody goes through all this trouble. 

Dave Bittner: And this is to cover their tracks, you presume?

Liviu Arsene: So, yeah. This is a – if you will, it's a tactic to make things difficult for us. To make things very difficult in terms of finding out who's behind it, who owns the infrastructure, and, you know, what's the purpose for each layer sometimes. You know, it adds obfuscation to the entire problem.

Dave Bittner: And what sort of insights were you able to gain by sort of unwinding that, discovering these multiple tiers?

Liviu Arsene: Well, not much, actually. We just found that this is the type of infrastructure that they seem to use. It's likely that this is just part of it because we've backtracked this, I mean, everything that we found with other research found in the past, and it seems that these guys have a pretty good track record of having infrastructure based in Europe and other countries. So it's likely that, you know, they have a much broader infrastructure. But this is just the scale that they've used in this particular campaign. So, it's likely that they're going to be using it – it's likely that the full infrastructure is yet invisible to us. It's like piecing together pieces of a puzzle. You know, one security researcher finds this three-layer infrastructure, and another security infrastructure (ph) finds an additional layer or finds another command-and-control server, and so on. So, without – it's difficult to have the full scope and magnitude of the infrastructure that they're using. And I guess this is pretty much the whole reason why we call them an APT group... 

Dave Bittner: Mm-hmm.

Liviu Arsene: ...You know, they're advanced, persistent, they're knowledgeable, skillful. And sometimes, they have some sort of political benefactor or government benefactor.

Dave Bittner: Well, and one of the things you note here is that there seems to be a certain professionalism to them, like they're keeping regular working hours.

Liviu Arsene: Oh, yeah. So, this is actually quite interesting, because we've seen malware-as-a-service – you know, traditional malware that's being developed and delivered to the highest bidder – acting pretty much like software outsourcing company. These guys, instead of showing up to work, they wake up at 9:00 a.m., sit in front of a computer, they've got a project manager, they've got marketing, they've got sales, and they just write their own piece of code during working hours. APT groups take this to a whole new level. I mean, if you're talking about a group that's potentially state-sponsored and has some sort of political motivation, it's literally just like a software outsourcing company. These guys wake up at 9:00 a.m., they clock in, and they clock out at 6:00 p.m. And, you know, they pretty much act like security experts, if you will, except they're sitting on the wrong side of the fence...

Dave Bittner: (Laughs)

Liviu Arsene: ...Because make no mistake, they are very good at what they do. They have a very good understanding of how security solutions work, of how operating systems work – I mean, the internals of operating system work – and in some cases, they are even more skilled than traditional security folk.

Dave Bittner: Now, in terms of detecting what they were up to, I mean, once they're within an environment, how noisy are they? How stealthy are they? How likely are they to be discovered?

Liviu Arsene: Right, so that's the interesting thing – you probably won't know that they've breached your infrastructure or exfiltrated some information before it's probably too late. Because what they do is once they have that component that I said, start searching for files, you know, they look for files with specific extensions. If they find some files that are interesting, they just simply download them on a network computer that sits within the same compromised infrastructure. Or it sits, you know, on the victim's computer, basically a folder. So they gather all the information they need from various folders, partitions, or even network-attached devices into a single folder on the victim's computer. Now, once they have all that, they simply create archives of it, they split them, and just send them to the command-and-control server. You know, if you're a network administrator, you would see that your employee's probably uploading some zip files to a file share or uploading some files online, but it's nothing out of the ordinary to upload a file, a zip file.

Dave Bittner: And they're encrypted as well, which adds to the difficulty in analyzing what's being sent, I suppose.

Liviu Arsene: Exactly. Sometimes they're encrypted, sometimes they're password-protected, you know, making decompression difficult to find out what exactly goes on. And after they've successfully exfiltrated everything they needed to know, you know, they delete the archives, the folder, and they even have a kill switch that they can use to simply remove the threat from the infected computer and just be gone with it. You know, just remove any forensic evidence that they might have left behind.

Dave Bittner: Well, let's touch on persistence here. Do they have ways of staying on a machine if they want to? If they are discovered and the folks clean off their machine, for example, are they able to come back?

Liviu Arsene: Um, it depends. I mean, most of the persistence mechanisms that we've seen involve creating a new service and naming that service, you know, like something a Windows service would be named, like "Print Spooler" or stuff like that. So, if you don't know what you're looking for, if you're looking at that service and you don't know what it does and it has a common name, you're probably not going to realize that it's a malicious service. Of course, if you do a complete wipe or if you kill that service, it will probably be spinned up again once the computer reboots. 

Dave Bittner: I see. Well, so what are your recommendations for folks to protect themselves against this?

Liviu Arsene: Oh, well, so I think you should probably, you know, first and foremost use a security solution. It's not often that I get to stress this strong enough. You know, I've got a lot of complaints from people that say they've been compromised or they've had some sort of security issue because they either disabled some features from the security solution, or because at some point they decided they know better. I actually have quite a few stories with people that got infected by disabling the security solution because they believed the spearphishing email, you know, instead of the security solution. So, yeah. So start with that.

Liviu Arsene: Then, it's probably best that you also, you know, try to get your information, get your tools, get your software from the legitimate website. If you want to download applications, make sure you download them from the official website, not, you know, sources that you are not usually trusted, or they are trusted, but they could be compromised. So, again, make sure that you're getting your information from the official website.

Liviu Arsene: And if you're a company, and you want to make sure that even if something like this happens and an employee ends up being infected, I think it's also important to have the proper security stack deployed within your infrastructure. I mean, look, now, since everybody's working from home, I think, you know, most companies think that their employees are usually the weakest link, basically because they're no longer within the company infrastructure and they're relying on their home network. If you will address that, if you will, you need to have some sort of technologies deployed on the endpoint – you know, on the employee's endpoint – that do some sort of network analysis, some sort of policy enforcement in terms of what these employees can install, cannot install, and stuff like that.

Liviu Arsene: There are security technologies out there that will offer you even the opportunity to assess your employees' home network remotely. For example, this is something that I've recommended since the pandemic – if your employees start dialing into your infrastructure from their home network, wouldn't it be interesting if you could just, you know, take their IP addresses and just run a port scan on them, just to make sure that, you know, maybe the router is exposing the router control interface online, maybe they have some custom shares that they've enabled without knowing on their routers and they're publicly exposing files online. You do some sort of pentesting, if you will, on your employee's home network – and let them know about it, because otherwise that's just mean,

Dave Bittner: (Laughs) Not very sporting of you, right?

Liviu Arsene: Exactly. So, everybody needs to be aware that, you know, this is –we're living in some interesting times, and everybody working from home – it's natural that some companies might feel that employees potentially can be more at risk than ever before, especially now that they work from home. Now, if until now they received, for example, a spearphishing email, they could simply just, you know, ask your buddy to the left or to the right, hey, is this an email coming from John, you know, the CFO? Oh, no, the CFO's on vacation. Well, now that they're home, they've got nobody to ask. And contacting your IT department is not really something that a lot of employees want to do. So, it's important to let them know that the IT department is there to help them. Any questions they may have – you know, doesn't matter how dumb they may be at first – they're there to answer them and to educate them.

Dave Bittner: Yeah, well, and I suppose with this StrongPity group, I mean, the way – with how targeted they are with the people that they're trying to hit, I mean, this doesn't sound like a broad campaign that's just trying to vacuum up everybody on the Internet – they know who they're after here.

Liviu Arsene: Exactly. So, again, just because they had that – I mean, we actually saw a list – they had a list of IP addresses that they were specifically waiting for to connect to those compromised websites. So that means they did their homework in advance. So they did a lot of investigation, if you will, on who their victims are, what their IP addresses are – especially now, potentially that, you know, some of them might have worked from home. So they knew exactly who they were targeting, and they knew their habits. They knew that they would visit those websites frequently. So, you know, it was just a matter of waiting it out.

Dave Bittner: Do you have any sense for how successful they were?

Liviu Arsene: Well, it's difficult to say, because you don't know how much information they actually managed to get from their victims and how many victims they successfully compromised. So, what we do know is that they were waiting for a very limited number of victims. We know that they had the capabilities of exfiltrating pretty much everything they needed or wanted. But in terms of what they actually and how much they actually managed to do in terms of damage, it's difficult to estimate.

Dave Bittner: Our thanks to Liviu Arsene from Bitdefender for joining us. The research is titled "StrongPity APT: Revealing Trojanized Tools, Working Hours, and Infrastructure." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.