Research Saturday 11.7.20
Ep 159 | 11.7.20

PoetRAT: a complete lack of operational security.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Craig Williams: We have a data set that's probably unmatched in the industry, and so we look through it constantly trying to find new samples doing strange and interesting things. And while doing that one day, we stumbled across PoetRAT.

Dave Bittner: That's Craig Williams. He's the head of Talos Outreach at Cisco. The research we're discussing today is titled, "PoetRAT: Malware Targeting Public and Private Sector in Azerbaijan Evolves."

Craig Williams: So, the reason it stood out to us initially was that it doesn't really share that many similarities with known samples. We believe it's a new APT group, one that we haven't seen before, or perhaps a new actor – depending how you want to define "APT," right?

Dave Bittner: Mm-hmm.

Craig Williams: But we believe this actor – we hadn't seen them before – that they came into the space, that they had the initial version of PoetRAT that we talked about in April, and then have kind of evolved it since then. Along the lines of what you'd see with other nation states – right? – moving towards more evasive protocols, a little bit more careful OPSEC, and just doing what you would expect as someone with, you know, an initial swing into the APT world and then over the next period of months would do.

Dave Bittner: So, honing their craft, if you will.

Craig Williams: Unfortunately so, yes.

Dave Bittner: Yeah. Well, I mean, let's go back to the original version. What was going on under the hood there that caught your eye?

Craig Williams: So the reason this one stood out was a complete lack of operational security. (Laughs)

Dave Bittner: (Laughs) OK. 

Craig Williams: So, that can tell you a couple of things about the actor, right? The most obvious of which is often the actor is not concerned about being caught. Now, that can mean a couple of different things, right? For crimeware, it can tell you, well, perhaps they're from a region where they're not worried about it, right? Maybe in certain countries, cybercrime is not something that's heavily punished or even something that's against the law.

Dave Bittner: Right.

Craig Williams: And when it comes to more espionage malware, well, when you see malware going after government targets or people associated with government targets and they are not practicing operational security, it generally gives you an idea that they're probably from, you know, a less mature organization, that they don't really care if you detect it, and that they're probably being a little bit more, let's call it "liberal" with the malware than you would see with other more mature APT groups.

Dave Bittner: Huh. Is this an indicator that this could be, for example, the folks who are in power, like, you know, what are you going to do if you find out that it's me?

Craig Williams: You know, it certainly could be. And I think that's probably the other more interesting thing about this. When we look at common geopolitical interactions these days, and when we see tensions rise in a region, we are seeing more and more often a rise in cyber activity against those countries involved. And so I think that that's something that needs to be expected now, that it's something that we will continue to see, and I would say it's something that if we're not seeing it, then someone found something clever, because it's there. And so I think this is really an extension of geopolitical tension right now, right? If two countries are threatening each other or there's tensions in a region, you can expect all countries with interests in those regions to try and – you know, to be trying to gain intelligence on one another and try and collect different types of intelligence, you know, just for standard purposes. And this is what we're seeing here. So I think it's something that's really interesting, and I think it's something that we're going to see as part of the political and geopolitical processes now.

Dave Bittner: Well, let's dig into some of the specifics here together. In this round of PoetRAT, what's going on?

Craig Williams: Well, so this time, they changed a little bit of it up. In the first one, one of the reasons it stood out was that they were doing a lot of the phoning home – well, all of the phoning home over FTP. Which, you know, it works...

Dave Bittner: (Laughs)

Craig Williams: ...It's like a classic car, right? You can count on it. Not a lot of computer involved. And so FTP, while it is one of the more stable, easy-to-use protocols, it does kind of stand out a little bit now. You know, I don't know the last time you FTP'd file in a network.

Dave Bittner: I don't either. (Laughs)

Craig Williams: Yeah, it's been years. So, obviously that was on their list of things to change. The other problem with FTP is that not only does it stand out, but all the data is passed in the clear, and if there's anything in that data that you don't want someone in between to see, or maybe there's, you know, something in there that could be detected, it's a little bit more risky. And so in this version, they moved over to HTTP, which is a nice evolution.

Craig Williams: So, they are growing. They are taking steps. You know, it's using similar victimology. If you look at the blog post we have, we found them targeting diplomatic passports for people in that region, which is – you know, when we wrote the intro to the blog, I was discussing with Paul and Warren, you know, at some point, where does cyberespionage end and just regular espionage over the Internet begin? 

Dave Bittner: Hmm.

Craig Williams: Do you know what I mean? You know, people overload the term "cyberespionage" to be any espionage over the Internet, but really, to me, cyberespionage is becoming more and more of a term to say intellectual property theft. Right? One country to another or one commercial entity to another. And what we're seeing here with the theft of diplomatic credentials and things along those lines, it's really more of just the pure espionage angle.

Dave Bittner: Yeah, shifting – I suppose, with the shift of where these things are handled, that more and more of these documents as a regular course of business are being handled electronically and online, that's just where this stuff is.

Craig Williams: Right. And if you look at the way that they're crafting the Word documents that they use as the vector for this, they're impersonating official government documentations for the local government. And we see that a lot. You know, we saw that with campaigns in North Korea, a couple in Russia. So it's a common technique, but it is a way that they can target a specific country, because if they want intelligence on officials in those regions, they're going to use the right letterhead, they're going to use the right context, and so that can give you a much more involved picture of who they're targeting, which then can give you some insight into why they're targeting those people. And in this particular case, of course, once we found the intel that was attempted to be collected, it was very obvious.

Dave Bittner: And to be clear here, who are they targeting?

Craig Williams: Well, it's – I think we call it VIP folks – right? – folks with diplomatic passports.

Dave Bittner: And this is in Azerbaijan?

Craig Williams: Yes. Thank you for saying it. (Laughs)

Dave Bittner: (Laughs) I see. I was wondering why you were putting it off there, Craig, but I had your back, my friend. I had your back.

Craig Williams: I can stumble through it for everyone. (Laughs)

Dave Bittner: (Laughs) You know, I think you would not be alone in that. You know, there's a couple of things that caught my eye here when I was reading through your research that maybe you could clarify for me. You point out that looking at some of the code here – there's a macro that they're using in a Word document, and it contains literature references... 

Craig Williams: Yeah. 

Dave Bittner: ...In this case, text from the novel The Brothers Karamazov. Is this just style points or is there some sort of obfuscation tactic here?

Craig Williams: A little bit of both. You know, I think it's more style points.

Dave Bittner: OK.

Craig Williams: So, you know, it will allow them to change the file checksums for a very, very simplistic malware detection by including or modifying quotes. But I think it's more of a calling card, right? 

Dave Bittner: I see.

Craig Williams: And we see this relatively commonly. If you read the section below that it gets even funnier.

Dave Bittner: Yeah, go on. 

Craig Williams: Well, so while we're doing our investigation, we found the script basically trying to pull down additional payloads and, you know, basically enhance the malware with plugin-type activity, right? You know, a lot of times when you have malware, it'll be a loader for different stages down the path. Well, instead of the next stage, we got a file named after an expletive filled with thousands and thousands of lines of additional expletives. 

Dave Bittner: (Laughs)

Craig Williams: So, I think they were on to us at that point.

Dave Bittner: I see. Interesting.

Dave Bittner: Now, there were some other changes that they made here along the way. What are some of the adjustments that you all are tracking?

Craig Williams: Well, so the major one was the shift towards a little bit more covert of a phone-home system, right? They moved from Python to Lua, which is a little bit more rare. And they also, you know, they shifted the TTPs. You know, it's – like I said at the beginning, it's basic advances in techniques that will make them slightly harder to detect. Now, there is still the very real fact that they're using a Microsoft Word document with a macro embedded in it... 

Dave Bittner: Mm-hmm.

Craig Williams: ...Which unfortunately is still remarkably successful. Right? I mean, this has been around for decades. It's something everyone should know and everyone should have, you know, mitigation strategies in place for, but unfortunately, what we can see here is at least this actor believes that his potential targets do not have those strategies in place.

Dave Bittner: And they're taking advantage of, I suppose, social engineering techniques, you know, using some of the political unrest that's going on in Azerbaijan as the hook to the people they're targeting.

Craig Williams: Absolutely. And if you look at the pictures of the Word document that we included, they even have the official seals in the corners of it. And again, this is something that we've seen other actors do, right? So we've looked at some that were impersonating South Korean government officials, and they even went a step further than this, and they would take the localized information classification headers and embed those into the document. So, actors are really good at this, right? These type of techniques are very publicly known.

Craig Williams: Now, there are a lot of next-level stuff that you can do, and creativity is the limit. And so, you know, we're seeing a little bit of that, but not a lot. So I think, again, this is one of those situations where it's very likely that these attackers will continue to evolve and will continue to improve their tradecraft as they need to. But it's very possible that right now they're not meeting enough resistance to need to improve that tradecraft. So, you know, if your current techniques work, there's not going to be a need to evolve.

Dave Bittner: Is this a case where you and your team are kind of witnessing a nation or a threat actor, you spin up their capabilities in real-time? You're sort of watching them grow up?

Craig Williams: I think that's very possible.

Dave Bittner: How often does something like that happen? I mean, is this – I guess what I'm getting at is, is this sort of thing taking a natural spread around the world? As you mentioned earlier, this sort of thing becomes more routine as more of the information is online. Is this just part of every nation's toolkit?

Craig Williams: So, let me answer that question in parts. So, I think right now cyber capabilities are part of most established nations' toolkit. 

Dave Bittner: Right.

Craig Williams: I think where you see things like this, where you can literally watch an actor figure out what works better and what doesn't, are either one of two things. One, like you said, it could be a country exploring new capabilities for the first time. Or two, it could be a new operator hired by a government who – I don't want to say they fudged the resume a little bit, but perhaps... (Laughs) Yeah, my cousin Bob is good with computers. Let's hire him. 

Craig Williams: Now, you know, in this actor's defense – I hate that I have to defend him...

Dave Bittner: Right, yeah.

Craig Williams: ...But the reality is it doesn't need to be complex. Right? These techniques, even though most of them are well known and have been seen before, are working. And so that's the thing, right? You're only going to see malware as advanced as it needs to be. And this is kind of why it's hilarious when so many people are worried about zero-day. You see people tweeting about it and concerned about it. And meanwhile, they're, you know, six months behind on patching.

Craig Williams: So, you know, you've got to realize that this is the type of thing – Word macros – that are probably the largest threat to most organizations. Simplistic, well-known, functional attacks that, you know, yeah, they target the system a little bit, but mostly they target the people. Right? And I would guess that probably right behind this is an email saying, "hey, click on this." 

Dave Bittner: Right. (Laughs)

Craig Williams: Yeah.

Dave Bittner: So, what are your recommendations here in terms of, you know, best practices to defend against this sort of thing, as old school as it is? Can you take us through some of your recommendations?

Craig Williams: Absolutely. So, the right way to defend against Word macros are, number one, keep your software up-to-date. You know, modern versions of Office don't allow this by default. You know, that's step one.

Craig Williams: Step two is to have a layered defense. You know, there are multiple opportunities to detect something like this, right? The first one is at the network perimeter. You know, your network security devices should be looking for things like Word documents with macros embedded in them from outside sites, and they should probably convict them, and they should especially convict them if they match a known malware sample.

Craig Williams: You know, next is, obviously, let's say it gets to your endpoint. You know, somebody checks email at home, maybe it comes through the network because you don't have, you know, network security devices. So you've got to have something on that endpoint besides the person to help them make smart decisions. And that's where you can get into, you know, malware protection products, antivirus, that type of thing.

Craig Williams: And even after that, there are a couple of things you can do. And so, after that, I would say DNS security is an easy one. Have all of your offices' computers look up to a DNS server that provides security, so that if the malware author is trying to have you connect to a command-and-control server that doesn't have a known-good reputation, there's a good chance it won't allow that lookup to continue and will block it.

Dave Bittner: Mm-hmm.

Craig Williams: And all of those things can give you slightly more chances and overlapping chances to block this type of activity.

Dave Bittner: Yeah, and of course, your blog post here on PoetRAT, that includes some indicators of compromise so folks can look up those and see where we stand there. But are you expecting further evolution here?

Craig Williams: I think there's a good chance. You know, as long as there's going to be increased tension in that region and as long as those countries seem to be investing in cyber capabilities, we're going to continue to see it. So I expect, you know, in another couple of months, we're probably going to see some more evolution and we may even see more groups and more samples pop up. So we'll have to keep our eyes on it.

Dave Bittner: Our thanks to Craig Williams from Cisco Talos for joining us. The research is titled, "PoetRAT: Malware Targeting Public and Private Sector in Azerbaijan Evolves." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.