Thursday, December 4, 2014

Operation Clever

I knew the presence of "Clever" Malware, actually with no real evidence, (at that time I didn't know "Clever" it was its future name) from a cyber friend of mine who worked with me on Malware evasion techniques. I knew Iranian hackers were getting better and better, but what I did not know was the high cyber security level they reached ! (NOTE: PrivEsc is a clear plagiarism of MS10-015 ! I do agree to Cylance).  Cylance did a great job in putting al the information and all the spread analysis together discovering this incredible targeted cyber attack originated from Iran. Are you wondering when and where did we hear about Iranian hackers ? No problem, let's take a look to a clear timeline from Cylance showing Iranian-centric attacks either as victims (on the left) and attackers (on the right)

From Cylance Report
If you are wondering how Cylance  knows about the attacks' origin ... well, the answer is straight into the code. If you reverse Clever Malware (BTW, you want to download it from  here) you'll see : Persian names, most ips and DNA written into the code belong to Iranians, ASN belonging to Iranian companies, the entire infrastructure is hosted in an Iranian provider, and so on.

The initial compromise techniques according to Cylance where simple and well known even if having them all together into an unique piece of Malware make this attack "spectacular"! Quoting the report:
  • "Initial compromise techniques include SQL injection, web attacks, and creative deceptionbasedattacks – all of which have been implemented in the past by Chinese and Russian hacking teams.  
  • Pivoting and exploitation techniques leveraged existing public exploits for MS08-067 and Windows privilege escalations, and were coupled with automated, worm-like propagation mechanisms. 
  • Customized private tools with functions that include ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging. "
One of the most difficult questions to be answered is "What the most attacked country" ? Well, it's going to be easy answering to such a question talking about numbers but considering opportunities and economy speaking... almost all the top countries (economy wise) in the world have been targeted.

Targeted Countries, taken from Cylance Report

Interesting the way the attackers want to make sure the victims are not coming from IRAN. The following image show how the shell client controls the IP location. The code handles the XML response from, and displays the information as different colors based on different attributes. For instance, if the string “ERROR” is in the response, the text is displayed with the color magenta. If the string IRAN is in the response, the text is displayed with the color red. It should be noted that no other country name contains the substring IRAN. 

Piece of Shell Creator from Cylance Report

The entire system has been detected to use at least two different proxies: CCProxy (a China and MiddleEast based company) and Squid (OpenSource, world wide).  Interesting the way the attackers made use of CCProxy sources [... thinking about it ...] From the proxy configurations Cylance folks figured out IPS, Usernames and Passwords of Command -and- Controls belonging. They did find that domains, usernames and password were attributable to Tarh Andishan. Quoting Cylance Report:

"Tarh Andishan has been suspected in the past of launching attacks in the interest of Iran. The operators of the blog, which comments on Iran’s nuclear weapons efforts, has mentioned in multiple posts having been the target of debilitating brute-force authentication attacks from IP addresses registered to the same Tarh Andishan team found in Cleaver. In one of’s blog posts8, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research; however, the phone number listed under the registrant contact information has yet to be completely validated."
The Clever Malware owns many ways to be delivered from spread phising to watering leak. Once the Malware is dropped into the victims PC, it grabs local and network credentials (by using standard techniques) and use them to spread itself through PsExec, SMB shares, DLL injections etc, making it wormable. Clever Malware grabs user infos and sends them to external sources through FTP servers, SMTP Servers, SOAP based servers and if needed ssh controllers. Clever Malware uses a common version of TinyZBot (ut to 2013) to communicate back to ComandAndContols.

It is a pretty nice piece of Malware which, in my personal point of view, shows how easy could be  making a world wide targeted attack having good development skills and wise "underground knowledge". "Undergraund Knowledge" is useful to re-use piece of malware, shellcode generators, encryptors, proxies, spreading techniques, infection vectors, multiple stage infections, etc... in order to avoid new developments or new infection processes; development  skills are useful to fit all the re-used software together and to make it working.

No comments: