Observing the Ebb and Flow of Cross-Platform Malware

Recent news of a cross-platform, Java-based backdoor used to create a DDoS botnet (ThreatPost authored a valuable brief) prompted us to revisit a late November report by MobiStealth on the emergence of cross-platform threats.

Well-known malware such as Koobface and McRAT, capable of affecting OSX, Windows, and Linux machines, is interesting to observe over time because its effects are typically noticed in bursts. But after patches are made and defenses are hardened, there’s often a comeback: malware reemerges, sometimes years later, when new vulnerabilities are discovered or modifications allow it to once again slip through defenses.

Paraphrasing a fellow threat intel analyst: while novel vulnerabilities remain available, why would attackers waste resources creating new malware if existing tools can do the job? We’ve seen trojans, such as Trojan.Naid, used in distinct attacks over long stretches, making it clear that attackers are comfortable opportunistically reusing tools.

The below Recorded Future timeline shows attention to Koobface and McRAT (along with its various aliases) during 2013:

Koobface McRAT timeline

The top row in the timeline shows variants of McRAT being used in distinct campaigns during 2013. The lower row reveals the reported spike in Koobface infections during Q1 2013, which some researchers called a return “from the dead,” and the subsequent slowdown later in the year.

Tracking the Latest Cross-Platform Malware Developments

Recognition last week of the cross-platform HEUR:Backdoor.Java.Agent.a, the technical name bestowed by Kaspersky Lab upon the above mentioned Java backdoor, led us to set up monitoring in Recorded Future so we can watch the evolution of this particular malware.

The below network (here’s the live, interactive view in Recorded Future) details elements of recent conversations happening around the web related to cross-platform malware.

Cross Platform Malware Network

The recent Java backdoor aside, we notice discussion about a cross-platform threat that works in the other direction: banking malware that seeks to infect Android devices from Windows. Separately, we see Twitter chatter raising attention to the new Java.Agent.a malware by using several hashtags associated with hacktivist collective Anonymous.

Analysts at Booz Allen report cross-platform malware will be a growing and increasingly damaging threat vector in 2014. If you’d like to set up an alert on this topic and/or use the visualization tools shown above for your own threat intelligence research, reach out to us at Recorded Future. We’ll get you hooked up with a trial account.

Tripwire Series on Cyber Intelligence

Tripwire’s State of Security blog is running an interesting series on cyber intelligence with Robert M. Lee, an active-duty U.S. Air Force Cyberspace Operations Officer and co-founder of Dragos Security.

The first post in the series – An Introduction to Cyber Intelligence – discusses developments in DoD’s “Joint Publication (JP) 2-0 Joint Intelligence” (PDF) and particularly highlights how “intelligence tactics, techniques, and procedures (TTPs) as well as various types of operations existed long before cyberspace was conceived.”

Here is a sample of what you’ll get from the full post:

The key here is making sure the data meets some goal or purpose and is not just ‘intelligence for intelligence’s sake’ (dragnet type intelligence operations actually hinder analysts and negatively impact security; I’ll address the topic of privacy being crucial to security in a presentation to TROOPERS 2014 in March). This definition is applicable to cyber intelligence and we can simply apply the sources and efforts of the collection, processing, analyzing, and using of the intelligence to cyberspace related topics.

Syrian Electronic Army Phishing in Turkey, Turkish Hackers Retaliate

The Syrian Electronic Army was busy playing both offense and defense last week. They reportedly gained access to multiple Microsoft assets including social media channels and the Official Microsoft Blog at blogs.technet.com; soon after, their website was hacked by a Turkish group called TurkGuvenligi.

It’s not the first time we’ve seen hacker-on-hacker campaigns involving the SEA. Their spat with members of Anonymous is well documented, but this defacement, if TurkGuvenligi’s stated cause for their attack is true, is interesting in that it alerts us to ongoing efforts by the SEA to infiltrate Turkish assets.

SEA Hacked by TurkGuvenligi

The SEA carried out attacks on Turkish government assets during June alongside but seemingly not in outright coordination with other hacktivists during the swell of anti-government protests. We don’t observe any anti-government activity by TurkGuvenligi reported in the open source, a point that we’ll further address in this post.

But back to the SEA and its efforts against the Turkish government. Months earlier, it was reported that the SEA successfully gained access to high level political discussions between officials in Turkey, Qatar, and Egypt. Al-Akhbar, along with Syrian website Ajel, released the contents of those documents.

Syrian Electronic Army and Turkey Timeline


With this defacement by TurkGuvenligi, we can surmise the SEA continues to attempt exfiltrating information from Turkish assets as Syria’s neighbor facilitates peace talks with Syrian rebel groups. Was TurkGuvenligi retaliating on behalf of the Turkish government?

What’s the story with TurkGuvenligi?

TurkGuvenligi Timeline


Using Recorded Future, we plotted out TurkGuvenligi’s activity over several years. The group used a DNS hijacking tactic back in 2010 against security firm Secunia that is remarkably similar to an attack by the SEA against Twitter during fall 2013, the latter of which saw Twitter’s DNS host Melbourne IT compromised.

The group’s targeting is diverse. It hit a variety of targets in a similar DNS spoofing attack during September 2011 when TurkGuvenligi successfully compromised NetNames and Ascio, subsidiaries of Group NBT, redirecting traffic to Vodafone, BetFair, the Daily Telegraph, the Register, National Geographic, Acer, and UPS among others. They redirected traffic from exploit database 1337day.com in mid-2013 when the site wouldn’t ban a user allegedly posing as one of TurkGuvenligi’s founding members, Agd_Scorp, and just prior to the SEA hack the group defaced the popular cryptographic library OpenSSL.
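The registrar-level DNS hijacks described above (Secunia in 2010, the NetNames/Ascio redirections in 2011, Melbourne IT in 2013) succeed without touching the victim’s own servers, so a site owner’s best early warning is noticing that the authoritative nameservers or A records for its domains no longer match what it expects. The following is an added defender-side example, not code from this post or from Recorded Future: it compares a constructed baseline of expected NS and A records against a constructed observation in which one domain has been re-pointed, and reports the discrepancies. The domain names and addresses are placeholders; the only real library call is the optional `socket.gethostbyname_ex` adapter, which can return A records only.

```python
import socket
from typing import Callable, Dict, List, Set, Tuple

Records = Dict[str, Set[str]]          # record type ("a", "ns") -> set of values

# Constructed baseline: what the operator expects each domain to resolve to.
# Placeholder names and RFC 5737 addresses, not real records for any site.
EXPECTED: Dict[str, Records] = {
    "example-shop.test": {
        "a": {"192.0.2.10", "192.0.2.11"},
        "ns": {"ns1.registrar.test", "ns2.registrar.test"},
    },
    "example-news.test": {
        "a": {"198.51.100.5"},
        "ns": {"ns1.registrar.test", "ns2.registrar.test"},
    },
}

# Constructed observation simulating a registrar-account compromise: the second
# domain's delegation has been changed and its A record now points elsewhere.
OBSERVED_HIJACKED: Dict[str, Records] = {
    "example-shop.test": {
        "a": {"192.0.2.10", "192.0.2.11"},
        "ns": {"ns1.registrar.test", "ns2.registrar.test"},
    },
    "example-news.test": {
        "a": {"203.0.113.77"},
        "ns": {"ns1.attacker-dns.test"},
    },
}

Finding = Tuple[str, str, List[str], List[str]]   # domain, type, unexpected, missing


def diff_records(expected: Dict[str, Records], observed: Dict[str, Records]) -> List[Finding]:
    """Compare observed records to the baseline; one finding per mismatched record type."""
    findings: List[Finding] = []
    for domain, wanted in expected.items():
        seen = observed.get(domain, {})
        for rtype, want in wanted.items():
            if rtype not in seen:
                continue        # resolver did not return this type; nothing to compare
            got = set(seen[rtype])
            unexpected, missing = got - want, want - got
            if unexpected or missing:
                findings.append((domain, rtype, sorted(unexpected), sorted(missing)))
    return findings


def check(expected: Dict[str, Records], resolve: Callable[[str], Records]) -> List[Finding]:
    """Resolve every baselined domain with the supplied resolver and diff the result."""
    return diff_records(expected, {d: resolve(d) for d in expected})


def live_a_records(domain: str) -> Records:
    """Real resolver adapter (stdlib only, so A records only); used instead of the sample data."""
    _, _, addrs = socket.gethostbyname_ex(domain)
    return {"a": set(addrs)}


if __name__ == "__main__":
    for domain, rtype, unexpected, missing in check(EXPECTED, lambda d: OBSERVED_HIJACKED[d]):
        print(f"{domain} {rtype.upper()} changed: unexpected={unexpected} missing={missing}")
```

Run on the constructed data the check flags both the A and NS changes for `example-news.test` and nothing for the untouched domain. In practice the resolver adapter should query the authoritative nameservers and the registrar’s WHOIS record as well, since a delegation change shows up there before cached answers expire.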

So, what did we learn from this brief assessment? The group pentests and draws attention to vulnerabilities of sites and services they use such as 1337day and OpenSSL. They occasionally appear to hack simply for the lulz, as they claimed the NetNames and Ascio attacks were carried out as part of “World Hackers Day” during 2011.

Temporal Clues to TurkGuvenligi Intentions

Defacing the SEA’s website is slightly different from other TurkGuvenligi activity in that it carries a hint of nationalism. Following this strand leads us to the discovery that while hacktivists took up arms with protesters against the Turkish government in early June, TurkGuvenligi was generally quiet. Their claimed activity on Zone-H from May 28, when protests broke out in Gezi Park, to July 9, consisted of just one defacement: an attack on AnonOps.com leaving this somewhat cryptic conspiracy theory message (note: if there are any Turkish readers out there, drop us a note in the comments as we’d appreciate a clean translation).

While it’s too big a step for the researchers on this blog to say members of this group are associated with the Turkish government, anomalies in TurkGuvenligi’s activity and the targets of other hacker groups give us clues as to what drives their work. We’ll continue to observe the interactions between nationalist hackers in Turkey and Syria as the region’s tempestuous geopolitical dynamics evolve.

Threat Intelligence Webinar: The Spread of POS Malware

POS Malware Timeline

The widely publicized data breach at Target put point-of-sale (POS) malware in the spotlight for security teams. Open source research by Recorded Future found POS malware attacks were on the rise even before the most recent attacks on retailers.

Recorded Future analysts are sharing their analysis on a live webinar today at 2:30 PM EST.

The webinar features in-depth open source threat intelligence analysis of the evolution and global impact of POS malware over several years leading up to the Target data breach. Specifically, the webinar will:

  • Show shifts in targeting and major incidents involving point-of-sale malware since 2011.
  • Discuss the global spread and increasing use of POS malware prior to the Target breach.
  • Provide a live demonstration of open-source threat intelligence analysis on BlackPOS malware from which the specific malware used against Target is believed to be derived.
  • Share how Recorded Future web intelligence can be used to tie together disparate technical information into a comprehensive understanding of fast evolving malware threats.

You can register for the live event or grab the recording here.

Visualizing RedKit Exploits

The private but popular RedKit exploit kit appears to be experiencing a resurgence based on a report by Kahu Security. Initially spotted back in May 2012, the exploit kit drew attention after cybercriminals used it in drive-by-download attacks from NBC’s compromised website in January 2013 and spam campaigns immediately after the Boston Marathon bombings.

These attacks featured iframes on the compromised websites performing simultaneous actions when rendered in a victim’s web browser. The exploit kit competes against and leverages some of the same exploits as CritXPack, Gong Da, Nuclear Pack, Cool, and Blackhole 2.0. Monitoring developments and adoption of RedKit may be of particular interest given the recent arrest in Russia of Blackhole’s creator.

Here’s a Recorded Future timeline of reports about RedKit since 2012 including notable campaigns and discovery of new vulnerabilities added to the kit:

RedKit Exploit Kit Timeline


Cybercriminals have compromised several high profile sites including but not limited to NBC assets and the Segway website to carry out their operations with RedKit. Security experts have also reported pharmaceutical sites and Japanese commercial channels as hosts for RedKit EK servers.

Here’s a more detailed look at the addition to RedKit of exploits for specific vulnerabilities, some of which was already very nicely detailed by Malwageddon, as well as the malware being dropped on successful exploitation and other exploit kits with which it has been partnered:

RedKit Exploit Timeline


RedKit EK initially included two exploits – targeting CVE-2010-0188 (Adobe Acrobat and Reader LibTIFF) and CVE-2012-0507 (Java AtomicReferenceArray) – before expanding to include at least nine different exploits. The most recent additions – targeting CVE-2013-0431 and CVE-2013-1493 – were observed in the compromise of Segway’s website.

What’s an example of RedKit in action? On April 16, the Kelihos and Cutwail botnets began sending out spam with subject lines related to the Boston bombing. The emails referred recipients to a site that would compromise their systems via the RedKit exploit kit and install bot software as well as the ZeroAccess trojan used to mine Bitcoin.

RedKit Exploit Network


Monitor Exploit Developments

From the above discovery work conducted using Recorded Future, we put together a list of the nine vulnerabilities, most of them related to Java, exploited by RedKit and set up a monitoring dashboard that displays recently discussed technical details.
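The dashboard described above boils down to one repeatable job: pull CVE identifiers out of incoming text, keep only the ones on the RedKit watchlist, and track when and where each one was last discussed. The following is an added example of that matching logic, not Recorded Future’s own tooling; it seeds the watchlist with the four CVEs this post names (the post says nine are exploited, the rest are not listed here), and runs over three constructed feed items rather than real posts.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# CVEs this post names as exploited by RedKit. The post counts nine in total;
# only these four are identified in the text, so this list is a subset.
REDKIT_WATCHLIST: Set[str] = {
    "CVE-2010-0188",   # Adobe Acrobat/Reader LibTIFF
    "CVE-2012-0507",   # Java AtomicReferenceArray
    "CVE-2013-0431",
    "CVE-2013-1493",
}

# Case-insensitive so "cve-2013-1493" in a tweet still matches; year and sequence captured.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample feed items (timestamps, sources and text are invented).
SAMPLE_ITEMS: List[Dict[str, str]] = [
    {"ts": "2013-06-02T10:15:00", "source": "blog.example",
     "text": "New RedKit landing page now serves cve-2013-1493 alongside CVE-2012-0507."},
    {"ts": "2013-06-03T08:00:00", "source": "twitter.example",
     "text": "Patch notes mention CVE-2013-9999, unrelated to exploit kits."},
    {"ts": "2013-06-04T12:30:00", "source": "forum.example",
     "text": "Seeing CVE-2013-0431 and CVE-2013-1493 again in drive-by traffic."},
]


def extract_cves(text: str) -> Set[str]:
    """Return every CVE id in the text, normalised to upper case."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def match_items(items: Iterable[Dict[str, str]], watchlist: Set[str]) -> List[Dict[str, str]]:
    """One hit per (item, watched CVE) pair; CVEs not on the watchlist are dropped."""
    hits = []
    for item in items:
        for cve in sorted(extract_cves(item["text"]) & watchlist):
            hits.append({"cve": cve, "ts": item["ts"], "source": item["source"]})
    return hits


def summarize(hits: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per-CVE mention count, first/last seen (ISO timestamps sort lexically) and sources."""
    summary: Dict[str, Dict[str, object]] = {}
    sources = defaultdict(set)
    for h in hits:
        entry = summary.setdefault(h["cve"], {"count": 0, "first_seen": h["ts"], "last_seen": h["ts"]})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], h["ts"])
        entry["last_seen"] = max(entry["last_seen"], h["ts"])
        sources[h["cve"]].add(h["source"])
    for cve, entry in summary.items():
        entry["sources"] = sorted(sources[cve])
    return summary


if __name__ == "__main__":
    for cve, entry in sorted(summarize(match_items(SAMPLE_ITEMS, REDKIT_WATCHLIST)).items()):
        print(cve, entry)
```

The off-watchlist CVE in the second sample item is discarded, while the two mentions of CVE-2013-1493 are collapsed into one row with both sources and the earliest and latest timestamps, which is the shape a dashboard needs to show “recently discussed” rather than a raw stream of matches.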

Reach out to us at Recorded Future if you’d be interested in real-time alerts on these or related issues, and please also drop by the Naked Security blog by Sophos that has provided two in-depth blog posts on RedKit.

‘Islamic Cyber Resistance’ Breaks Iranian Hacker Silence, Exposes Links to SEA

The freeze on Iranian hacktivist activity during nuclear negotiations was broken last week, although it doesn’t appear to be government sponsored. The Islamic Cyber Resistance (ICR), not yet discussed on this blog, retaliated against the December 4 assassination of a Hezbollah leader, Hassan Laqiss, by leaking documents and sensitive information related to the Saudi Army, the Saudi Binladin Group, and the Israel Defense Forces.

Interestingly, the heretofore little known group with links to the Iranian hacker community claims to have previously conducted operations with the Syrian Electronic Army.


The ICR, whose activity is being touted on Iranian hacker forums and a document drop site, claims to have worked in tandem with the SEA earlier this year in hacks against Kuwaiti mobile operator Zain Group (August 10, 2013) and a NASA subdomain (June 22, 2013).

Based on the open source data available to us, it does not appear the ICR has tight operational coordination with the other Iran-linked groups: the Qassam Cyber Fighters, Parastoo, and the Iranian Cyber Army. Instead, the ICR has so far acted on a pro-Shia, anti-Saudi, and anti-Israel platform rather than a nationalistically driven, pro-Iran agenda.

What’s the Link to Iran?

Information security blogger Kryp3ia mentions the ICR’s links to Anonymous and the SEA in passing while also describing its unique ties to an Iran-based Wikileaks-style site in a wide-ranging blog post. We’ll seek to expand on his impressive work.

The Kryp3ia post comprehensively details the Wikileak.ir connection back to an IT professional in Tehran, so we’ll focus on the Quickleak link. Below you can see that the domain registration information for Quickleak.org, created December 5, 2012, includes an admin contact email of domain@zone-hc.com.

The admin contact Mohhamad Rad is also the registrant of Zone-hc, an Iranian website defacement forum modeled after Zone-H.


Both the Wikileak.ir website and Quickleak.org Twitter account should be considered valuable resources in monitoring and assessing risk from the ICR. It may even be reasonable to glean early warning of potential targets:


Get alerts on the content of both Wikileak.ir and Quickleak.org in Recorded Future here and here.

What’s the ICR’s History?

Islamic Cyber Resistance Attacks Timeline


The group’s first information leak on February 25, 2013 contained contact information of Bahraini Military and Intelligence High-Ranked personnel and all High-Ranked United States military personnel located in “Fifth-Base” in Bahrain “in Support of people resistance in Bahrain”. A connection of note is how the data leak claimed a relationship: “‘Islamic Cyber Resistance’ and Wikileak.ir are releasing information…” The Fars News Agency also refers to Wikileaks.ir in the context of ICR as “its website.”

After the Bahrain information leak, the next time we find the phrase Cyber Resistance in this context is related to OpIsrael: a Facebook post by Anonymous Algeria (see below) and a tweet from @SyrianFortress (account now deleted) saying, “They call it ‘cyber terrorism’, but we call it CYBER-RESISTANCE BITCHES #Syria #Israel #Palestine #zionist #SEA #OpIsrael.”

ICR Anonymous

Definitively linking ICR and the manager(s) of Anonymous Algeria’s Facebook feed or the @SyrianFortress Twitter account isn’t possible based on this information in the open source, but the appearance of this phrasing in both sources is notable. Hashtags used by @SyrianFortress linking the cyber resistance phrasing to the Syrian Electronic Army, and tweets referencing both @Official_SEA12 and @SyrianFortress, are additional evidence and, in our body of research, the earliest clues of ties between the pro-Assad group and the Islamic Cyber Resistance.

Syrian Fortress and SEA

The ICR claims to have hacked a sub-domain of NASA during June 2013 and, as mentioned above, Kuwait mobile operator Zain Group during August 2013. Another hack was claimed during mid-October in a post on Quickleak announcing leaked information from Janes Defense.

Interestingly, confidential information from Jane’s was procured and leaked earlier in the year by Iranian hacker group Parastoo. It’s possible the trivial biographical data leaked by ICR was captured during and recycled out of Parastoo’s infiltration of Jane’s.

Then, as with other Iranian hacker organizations, the ICR went dark around mid-October before re-emerging with these most recent hacks after the assassination of Hassan Laqiss.

Have Hacktivists Previously Retaliated for Hezbollah Targeting?

Only once. And even that Syrian Electronic Army hack related to Hezbollah is one with dubious attribution: it remains unclear whether the SEA actually hit Israeli SCADA systems during May following Israeli strikes on Hezbollah-bound missiles in Syria.

A group “Remember Emad” was part of the OpIsrael campaign on April 7, 2013, mentioned in an announcement by Parastoo as responsible for releasing data from Israeli universities related to aerospace, electronic, and nuclear-related studies. Remember Emad previously hacked an Israeli credit card company (August 2012); the namesake of their organization, Emad Mughniyeh, was killed in a car bomb blast in Damascus on February 12, 2008.

The ICR’s simultaneous action against both Israel and assets they link to Al-Qaeda is interesting given Laqiss’ assassination is being claimed by a Sunni militant group. While there are suspicions this was arranged by Israel, one wonders if the assassination wasn’t simply a convenient political narrative to leak IDF information.

How Does the Timing of ICR Attacks Track Other Hackers?

Past claims from high ranking US officials have linked the Syrian Electronic Army to the Iranian government. However, in the absence of hard evidence, the timing of attacks doesn’t suggest SEA coordination with the prominent Iranian hacker groups: the Qassam Cyber Fighters, Parastoo, and the Iranian Cyber Army.

Could the ICR consist of hackers that also belong to QCF, Parastoo, and ICA?

Targets and Connections Iranian Hackers


Possibly, but the timing of attacks by ICR suggests independence from other Iran-linked groups in the same way the lack of overlapping operations between those groups suggests coordination. For example:


In sum, several factors lead us to believe the Islamic Cyber Resistance is operating independent of the Iranian government and the QCF, Parastoo, and ICA.

First, the group is not targeting with the precision that reflects a state-driven operation. The Qassam Cyber Fighters targeted banks following international sanctions on Iran, Parastoo went after scientific and international organizations focused on the Iranian nuclear program, and the ICA attacked domestic political dissidents.

Second, we previously found the Syrian Electronic Army not linked to those three Iran-based groups whereas we find multiple connections between the ICR and SEA in Twitter communication and propaganda. The ICR claimed collaboration with the SEA on Wikileak.ir while Quickleak.org reported the groups as partners; none of the other Iran-linked groups have announced partnerships while the Syrian Electronic Army has been known to partner with other hacktivists when it benefits their cause.

Also, several months after the ICR’s first claimed hack, themes of “cyber resistance” appeared on Twitter channels linked to the SEA. More recently, the SEA included multiple posts on its Facebook page calling out Saudi Arabia as imperialist and terrorist-backing with regards to the Syrian civil war.

Lastly, ICR activities overlap with QCF, Parastoo, or ICA operations, which suggests a lack of coordination. It’s been shown that the other three groups avoid stepping on each others’ toes and remain subdued as nuclear negotiations progress.

Copyright © 1996-2010 Analysis Intelligence. All rights reserved.