Muddy waters: how hackers from MuddyWater attacked a Turkish manufacturer of military electronics

Iranian pro-state hackers are in big trouble. Throughout the spring, unknown persons published "secret leaks" on Telegram: information about the APT groups associated with the Iranian government, OilRig and MuddyWater, including their tools, victims and connections. But not about all of them. In April, Group-IB specialists discovered a leak of email addresses of the Turkish corporation ASELSAN A.Ş, which produces tactical military radio stations and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, Group-IB Advanced Threat Research Team Leader, and Nikita Rostovtsev, Group-IB Junior Analyst, describe the course of the attack on ASELSAN A.Ş and a possible MuddyWater participant they identified.

Leak via Telegram

The "leak" of Iranian APT groups began when a certain Lab Dookhtegan published the source code of six APT34 (aka OilRig and HelixKitten) tools, revealed the IP addresses and domains involved in the group's operations, and released data on 66 victims, among them Etihad Airways and Emirates National Oil. Lab Dookhtegan also "leaked" data on the group's past operations and information about employees of the Iranian Ministry of Intelligence and National Security who are allegedly connected with the group's operations. OilRig is an Iran-linked APT group that has been active since 2014 and targets government, financial and military organizations, as well as energy and telecommunications companies in the Middle East and China.

After the OilRig exposure, the “leaks” continued – information about the activities of another pro-state group from Iran, MuddyWater, appeared on the darknet and Telegram. However, unlike the first leak, this time it was not the source codes that were published, but dumps, including screenshots of the sources, control servers, and IP addresses of past victims of hackers. This time, Green Leakers claimed responsibility for the MuddyWater leak. They own several Telegram channels and dark web sites where they advertise and sell data related to MuddyWater operations.

Cyber spies from the Middle East

MuddyWater is a group that has been operating in the Middle East since 2017. For example, according to Group-IB experts, from February to April 2019 the hackers conducted a series of phishing mailings aimed at government and educational organizations and at financial, telecommunications and defense companies in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

Members of the group use a backdoor of their own design based on PowerShell, called POWERSTATS. It can:

  • collect data about local and domain accounts, available file servers, internal and external IP addresses, OS name and architecture;
  • perform remote code execution;
  • upload and download files via the C&C server;
  • detect debugging tools used in the analysis of malicious files;
  • shut down the system if malware-analysis tools are found;
  • delete files from local drives;
  • take screenshots;
  • disable the security features of Microsoft Office products.

At some point the attackers made a mistake, and researchers from ReaQta managed to obtain the attackers' real IP address, which was located in Tehran. Given the targets attacked by the group and its cyber-espionage tasks, experts suggested that the group represents the interests of the Iranian government.

Attack indicators

C&C:

  • gladiyator[.]tk
  • 94.23.148[.]194
  • 192.95.21[.]28
  • 46.105.84[.]146
  • 185.162.235[.]182

Files:

  • 09aabd2613d339d90ddbd4b7c09195a9
  • cfa845995b851aacdf40b8e6a5b87ba7
  • a61b268e9bc9b7e6c9125cdbfb1c422a
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • a066f5b93f4ac85e9adfe5ff3b10bc28
  • 8a004e93d7ee3b26d94156768bc0839d
  • 0638adf8fb4095d60fbef190a759aa9e
  • eed599981c097944fa143e7d7f7e17b1
  • 21aebece73549b3c4355a6060df410e9
  • 5c6148619abb10bb3789dcfb32f759a6
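The indicators above are published defanged (with `[.]`), so a defender has to refang them before they can be matched against DNS, proxy or EDR telemetry. The following script is an added example and is not part of the original article or of Group-IB's tooling: it refangs the C&C list, splits it into IP and domain sets, normalises the MD5 list, and scans log lines for exact IP hits, domain and subdomain hits, and hash hits. The five log lines are constructed for the example; the hostnames, timestamps and the benign address 203.0.113.5 are made up.

```python
import re
from typing import Dict, List, Tuple

# C&C indicators exactly as published in the article (defanged with [.]).
C2_INDICATORS = [
    "gladiyator[.]tk",
    "94.23.148[.]194",
    "192.95.21[.]28",
    "46.105.84[.]146",
    "185.162.235[.]182",
]

# File hashes (MD5) as published in the article.
FILE_HASHES_MD5 = [
    "09aabd2613d339d90ddbd4b7c09195a9",
    "cfa845995b851aacdf40b8e6a5b87ba7",
    "a61b268e9bc9b7e6c9125cdbfb1c422a",
    "f12bab5541a7d8ef4bbca81f6fc835a3",
    "a066f5b93f4ac85e9adfe5ff3b10bc28",
    "8a004e93d7ee3b26d94156768bc0839d",
    "0638adf8fb4095d60fbef190a759aa9e",
    "eed599981c097944fa143e7d7f7e17b1",
    "21aebece73549b3c4355a6060df410e9",
    "5c6148619abb10bb3789dcfb32f759a6",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(c2: List[str], md5s: List[str]) -> Tuple[set, set, set]:
    """Split the C&C list into exact-match IP and domain sets; lowercase the hashes."""
    ips, domains = set(), set()
    for raw in c2:
        ind = refang(raw).lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ind):
            ips.add(ind)
        else:
            domains.add(ind)
    return ips, domains, {h.lower() for h in md5s}


# Tokens we pull out of each log line: anything shaped like an IPv4, a hostname, or an MD5.
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def scan_logs(lines: List[str], ips: set, domains: set, md5s: set) -> List[Dict[str, str]]:
    """Return one hit record per matching token: indicator type, the value, and the line."""
    hits = []
    for line in lines:
        low = line.lower()
        for ip in IP_RE.findall(low):
            if ip in ips:
                hits.append({"type": "ip", "indicator": ip, "line": line})
        for host in HOST_RE.findall(low):
            # Match the listed domain itself and any subdomain of it.
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append({"type": "domain", "indicator": host, "line": line})
        for h in MD5_RE.findall(low):
            if h in md5s:
                hits.append({"type": "md5", "indicator": h, "line": line})
    return hits


# Constructed sample telemetry (not real logs): one DNS hit, one proxy hit, one EDR hash hit, two benign lines.
SAMPLE_LOGS = [
    "2019-04-10T09:12:03Z dns host=ws-017 qname=gladiyator.tk qtype=A",
    "2019-04-10T09:12:04Z proxy host=ws-017 dst=94.23.148.194:443 method=CONNECT",
    "2019-04-10T09:15:41Z edr host=ws-017 event=file_write path=C:\\Users\\u\\asd.doc md5=21aebece73549b3c4355a6060df410e9",
    "2019-04-10T09:16:02Z proxy host=ws-022 dst=203.0.113.5:443 method=CONNECT",
    "2019-04-10T09:17:55Z dns host=ws-022 qname=update.microsoft.com qtype=A",
]


def run_sample() -> List[Tuple[str, str]]:
    """Scan the constructed sample and return (type, indicator) pairs in log order."""
    ips, domains, md5s = build_matchers(C2_INDICATORS, FILE_HASHES_MD5)
    return [(h["type"], h["indicator"]) for h in scan_logs(SAMPLE_LOGS, ips, domains, md5s)]


if __name__ == "__main__":
    for typ, ind in run_sample():
        print(f"[{typ}] {ind}")
```

Domain matching deliberately includes subdomains, since a C&C domain is rarely contacted only at its apex; IP matching is exact, because a shared hosting address can produce false positives if matched on a prefix.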

Türkiye under the gun

On April 10, 2019, Group-IB specialists discovered a leak of email addresses of the Turkish company ASELSAN A.Ş, the largest military electronics company in Turkey. Its products include radar, electro-optics, avionics, unmanned systems, ground, naval and weapons systems, and air defense systems.

While studying one of the new samples of the POWERSTATS malware, Group-IB experts determined that the MuddyWater attacker group used as a decoy document a license agreement between Koç Savunma, an information and defense technology solutions company, and Tubitak Bilgem, an information security research center and advanced technologies. The contact person for Koç Savunma was Tahir Taner Tımış, who served as Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. Later he started working for ASELSAN A.Ş.

Sample decoy document
After the user activates the malicious macros, the POWERSTATS backdoor is downloaded to the victim's computer.

Thanks to the metadata of this decoy document (MD5: 0638adf8fb4095d60fbef190a759aa9e), the researchers were able to find three additional samples with identical values, including the creation date and time, the username, and the list of macros they contain:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)
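The pivot described above (finding further samples because they share creation time, username and macro list with one known decoy) is a routine that is easy to automate. The script below is an added example, not code from the article or from Group-IB: it represents each document's metadata as a record, counts how many pivot fields a candidate shares with the seed, and ranks the candidates. In practice the SummaryInformation fields come from a tool such as olefile (`OleFileIO.get_metadata()`) and the VBA module names from oletools; here the corpus is constructed inline. The four MD5s and the three filenames are those published in the article; the seed's filename, all timestamps, usernames, module names and the two extra documents are made-up values.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DocMeta:
    """Metadata of one Office document, as olefile/oletools would report it."""
    md5: str
    filename: str
    created: str               # SummaryInformation create time
    author: str                # SummaryInformation author
    last_saved_by: str         # SummaryInformation last-saved-by user
    macros: Tuple[str, ...]    # names of the VBA modules found in the file


# Fields worth pivoting on: an operator who builds lures from one template leaves
# the same values in every document produced from it.
PIVOT_FIELDS = ("created", "author", "last_saved_by", "macros")


def shared_fields(seed: DocMeta, other: DocMeta) -> List[str]:
    """Names of the pivot fields whose values are identical in both documents."""
    return [f for f in PIVOT_FIELDS if getattr(seed, f) == getattr(other, f)]


def pivot(seed: DocMeta, corpus: List[DocMeta], min_shared: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Rank the corpus by metadata overlap with the seed.

    Returns (md5, filename, shared_field_names) for every document that shares at
    least `min_shared` pivot fields with the seed, strongest overlap first and
    filename order within a tier. The seed itself is skipped.
    """
    hits = []
    for doc in corpus:
        if doc.md5 == seed.md5:
            continue
        shared = shared_fields(seed, doc)
        if len(shared) >= min_shared:
            hits.append((doc.md5, doc.filename, shared))
    hits.sort(key=lambda h: (-len(h[2]), h[1]))
    return hits


# Constructed corpus. The real MD5s and the three lure filenames are from the article;
# every other value (seed filename, timestamps, usernames, module names, extra docs) is made up.
TEMPLATE = dict(created="2019-03-10 11:42:00", author="user",
                last_saved_by="Gladiyator", macros=("ThisDocument", "Module1"))

SEED = DocMeta("0638adf8fb4095d60fbef190a759aa9e", "koc-tubitak-license.doc", **TEMPLATE)  # filename assumed

CORPUS = [
    SEED,
    DocMeta("eed599981c097944fa143e7d7f7e17b1", "ListOfHackedEmails.doc", **TEMPLATE),
    DocMeta("21aebece73549b3c4355a6060df410e9", "asd.doc", **TEMPLATE),
    DocMeta("5c6148619abb10bb3789dcfb32f759a6", "F35-Specifications.doc", **TEMPLATE),
    # Placeholder hash: same author and macro set but a different build, a weaker link.
    DocMeta("00000000000000000000000000000001", "invoice.doc", "2019-04-02 09:05:00",
            "user", "Gladiyator2", ("ThisDocument", "Module1")),
    # Placeholder hash: unrelated internal document with nothing in common.
    DocMeta("00000000000000000000000000000002", "meeting-notes.doc", "2018-11-20 15:30:00",
            "jsmith", "jsmith", ()),
]


def run_sample() -> List[Tuple[str, str, List[str]]]:
    """Pivot from the article's seed decoy over the constructed corpus."""
    return pivot(SEED, CORPUS)


if __name__ == "__main__":
    for md5, name, shared in run_sample():
        print(f"{md5}  {name:24s} shares: {', '.join(shared)}")
```

Raising `min_shared` to the number of pivot fields reproduces the strict "identical metadata" match from the article; the lower default also surfaces partial template reuse, which is how the next lure built from the same kit tends to be found before it is reported.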

Screenshot of the identical metadata of the various decoy documents

One of the discovered documents named ListOfHackedEmails.doc contains a list of 34 email addresses belonging to the domain @aselsan.com.tr.

Group-IB specialists checked the email addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered leaks. A check of the combined available leaks showed about 400 unique logins associated with this domain, together with their passwords. The attackers may have used this publicly available data to attack ASELSAN A.Ş.

Screenshot of ListOfHackedEmails.doc

Screenshot of a list of more than 450 login-password pairs found in public leaks

Among the discovered samples was also a document titled F35-Specifications.doc, referring to the F-35 fighter. The decoy document is a specification for the F-35 multi-role fighter-bomber, listing the characteristics of the aircraft and its price. The subject of this decoy document relates directly to the US refusal to supply F-35s after Turkey's purchase of the S-400 systems and to the threat of information about the F-35 Lightning II being transferred to Russia.

All the data received indicated that organizations located in Turkey were the main target of the MuddyWater cyber attacks.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents created by a Windows user with the nickname Gladiyator_CRK were discovered. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with a similar name, gladiyator[.]tk.

This may have been done after Nima Nikjoo posted a tweet on March 14, 2019 in which he tried to decode obfuscated code related to MuddyWater. In the comments on this tweet, the researcher said that he could not share the indicators of compromise for this malware, as the information was confidential. Unfortunately, the post has already been deleted, but traces of it remain online:

Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites dideo.ir and videoi.ir. On these sites he demonstrates PoC exploits for disabling the anti-virus tools of various vendors and for bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist, reverse engineer and malware analyst who works for MTN Irancell, an Iranian telecommunications company.

Screenshot of saved videos in Google search results:

Later, on March 19, 2019, Twitter user Nima Nikjoo changed his nickname to Malware Fighter and deleted the related posts and comments. The Gladiyator_CRK profile on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile itself was renamed to N Tabrizi. However, almost a month later (April 16, 2019) the Twitter account began using the name Nima Nikjoo again.

During the research, Group-IB specialists found that Nima Nikjoo had already been mentioned in connection with cybercriminal activities. In August 2014, the Iran Khabarestan blog published information about individuals associated with the Iranian Nasr Institute cybercriminal group. One of FireEye's investigations stated that Nasr Institute was an APT33 contractor and was also involved in DDoS attacks on US banks between 2011 and 2013 as part of a campaign called Operation Ababil.

The same blog also mentioned a Nima Nikju-Nikjoo who was developing malware to spy on Iranians, and gave his email address as gladiyator_cracker@yahoo[.]com.

Screenshot of data attributed to cybercriminals from the Iranian Nasr Institute:

Translation of the highlighted text: Nima Nikio - Spyware Developer - Email Address.

As this information shows, the email address is linked to the address used in the attacks and to the users Gladiyator_CRK and Nima Nikjoo.

In addition, a June 15, 2017 article noted that Nikjoo appeared to have been somewhat careless in publishing links to the Kavosh Security Center company in his resume. There is a view that the Kavosh Security Center is supported by the Iranian state to fund pro-government hackers.

Information about the company Nima Nikjoo worked for:

Twitter user Nima Nikjoo's LinkedIn profile lists Kavosh Security Center as his first job, where he worked from 2006 to 2014. During that time he studied various malware and also did reverse engineering and obfuscation-related work.

Information about the company Nima Nikjoo worked for on LinkedIn:


MuddyWater and inflated self-esteem

It is curious that the MuddyWater group carefully monitors all the reports and messages that information security experts publish about them, and at first even deliberately left false flags to throw researchers off the trail. For example, their first attacks misled experts because they found the use of DNS Messenger, which was commonly associated with the FIN7 group. In other attacks they inserted strings in Chinese into the code.

In addition, the group is very fond of leaving messages for researchers. For example, they did not like the fact that Kaspersky Lab placed MuddyWater in 3rd place in its threat rating for the year. At about the same time, someone, presumably the MuddyWater group, uploaded to YouTube a PoC exploit that disables the Kaspersky Lab antivirus. They also left a comment under the article.

Screenshots of the video on disabling Kaspersky Lab antivirus and the comment below it:

So far, it is difficult to draw an unambiguous conclusion about the involvement of "Nima Nikjoo". Group-IB experts are considering two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group who came to light through his own negligence and increased online activity. The second option is that he was deliberately "exposed" by other members of the group in order to divert suspicion from themselves. In any case, Group-IB is continuing its research and will report its results.

As for the Iranian APTs, after this series of leaks and exposures they are likely to face a serious "debriefing": the hackers will be forced to substantially change their tools, clean up their traces and look for possible "moles" in their ranks. Experts did not rule out that they would even take a pause, but after a short break the Iranian APT attacks resumed.

Source: habr.com
