Muddy waters: how hackers from MuddyWater attacked a Turkish manufacturer of military electronics

Iranian pro-government hackers have serious problems. All spring, unknown persons published "secret leaks" on Telegram: information about the APT groups linked to the Iranian government, OilRig and MuddyWater, their tools, victims and connections. But not about everyone. In April, Group-IB specialists discovered a leak of mail addresses of the Turkish company ASELSAN A.Ş, which manufactures tactical military radios and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, Group-IB Advanced Threat Research Team Leader, and Nikita Rostovtsev, junior analyst at Group-IB, describe the course of the attack on ASELSAN A.Ş and identify a possible member of MuddyWater.

Exposure via Telegram

The leaks about Iranian APT groups began with a certain Lab Dookhtegan publishing the source code of six APT34 tools (aka OilRig and HelixKitten), revealing the IP addresses and domains involved in the operations, as well as data on 66 victims of the hackers, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also leaked data about the group's past operations and information about employees of the Iranian Ministry of Intelligence and National Security who were allegedly connected with the group's operations. OilRig is an Iran-linked APT group that has been active since 2014 and targets government, financial and military organizations, as well as energy and telecommunications companies in the Middle East and China.

After OilRig was exposed, the leaks continued: information about the activity of another pro-state group from Iran, MuddyWater, appeared on the darknet and on Telegram. However, unlike the first leak, this time it was not source code that was published but dumps, including screenshots of source code, control servers, and IP addresses of the hackers' past victims. This time the Green Leakers hackers claimed responsibility for the MuddyWater leak. They own several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater operations.

Cyber spies from the Middle East

MuddyWater is a group that has been operating in the Middle East since 2017. For example, as Group-IB specialists note, from February to April 2019 the hackers carried out a series of phishing mailings targeting government, educational, financial, telecommunications and defense organizations in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

Members of the group use a PowerShell-based backdoor of their own development, called POWERSTATS. It can:

  • collect data about local and domain accounts, available file servers, internal and external IP addresses, and the OS name and architecture;
  • perform remote code execution;
  • upload and download files via C&C;
  • detect the presence of debugging programs used in the analysis of malicious files;
  • shut down the system if programs for analyzing malicious files are found;
  • delete files from local drives;
  • take screenshots;
  • disable security features in Microsoft Office products.

At some point the attackers made a mistake, and researchers from ReaQta managed to obtain the final IP address, located in Tehran. Given the targets attacked by the group and its cyber-espionage goals, experts concluded that the group represents the interests of the Iranian government.

Attack indicators. C&C:


Files:


Turkey under attack

On April 10, 2019, Group-IB specialists discovered a leak of mail addresses of the Turkish company ASELSAN A.Ş, the largest company in the field of military electronics in Turkey. Its products include radar and electronic warfare, electro-optics, avionics, unmanned systems, land, naval, weapon and air defense systems.

Studying one of the new samples of the POWERSTATS malware, Group-IB specialists determined that the MuddyWater attackers used as a lure document a license agreement between Koç Savunma, a company developing solutions in the field of information and defense technologies, and Tubitak Bilgem, a research center for information security and advanced technologies. The contact person for Koç Savunma was Tahir Taner Tımış, who held the position of Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. Later he started working at ASELSAN A.Ş.

Sample lure document

After the user enables the malicious macros, the POWERSTATS backdoor is downloaded to the victim's computer.

Thanks to the metadata of this lure document (MD5: 0638adf8fb4095d60fbef190a759aa9e), researchers were able to find three more samples containing the same values, including the creation date and time, the user name, and the list of macros contained:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)
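The metadata pivot described above, as an added illustration that is not code from the original article or from Group-IB. The page's samples are .doc (OLE) files; this example applies the same idea to OOXML (.docx) containers, which Python's standard library can open, and uses the presence of a VBA project as a stand-in for the macro list. The sample files and the creation timestamp are constructed; the creator name and file names are taken from the article.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of an OOXML (.docx) container.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/"}

def make_docx(creator, created, has_vba):
    """Build a minimal in-memory OOXML container. Constructed test data, not a real lure."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>{creator}</dc:creator>'
        f'<dcterms:created>{created}</dcterms:created></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        if has_vba:
            z.writestr("word/vbaProject.bin", b"\x00")  # only its presence matters here
    return buf.getvalue()

def metadata(blob):
    """Extract the pivot fields: author, creation timestamp, and whether a macro project exists."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
        has_vba = "word/vbaProject.bin" in z.namelist()
    return {"creator": root.findtext("dc:creator", "", NS),
            "created": root.findtext("dcterms:created", "", NS), "has_vba": has_vba}

def pivot(reference_blob, candidates):
    """Names of candidate documents whose pivot fields all equal the reference lure's."""
    ref = metadata(reference_blob)
    return sorted(name for name, blob in candidates.items() if metadata(blob) == ref)

# Constructed corpus: creator name and file names come from the article, timestamps are made up.
LURE = make_docx("Gladiyator_CRK", "2019-03-01T09:00:00Z", True)
CANDIDATES = {
    "ListOfHackedEmails.doc": make_docx("Gladiyator_CRK", "2019-03-01T09:00:00Z", True),
    "asd.doc": make_docx("Gladiyator_CRK", "2019-03-01T09:00:00Z", True),
    "F35-Specifications.doc": make_docx("Gladiyator_CRK", "2019-03-01T09:00:00Z", True),
    "quarterly-report.docx": make_docx("Gladiyator_CRK", "2019-03-05T14:30:00Z", False),  # same author only
    "unrelated.docx": make_docx("someone-else", "2019-03-01T09:00:00Z", False),
}

if __name__ == "__main__":
    print(pivot(LURE, CANDIDATES))
```

Document metadata is attacker-controlled and trivially edited, so a match like this is a hunting lead to confirm with code and infrastructure overlap, not attribution on its own.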

Screenshot of the identical metadata of the different lure documents

One of the discovered documents, named ListOfHackedEmails.doc, contains a list of 34 email addresses belonging to the @aselsan.com.tr domain.

Group-IB specialists checked these email addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered leaks. A check of the combined available leaks showed about 400 unique logins associated with this domain, together with passwords for them. The attackers may have used this publicly available data to attack ASELSAN A.Ş.

Screenshot of the ListOfHackedEmails.doc document

Screenshot of a list of more than 450 login-password pairs found in public leaks

Among the samples obtained there was also a document titled F35-Specifications.doc, referring to the F-35 fighter. The lure document is a specification for the F-35 multi-role fighter-bomber, listing the characteristics and price of the aircraft. The theme of this lure document is directly related to the US refusal to supply F-35s after Turkey purchased S-400 systems, and to the threat that information about the F-35 Lightning II would be transferred to Russia.

All the data obtained indicate that the main targets of the MuddyWater cyberattacks were organizations located in Turkey.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were discovered that had been created by a certain Windows user under the nickname Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with a similar name, gladiator[.]tk.

This was possibly done after the user Nima Nikjoo posted on Twitter on March 14, 2019, trying to decode obfuscated code related to MuddyWater. In the comments to this tweet, the researcher said he could not share indicators of compromise for this malware, since the information is confidential. Unfortunately, the post was deleted, but traces of it remain online:

Nima Nikjoo is the owner of the Gladiyator_CRK page on the Iranian video hosting sites dideo.ir and videoi.ir. On this site he demonstrates PoC exploits that disable antivirus tools from various vendors and bypass sandboxes. Nima Nikjoo writes about himself that he is a network security specialist, as well as a reverse engineer and malware analyst working for MTN Irancell, an Iranian telecommunications company.

Screenshot of the videos preserved in Google search results:

Later, on March 19, 2019, the Twitter user Nima Nikjoo changed his nickname to Malware Fighter and also deleted related posts and comments. The Gladiyator_CRK page on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile was renamed N Tabrizi. However, almost a month later (April 16, 2019), the Twitter account again began using the name Nima Nikjoo.

During the investigation, Group-IB specialists found that Nima Nikjoo had previously been mentioned in connection with cybercriminal activity. In August 2014, the Iranian blog Khabarestan published information about individuals linked to the Iranian cybercriminal group Nasr Institute. A FireEye investigation stated that Nasr Institute was a contractor for APT33 and had also been involved in DDoS attacks on US banks between 2011 and 2013 as part of a campaign called Operation Ababil.

On that same blog, Nima Nikju-Nikjoo was mentioned as a developer of malware for spying on Iranians, along with his email address: gladiator_cracker@yahoo[.]com.

Screenshot of the data on cybercriminals from the Iranian Nasr Institute:

Translation of the highlighted text into Russian: Nima Nikio - spyware developer - Email:.

As this information shows, the email address matches the address used in the attack and the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article dated June 15, 2017 stated that Nikjoo had been careless in listing references to the Kavosh Security Center on his resume. The Kavosh Security Center is believed to be supported by the Iranian state to fund pro-government hackers.

Information about the company where Nima Nikjoo worked:

The LinkedIn profile of the Twitter user Nima Nikjoo lists his first place of work as the Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malware and also engaged in reverse engineering and obfuscation.

Information on LinkedIn about the company where Nima Nikjoo worked:


MuddyWater and inflated self-esteem

The MuddyWater group is notable for its close attention to the reports and messages that information security experts publish about it, and for planting false flags early on to throw researchers off the scent. For example, experts were misled about its first attack by the detected use of DNS Messenger, which is usually associated with the FIN7 group. In other attacks the group inserted Chinese strings into its code.

In addition, the group likes to leave messages for researchers. For example, it did not like that Kaspersky Lab placed MuddyWater third in its threat rating for the year. At the same time, someone, presumably the MuddyWater group, uploaded a PoC exploit to YouTube that disables the Kaspersky Lab antivirus. They also left a comment under the article.

Screenshots of the video on disabling the Kaspersky Lab antivirus and the comment below it:

It is very difficult to draw an unambiguous conclusion about the involvement of "Nima Nikjoo". Group-IB experts are considering two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group, exposed through his own carelessness and increased activity online. The second option is that he was deliberately "exposed" by other members of the group in order to deflect suspicion from themselves. In any case, Group-IB is continuing its investigation and will certainly report its results.

As for the Iranian APTs, after this series of leaks and exposures they will probably face a serious "debriefing": the hackers will be forced to substantially change their tools, clean up their tracks and look for possible "moles" in their ranks. Experts did not rule out that they would take a timeout, but after a short pause, the attacks of the Iranian APTs have resumed.

Source: www.habr.com
