Muddy Water: how hackers from MuddyWater attacked a Turkish manufacturer of military electronics

Iranian pro-government hackers are in big trouble. Over the spring, unknown persons published "top-secret leaks" on Telegram: data on APT groups affiliated with the Iranian government, OilRig and MuddyWater, their tools, victims and connections. But not about everything. In April, Group-IB experts discovered a leak of the e-mail addresses of the Turkish company ASELSAN A.Ş, which produces tactical military radios and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, Group-IB Advanced Threat Research Team Leader, and Nikita Rostovtsev, junior analyst at Group-IB, described the course of the attack on ASELSAN A.Ş and found a possible MuddyWater participant.

Exposure on Telegram

The leaks about Iranian APT groups began when a certain Lab Dookhtegan made public the source code of six APT34 tools (aka OilRig and HelixKitten), disclosed the IP addresses and domains involved in its operations, as well as data on 66 of the hackers' victims, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also released data on the group's past operations and information on employees of the Iranian Ministry of Intelligence and National Security who are allegedly linked to the group's operations. OilRig is an Iran-linked APT group that has existed since around 2014 and targets government, financial and military organizations, as well as energy and telecommunications companies in the Middle East and China.

After OilRig was exposed, the leaks continued: data on the activities of another pro-government Iranian group, MuddyWater, appeared on the darknet and on Telegram. However, unlike the first leak, this time it was not source code that was published but dumps, including screenshots of source code, control servers, and the IP addresses of the hackers' past victims. This time the Green Leakers hackers claimed responsibility for the MuddyWater leak. They run several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater operations.

Cyber spies from the Middle East

MuddyWater is a group that has been active in the Middle East since 2017. For example, as Group-IB experts note, from February to April 2019 the hackers conducted a series of phishing mailings targeting government, educational, financial, telecommunications and defense organizations in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

Members of the group use a backdoor of their own development based on PowerShell, known as POWERSTATS. It can:

  • collect data on local and domain accounts, internal and external IP addresses, hostname and OS architecture;
  • perform remote code execution;
  • upload and download files via C&C;
  • detect the presence of debugging tools used in malware analysis;
  • shut down the system if malware analysis tools are detected;
  • delete files from local drives;
  • take screenshots;
  • disable security settings in Microsoft Office products.

At some point the attackers made a mistake, and researchers from ReaQta managed to obtain the final IP address, which was located in Tehran. Given the targets attacked by the group and its cyber-espionage goals, the experts suggested that the group represents the interests of the Iranian government.

Attack indicators

C&C:

  • gladiyator[.]tk
  • 94.23.148[.]194
  • 192.95.21[.]28
  • 46.105.84[.]146
  • 185.162.235[.]182

Files:

  • 09aabd2613d339d90ddbd4b7c09195a9
  • cfa845995b851aacdf40b8e6a5b87ba7
  • a61b268e9bc9b7e6c9125cdbfb1c422a
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • a066f5b93f4ac85e9adfe5ff3b10bc28
  • 8a004e93d7ee3b26d94156768bc0839d
  • 0638adf8fb4095d60fbef190a759aa9e
  • eed599981c097944fa143e7d7f7e17b1
  • 21aebece73549b3c4355a6060df410e9
  • 5c6148619abb10bb3789dcfb32f759a6
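The indicators above are published defanged (`[.]`), so they cannot be compared to live telemetry as printed. The following script is an added example, not code from the Group-IB write-up: it refangs the C&C list, treats subdomains of a C&C domain as hits, and screens constructed proxy log lines and file-creation events against the domains, IPs and MD5 hashes listed on this page. The log lines are constructed for illustration and are not from the incident.

```python
"""Screen sample telemetry for the MuddyWater indicators listed above.

Added example; not code from the Group-IB write-up. Indicator values are
the ones published on the page; the log lines below are constructed.
"""
import re

# C&C indicators exactly as published on the page (defanged).
C2_INDICATORS = [
    "gladiyator[.]tk",
    "94.23.148[.]194",
    "192.95.21[.]28",
    "46.105.84[.]146",
    "185.162.235[.]182",
]

# MD5 hashes of the malicious files as published on the page.
FILE_MD5 = {
    "09aabd2613d339d90ddbd4b7c09195a9",
    "cfa845995b851aacdf40b8e6a5b87ba7",
    "a61b268e9bc9b7e6c9125cdbfb1c422a",
    "f12bab5541a7d8ef4bbca81f6fc835a3",
    "a066f5b93f4ac85e9adfe5ff3b10bc28",
    "8a004e93d7ee3b26d94156768bc0839d",
    "0638adf8fb4095d60fbef190a759aa9e",
    "eed599981c097944fa143e7d7f7e17b1",
    "21aebece73549b3c4355a6060df410e9",
    "5c6148619abb10bb3789dcfb32f759a6",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(indicator: str) -> str:
    """Undo the usual defanging so an indicator can be compared to live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_LIVE = {refang(i) for i in C2_INDICATORS}
C2_IPS = {i for i in C2_LIVE if IPV4_RE.fullmatch(i)}
C2_DOMAINS = C2_LIVE - C2_IPS


def match_proxy_line(line: str):
    """Return the C&C indicator hit by a proxy log line, or None.

    A URL host matches a C&C domain exactly or as one of its subdomains;
    every IPv4 literal in the line (CONNECT targets included) is checked
    against the C&C IP set.
    """
    for host in URL_HOST_RE.findall(line):
        host = host.lower()
        for domain in C2_DOMAINS:
            if host == domain or host.endswith("." + domain):
                return domain
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            return ip
    return None


def match_file_event(line: str):
    """Return the published MD5 (lower-case) hit by a file event, or None."""
    for digest in MD5_RE.findall(line):
        if digest.lower() in FILE_MD5:
            return digest.lower()
    return None


def scan(proxy_lines, file_lines):
    """Run both matchers; return a list of (source, line_no, indicator)."""
    hits = []
    for no, line in enumerate(proxy_lines, 1):
        ind = match_proxy_line(line)
        if ind:
            hits.append(("proxy", no, ind))
    for no, line in enumerate(file_lines, 1):
        ind = match_file_event(line)
        if ind:
            hits.append(("file", no, ind))
    return hits


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_PROXY_LOG = [
    "2019-04-10T09:12:44Z 10.0.5.21 GET http://gladiyator.tk/api/index.php 200",
    "2019-04-10T09:13:02Z 10.0.5.21 CONNECT 94.23.148.194:443 200",
    "2019-04-10T09:13:30Z 10.0.5.22 GET http://www.example.com/ 200",
    "2019-04-10T09:14:01Z 10.0.5.23 GET http://cdn.gladiyator.tk/update 200",
]
SAMPLE_FILE_EVENTS = [
    r"2019-04-10T09:11:58Z host=WS-0421 path=C:\Users\user\Downloads\F35-Specifications.doc md5=5C6148619ABB10BB3789DCFB32F759A6",
    r"2019-04-10T09:12:10Z host=WS-0421 path=C:\Users\user\Downloads\empty.txt md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY_LOG, SAMPLE_FILE_EVENTS):
        print(hit)
```

Hashes are compared case-insensitively because EDR products differ in how they print them, and the CONNECT line shows why IP literals must be checked separately from URL hosts: TLS tunnels to a C&C IP never carry an `http://` prefix.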

Türkiye under attack

On April 10, 2019, Group-IB experts discovered a leak of the e-mail addresses of the Turkish company ASELSAN A.Ş, the largest military electronics company in Turkey. Its products include radar and electronic warfare, electro-optics, avionics, unmanned systems, and land, naval, weapon and air defense systems.

While studying one of the new POWERSTATS malware samples, Group-IB experts determined that the MuddyWater attackers used as a decoy a license agreement between Koç Savunma, a company developing information and defense technology solutions, and Tubitak Bilgem, a research center for information security and advanced technologies. The contact person for Koç Savunma was Tahir Taner Tımış, who held the position of Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. He later went to work at ASELSAN A.Ş.

Sample decoy document

After the user enables the malicious macro, the POWERSTATS backdoor is downloaded to the victim's computer.

Thanks to the metadata of this decoy document (MD5: 0638adf8fb4095d60fbef190a759aa9e), the researchers were able to find three more samples with identical values, including the creation date and time, the user name, and the list of macros contained:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)
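The pivot described above is a composite-key match: a document is related to the seed only if author, creation timestamp and macro list all coincide. The script below is an added example, not code from the Group-IB write-up. The file names and MD5 values are those listed on this page; the author, creation timestamp and macro names are constructed placeholders (the page shows the real values only in a screenshot), and the first decoy's file name and the unrelated `invoice.doc` record are invented for the demonstration. It also shows why pivoting on a single field such as the author is too weak.

```python
"""Pivot on document metadata to find related decoys.

Added example; not code from the Group-IB write-up. MD5 values and the
three file names come from the page; author/created/macros values and
the "decoy.doc" and "invoice.doc" names are constructed placeholders.
"""
from collections import defaultdict

# Constructed metadata records (author, created and macros are placeholders).
RECORDS = [
    {"name": "decoy.doc", "md5": "0638adf8fb4095d60fbef190a759aa9e",
     "author": "user1", "created": "2019-03-05T08:41:00",
     "macros": ("AutoOpen", "Run")},
    {"name": "ListOfHackedEmails.doc", "md5": "eed599981c097944fa143e7d7f7e17b1",
     "author": "user1", "created": "2019-03-05T08:41:00",
     "macros": ("AutoOpen", "Run")},
    {"name": "asd.doc", "md5": "21aebece73549b3c4355a6060df410e9",
     "author": "user1", "created": "2019-03-05T08:41:00",
     "macros": ("AutoOpen", "Run")},
    {"name": "F35-Specifications.doc", "md5": "5c6148619abb10bb3789dcfb32f759a6",
     "author": "user1", "created": "2019-03-05T08:41:00",
     "macros": ("AutoOpen", "Run")},
    # Unrelated document sharing only the author name: must not cluster
    # with the decoys when the full pivot key is used.
    {"name": "invoice.doc", "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "author": "user1", "created": "2018-11-20T14:02:00",
     "macros": ()},
]

# Fields that together form the pivot key, as the analysis above uses them.
PIVOT_FIELDS = ("author", "created", "macros")


def pivot_key(record, fields=PIVOT_FIELDS):
    """Build the composite key a record is compared on."""
    return tuple(record[f] for f in fields)


def cluster(records, fields=PIVOT_FIELDS):
    """Group all records by pivot key; returns {key: [records]}."""
    groups = defaultdict(list)
    for rec in records:
        groups[pivot_key(rec, fields)].append(rec)
    return dict(groups)


def related_to(seed_md5, records, fields=PIVOT_FIELDS):
    """MD5s (sorted) of records sharing the seed's pivot key, seed excluded."""
    by_md5 = {r["md5"]: r for r in records}
    key = pivot_key(by_md5[seed_md5], fields)
    return sorted(r["md5"] for r in records
                  if r["md5"] != seed_md5 and pivot_key(r, fields) == key)


if __name__ == "__main__":
    seed = "0638adf8fb4095d60fbef190a759aa9e"
    print("full key :", related_to(seed, RECORDS))
    print("author only:", related_to(seed, RECORDS, ("author",)))
```

Pivoting on the full key returns exactly the three samples named above; pivoting on the author alone also pulls in the unrelated record, which is why the analysis combines several metadata fields before treating documents as the same campaign.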

Screenshot of the identical metadata of the various decoy documents

One of the discovered files, named ListOfHackedEmails.doc, contains a list of 34 e-mail addresses in the @aselsan.com.tr domain.

Group-IB experts checked these e-mail addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered breaches. A check of the available mix of leaks turned up about 400 unique records tied to these addresses, together with their passwords. It is possible that the attackers used these published data to attack ASELSAN A.Ş.

Screenshot of the ListOfHackedEmails.doc file

Screenshot of the list of more than 450 login-password pairs found in public leaks

Among the discovered samples there was also a document named F35-Specifications.doc, referring to the F-35 fighter aircraft. The decoy is a specification sheet for the F-35 multirole fighter-bomber, giving the aircraft's characteristics and price. The subject of this decoy is directly related to the US refusal to supply F-35s after Turkey's purchase of the S-400 system, and to the threat of information about the F-35 Lightning II being passed to Russia.

All the data obtained indicate that the main targets of MuddyWater cyberattacks are organizations located in Turkey.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were discovered that had been created by a Windows user with the nickname Gladiyator_CRK. These documents also delivered the POWERSTATS backdoor and connected to a C&C server with the similar name gladiyator[.]tk.

This may have happened after the user Nima Nikjoo posted on Twitter on March 14, 2019, trying to deobfuscate code related to MuddyWater. In the comments to that tweet, the researcher said he could not share indicators of compromise for this malware, since the information was confidential. Unfortunately, the post has already been deleted, but traces of it remain online.

Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites dideo.ir and videoi.ir. On these sites he demonstrates PoC exploits for disabling antivirus tools from various vendors and bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist, reverse engineer and malware analyst working for MTN Irancell, an Iranian telecommunications company.

Screenshot of the videos as cached in Google search results.

Then, on March 19, 2019, the Twitter user Nima Nikjoo changed his nickname to Malware Fighter and deleted the related posts and comments. The Gladiyator_CRK profile on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile itself was renamed N Tabrizi. However, almost a month later (April 16, 2019) the Twitter account went back to using the name Nima Nikjoo.

During the investigation, Group-IB experts found that Nima Nikjoo had already been mentioned in connection with cybercriminal activity. In August 2014, the Iran Khabarestan blog published information about individuals associated with the Iranian cybercriminal group Nasr Institute. A FireEye investigation stated that Nasr Institute is a contractor for APT33 and was also involved in the DDoS attacks on US banks in 2011 to 2013 that were part of the campaign known as Operation Ababil.

The same blog mentioned Nima Nikju-Nikjoo, who was developing malware to spy on Iranians, along with his e-mail address: gladiyator_cracker@yahoo[.]com.

Screenshot of the data on the cybercriminals of the Iranian Nasr Institute.

Translation of the highlighted text: Nima Nikio - Spyware Developer - Email:

As can be seen from these data, the e-mail address matches the address used in the attacks and the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article dated June 15, 2017 noted that Nikjoo had been somewhat careless in publishing references to Kavosh Security Center on his profile. There is an opinion that Kavosh Security Center is backed by the Iranian state to fund pro-government hackers.

Information about the company Nima Nikjoo works for:

The LinkedIn profile of the Twitter user Nima Nikjoo lists his first place of work as Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malware and was also engaged in reverse engineering and related work.

Information on LinkedIn about the company Nima Nikjoo works for.


MuddyWater and inflated self-esteem

It is curious that the MuddyWater group closely follows every report and post that information security experts publish about it, and initially even planted deliberate false flags to throw researchers off the scent. For example, their first attacks misled experts through the use of DNS Messenger, which is usually associated with the FIN7 group. In other attacks they inserted Chinese strings into the code.

The group also likes to leave messages for researchers. For example, they did not like that Kaspersky Lab placed MuddyWater only in 3rd place in its threat ranking for the year. Around the same time, someone, presumably the MuddyWater group, uploaded to YouTube a PoC of an exploit that disables the Kaspersky Lab antivirus. They also left a comment under the article.

Screenshots of the video on disabling the Kaspersky Lab antivirus and of the comment under it.

It is still difficult to draw an unambiguous conclusion about the involvement of "Nima Nikjoo". Group-IB experts are considering two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group who surfaced because of his carelessness and increased activity online. The second option is that he was deliberately "exposed" by other members of the group in order to divert suspicion from themselves. In any case, Group-IB is continuing its investigation and will report its results.

As for the Iranian APTs, after a series of leaks and exposures they will probably face a serious "debriefing": the hackers will be forced to change their tools, clean up their tracks and look for possible "moles" in their ranks. The experts did not rule out that they would even take a time-out, but after a short pause the attacks of Iranian APTs resumed.

Source: www.hab.com
