Muddy water: how the MuddyWater hackers attacked a Turkish manufacturer of military electronics


Iran's state hackers are in serious trouble. At the start of spring, unknown persons published a "secret leak" on Telegram: data on the Iranian state-linked APT groups OilRig and MuddyWater, including their tools, victims and connections. But not all of it. In April, Group-IB specialists discovered leaked addresses belonging to the Turkish company ASELSAN A.Ş, which manufactures tactical military radios and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, Group-IB Advanced Threat Research Team Leader, and Nikita Rostovtsev, junior analyst at Group-IB, describe how the attack on ASELSAN A.Ş unfolded and identify a person who may be involved with MuddyWater.

The leak via Telegram

The leaks of Iranian APT groups began when someone calling themselves Lab Dookhtegan published the source code of six APT34 (aka OilRig and HelixKitten) tools, disclosed the IP addresses and domains involved in the group's operations, and released data on 66 victims, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also released details of the group's past operations and information on employees of Iran's Ministry of Intelligence and National Security who were allegedly linked to the group's activities. OilRig is an Iran-linked APT group active since 2014 that targets government, financial and military organizations, as well as energy and telecommunications companies, in the Middle East and China.

After OilRig was exposed, the leaks continued: information about the activities of another pro-state group from Iran, MuddyWater, appeared on the darknet and on Telegram. However, unlike the first leak, this time it was not source code that was published but dumps, including screenshots of source code, control servers, and the IP addresses of past victims. This time a group of hackers called Green Leakers claimed responsibility for the MuddyWater leak. They run several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater operations.

Cyber spies from the Middle East

MuddyWater is a group that has been active in the Middle East since 2017. For example, according to Group-IB specialists, from February to April 2019 the attackers sent a series of phishing emails to government, educational, financial, telecommunications and defense organizations in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

The group's members use a PowerShell-based backdoor of their own development called POWERSTATS. It can:

  • collect information on local and domain accounts, available file servers, internal and external IP addresses, and the name and architecture of the OS;
  • execute code remotely;
  • upload and download files via the C&C;
  • detect the presence of debugging tools used for malware analysis;
  • shut down the system if malware analysis tools are detected;
  • delete files from local drives;
  • take screenshots;
  • disable security features in Microsoft Office products.

At one point the attackers made a mistake, and ReaQta researchers managed to obtain the final IP address, which was located in Tehran. Given the targets the group attacks and its cyber-espionage objectives, experts concluded that the group represents the interests of the Iranian government.

Indicators of compromise

C&C:

  • gladiator[.]tk
  • 94.23.148[.]194
  • 192.95.21[.]28
  • 46.105.84[.]146
  • 185.162.235[.]182

Files:

  • 09aabd2613d339d90ddbd4b7c09195a9
  • cfa845995b851aacdf40b8e6a5b87ba7
  • a61b268e9bc9b7e6c9125cdbfb1c422a
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • a066f5b93f4ac85e9adfe5ff3b10bc28
  • 8a004e93d7ee3b26d94156768bc0839d
  • 0638adf8fb4095d60fbef190a759aa9e
  • eed599981c097944fa143e7d7f7e17b1
  • 21aebece73549b3c4355a6060df410e9
  • 5c6148619abb10bb3789dcfb32f759a6
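As an added example (not part of the original article and not Group-IB's tooling), the script below turns the indicators listed above into a simple matcher and runs it over a few constructed log lines: a DNS query, a proxy connection, an EDR file-write event and an EDR process event. None of these lines are real telemetry; the host names, client IPs and workstation names in them are invented. The indicators are refanged from the "[.]" notation the article uses, domains are matched including subdomains, and, because the article says the macro in the decoy document downloads POWERSTATS, a behavioural check for Word spawning PowerShell is included alongside the plain indicator matching.

```python
"""Match the article's MuddyWater IOCs against constructed log lines."""
import re

# Indicators exactly as printed in the article (defanged with "[.]").
C2_DOMAINS = ["gladiator[.]tk"]
C2_IPS = ["94.23.148[.]194", "192.95.21[.]28", "46.105.84[.]146", "185.162.235[.]182"]
FILE_MD5S = [
    "09aabd2613d339d90ddbd4b7c09195a9", "cfa845995b851aacdf40b8e6a5b87ba7",
    "a61b268e9bc9b7e6c9125cdbfb1c422a", "f12bab5541a7d8ef4bbca81f6fc835a3",
    "a066f5b93f4ac85e9adfe5ff3b10bc28", "8a004e93d7ee3b26d94156768bc0839d",
    "0638adf8fb4095d60fbef190a759aa9e", "eed599981c097944fa143e7d7f7e17b1",
    "21aebece73549b3c4355a6060df410e9", "5c6148619abb10bb3789dcfb32f759a6",
]


def refang(ioc):
    """Turn a defanged indicator such as "gladiator[.]tk" back into a matchable one."""
    return ioc.replace("[.]", ".").lower()


DOMAIN_SET = {refang(d) for d in C2_DOMAINS}
IP_SET = {refang(i) for i in C2_IPS}
MD5_SET = {h.lower() for h in FILE_MD5S}

# Word boundaries keep "192.95.21.28" from matching inside "192.95.21.280"
# and a 32-hex MD5 from matching inside a longer SHA-1/SHA-256 string.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def matching_c2_domain(host):
    """Return the C2 domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in DOMAIN_SET:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_line(line):
    """Return a list of (category, indicator) hits for one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        domain = matching_c2_domain(host)
        if domain:
            hits.append(("c2_domain", domain))
    for ip in IP_RE.findall(line):
        if ip in IP_SET:
            hits.append(("c2_ip", ip))
    for digest in MD5_RE.findall(line):
        if digest.lower() in MD5_SET:
            hits.append(("file_md5", digest.lower()))
    # Behavioural check for the delivery chain described in the article:
    # a Word macro launching PowerShell to fetch the POWERSTATS backdoor.
    fields = {k.lower(): v.strip('"').lower() for k, v in KV_RE.findall(line)}
    if fields.get("parent", "").endswith("winword.exe") and \
            fields.get("image", "").endswith("powershell.exe"):
        hits.append(("behavior", "winword.exe->powershell.exe"))
    return hits


def scan_log(lines):
    """Return [(line_number, category, indicator)] for every hit in lines."""
    return [(n, cat, ioc)
            for n, line in enumerate(lines, 1)
            for cat, ioc in scan_line(line)]


# Constructed sample log (invented hosts, client IPs and workstation names;
# only the C2 domain, C2 IP and file hash are taken from the article).
SAMPLE_LOG = [
    "2019-04-10T09:12:03Z dns client=10.0.1.15 query=update.gladiator.tk type=A",
    "2019-04-10T09:12:04Z proxy client=10.0.1.15 dst=94.23.148.194:443 method=CONNECT",
    "2019-04-10T09:15:21Z proxy client=10.0.1.22 dst=93.184.216.34:443 host=example.com",
    "2019-04-10T09:16:00Z edr host=WS-015 event=file_write "
    "path=C:\\Users\\user\\Downloads\\F35-Specifications.doc md5=5c6148619abb10bb3789dcfb32f759a6",
    "2019-04-10T09:16:05Z edr host=WS-015 event=process parent=WINWORD.EXE image=powershell.exe "
    'cmdline="powershell -nop -w hidden -enc <base64>"',
    "2019-04-10T09:20:11Z dns client=10.0.1.30 query=gladiatorsports.example.net type=A",
]

if __name__ == "__main__":
    for n, cat, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {cat} {ioc}")
```

Two of the six constructed lines are deliberately benign look-alikes (a domain that merely starts with "gladiator", an unrelated destination IP) and produce no hit. The IP and hash indicators are the least durable part of this: the infrastructure in the list dates from spring 2019 and a recompiled sample changes its MD5, whereas the Word-spawns-PowerShell rule keeps catching the same delivery technique and is what a practitioner would keep as a standing detection (with an allow-list for any legitimate add-ins that do the same).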

Turkey under attack

On April 10, 2019, Group-IB specialists discovered leaked addresses belonging to the Turkish company ASELSAN A.Ş, the largest military electronics company in Turkey. Its products include radar and electronic warfare systems, electro-optics, avionics, unmanned systems, and land, naval, weapon and air defense systems.

While studying one of the new POWERSTATS malware samples, Group-IB specialists established that the MuddyWater attackers were using as a lure a license agreement between Koç Savunma, a company developing information and defense technology solutions, and Tubitak Bilgem, a research center for information security and advanced technologies. The contact person for Koç Savunma was Tahir Taner Tımış, who held the position of Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. He later went to work at ASELSAN A.Ş.

Example of a decoy document

Once the user enables the malicious macros, the POWERSTATS backdoor is downloaded to the victim's computer.

Using the metadata of this document (MD5: 0638adf8fb4095d60fbef190a759aa9e), the researchers were able to find three more samples with matching properties, including the creation date and time, the user name, and the list of macros they contain:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)

Screenshot of the matching metadata of the different decoy documents

One of the documents found, named ListOfHackedEmails.doc, contains a list of 34 email addresses in the @aselsan.com.tr domain.

Group-IB specialists checked these email addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered leaks. A check of the available leak compilations revealed about 400 unique logins associated with this domain together with their passwords. It is possible that the attackers used this publicly available data in the attack on ASELSAN A.Ş.

Screenshot of the ListOfHackedEmails.doc document

Screenshot of the list of more than 450 login-password pairs found in public leaks

Among the samples found there was also a document entitled F35-Specifications.doc, referring to the F-35 fighter. The decoy document is a specification of the F-35 multirole fighter, giving the aircraft's characteristics and price. The subject of this decoy document is directly related to the US refusal to deliver F-35s after Turkey's purchase of the S-400 system and the threat of F-35 Lightning II data being transferred to Russia.

All the data obtained indicated that the main targets of MuddyWater's cyber attacks were organizations located in Turkey.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were found that had been created by a single Windows user with the name Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with a similar name, gladiator[.]tk.

This may have happened after the user Nima Nikjoo posted on Twitter on March 14, 2019, attempting to decode obfuscated code associated with MuddyWater. In the comments to that tweet, the researcher said he could not share indicators of compromise for this malware because the information was confidential. Unfortunately, the post has since been deleted, but traces of it remain online.

Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites Dideo.ir and videoi.ir. On these sites he demonstrates PoCs for disabling antivirus tools from various vendors and for bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist and malware research expert working at MTN Irancell, an Iranian telecommunications company.

Screenshot of the videos preserved in Google search results:

Later, on March 19, 2019, the Twitter user Nima Nikjoo changed his name to Malware Fighter and also deleted posts and comments. The Gladiyator_CRK profile on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile was renamed N Tabrizi. However, almost a month later (April 16, 2019), the Twitter account went back to using the name Nima Nikjoo.

During the investigation, Group-IB specialists found that Nima Nikjoo had previously been mentioned in connection with cybercriminal activity. In August 2014, the Iranian blog Khabarestan published information on individuals associated with the Iranian cybercriminal group Nasr Institute. A FireEye investigation stated that Nasr Institute was a contractor for APT33 and had taken part in DDoS attacks on US banks between 2011 and 2013 as part of the campaign known as Operation Ababil.

In that same blog, Nima Nikju-Nikjoo was named as a developer of malware for spying on Iranians, together with his email address: gladiyator_cracker@yahoo[.]com.

Screenshot of the data on cybercriminals from the Iranian Nasr Institute:

Translation of the text shown: Nima Nikio - Spyware developer - Email:.

As can be seen from this data, the email address is linked both to the domain used in the attacks and to the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article dated June 15, 2017 noted that Nikjoo had been careless in listing Kavosh Security Center on his resume. Kavosh Security Center is believed to be funded by the Iranian state to sponsor pro-government hackers.

Information about the company where Nima Nikjoo works:

The LinkedIn profile linked from Nima Nikjoo's Twitter account lists his first place of work as Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malware and also worked on reverse engineering and deobfuscation.

Information on LinkedIn about the company where Nima Nikjoo previously worked:


MuddyWater and overconfidence

Notably, the MuddyWater group closely monitors every report and message that information security specialists publish about it, and in its early operations even planted false flags on purpose to throw researchers off the scent. For example, its first attacks misled experts because they appeared to use DNSMessenger, which is usually associated with the FIN7 group. In other attacks, the group inserted Chinese strings into its code.

The group also likes to leave messages for researchers. For example, it did not like that Kaspersky Lab ranked MuddyWater only third in its threat rating for the year. Around the same time, someone, presumably the MuddyWater group, uploaded a PoC video to YouTube showing Kaspersky Lab's antivirus being disabled, and left a comment under the article as well.

Screenshots of the video disabling Kaspersky Lab antivirus and the comment beneath it:

It is still difficult to draw a definite conclusion about the involvement of "Nima Nikjoo". Group-IB specialists are considering two versions. Nima Nikjoo may indeed be a MuddyWater hacker who was exposed through his own carelessness and excessive online activity. The second possibility is that he was deliberately "exposed" by other members of the group in order to divert suspicion from themselves. In either case, Group-IB is continuing its investigation and will report its results.

As for the Iranian APTs, after this series of leaks and exposures they will probably face a serious "debriefing": the hackers will be forced to overhaul their tooling, clean up their tracks and hunt for possible "moles" in their ranks. Experts did not rule out that they would take a timeout, but after a short pause the Iranian APT attacks resumed.

Source: www.habr.com
