SAS 2019: 4 Stuxnet-Related APTs Form Gossip Girl, an ‘Apex Threat Actor’

Flowershop, Equation, Flame and Duqu appear to have a hand in the different phases of Stuxnet development, all working as part of an operation active as early as 2006.

SINGAPORE – The infamous Stuxnet family of industrial sabotage malware is likely the work of a mysterious “supra-group” that Chronicle researchers Juan Andres Guerrero Saad and Silas Cutler have dubbed Gossip Girl; and it’s a group that turns out to be larger and far busier than previously known.

In a session at the Security Analyst Summit 2019 in Singapore this week, Saad and Cutler said that in addition to the APT groups already linked to Stuxnet, including developers behind Duqu, Flame and the NSA-linked Equation Group, a fourth, previously unknown collaborator called Flowershop is also related.

They came to their conclusions by uncovering an early Stuxnet component that they dubbed “Stuxshop.”

In the session, they also unveiled other Gossip Girl research, including the discovery of Duqu 1.5, which represents a previously unknown middle stage of that malware’s code. And, the duo said they discovered a new iteration of the Flame malware, called Flame 2.0 – which demonstrates that this code was resurrected after it seemed to disappear, and that it was actually active between 2014 and 2016.

Gossip Girl Supra Threat Actor

In examining links between all of these, Saad and Cutler said there is evidence of the existence of a modular, collaborative development framework overseen by a cluster of “apex threat actors” that they call Gossip Girl. Looking at the relationships between different APTs in the context of an umbrella group concept offers a useful and new perspective on sophisticated threat actor activity and community, they said.

Stuxnet was famously used against Iran’s nuclear infrastructure in 2011. The older Stuxnet component that the two researchers found turns out to share code with Flowershop, which is an even older spyware framework that was active as early as 2002, mainly targeting victims in the Middle East. It was first officially discovered by Kaspersky Lab researchers in 2015, and gained its name due to the recurring use of the word “flower” in the domains associated with some of its command-and-control (C2) servers.

The old code that Chronicle researchers found actually has four identified overlaps with Flowershop. According to the analysis, three of them “are very specific implementations of functionality to query infection markers in registry keys and check for the presence of internet proxy settings.” Meanwhile, “a fourth function overlap is a near complete reuse of code for evaluating the operating system version.”

The upshot? “Querying a multi-petabyte collection of both goodware and malware confirmed that this code is only shared by Flowershop and Stuxshop samples, implying the reuse of closed-source code.”

The findings would place the Flowershop team alongside the other three groups that appear to have a hand in the different phases of Stuxnet development (Equation, Flame and Duqu) all working as part of an operation active as early as 2006.

As Saad noted, “The value of this recent finding is twofold: First, it suggests that yet another team with its own malware platform was involved in the early development of Stuxnet. And secondly, it supports the view that Stuxnet is in fact the product of a modular development framework meant to enable collaboration among diverse, independent threat actors.”

Meanwhile, the code that the researchers have called Duqu 1.5 came to light because an incident response manager that Saad and Cutler knew had held onto the sample as forensic evidence of mysterious malware, which appeared on computers just before the 2015 P5+1 talks regarding Iran’s nuclear program in Switzerland.

Upon investigation, it turned out that the code provides evidence of a previously unknown middle stage of the Duqu malware (which is incidentally so-named based on the naming convention of the files created by its keylogging module, ‘~DQ<…>.tmp’).

Duqu is known to share code with Stuxnet (the researchers said that the main Stuxnet kernel drivers shared developmental links with Duqu’s ‘Tilde-D platform’, involving the threat actor in some of the central development of Stuxnet). However, where Stuxnet is best known as a destructive weapon, Duqu has mainly been used to spy on companies across a dozen countries in Europe, Africa and the Middle East. Interestingly, after a spate of activity in 2011, Duqu appeared to go dormant until 2015, when Kaspersky Lab announced the discovery of Duqu 2.0.

The new version “had been drastically overhauled to operate almost entirely in-memory (away from the prying eyes of most security software) and in a semi-wormlike fashion across an enterprise network,” Saad and Cutler said. It was found inside the venues hosting the P5+1 negotiations that resulted in the Iran deal, according to Kaspersky Lab.

The difference between Duqu 1.0 and Duqu 2.0 was so drastic that “the security community saw Duqu in two snapshots: as the Stuxnet-related modular platform of 2011-2012 and then as the unshrinking, memory-resident, 100+ module-strong juggernaut of 2015,” Saad and Cutler noted in their research – and it remained a mystery as to how Duqu managed to skip any in-the-wild evolutionary stage in-between.

The Chronicle team has solved that mystery by finding Duqu 1.5. They said that the Duqu 1.5 developers decided to rely on an encrypted file on disk to store the submodules that are loaded directly into memory – thus managing to stay under the radar.

“The benefit of this method is that it requires incident responders at a site of infection to identify and retrieve this seemingly innocuous file,” according to the analysis, released Tuesday at SAS 2019. “If the parent malware is uploaded to VirusTotal, this alone won’t enable researchers to retrieve the submodules and gain insights into the scope of the attackers’ operations.”

The important takeaway, according to the researchers, is that the developers behind Duqu were willing to completely overhaul their operations after being caught, and took pains to do it in stealth mode – giving evidence of the existence of a new, collaborative, iterative and highly targeted approach to malware development that they see as the hallmark of the Gossip Girl supra-group.

And finally, the researchers have discovered a new version of Flame, which is an all-in-one cyberespionage toolkit that also shares code overlaps with Stuxnet (specifically, Kaspersky Lab found in 2012 that an older version of Stuxnet included a Flame plugin, Resource 207). The discovery of a new version of Flame is important given that sometime in late May 2012, Flame C2 servers began to distribute a “suicide” module to remaining Flame infections, thus destroying their operations. As a side-effect of this, the research community was able to get a full list of the components and directories that the malware used. “By all accounts, this was considered the death of Flame,” said Saad and Cutler.

However, that turns out to have been a ruse. In looking at old Flame samples, a subset turned out to have compilation timestamps in the range of February to March 2014, nearly two years after Flame operations were thought to be abandoned.
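The compile-date check described above can be run across a sample set by reading the COFF TimeDateStamp from each PE header. This is an added example, not the Chronicle researchers' tooling; the sample headers, file names and the exact cutoff day are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc
# The article dates the Flame "suicide" module to late May 2012; the exact
# cutoff day used here is an assumption for this example.
PRESUMED_END = datetime(2012, 6, 1, tzinfo=UTC)

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)

def built_after(samples: dict, cutoff: datetime = PRESUMED_END) -> dict:
    """Map name -> compile time for PE images stamped later than cutoff."""
    hits = {}
    for name, blob in samples.items():
        try:
            stamp = pe_compile_time(blob)
        except ValueError:
            continue  # not a PE image; skip rather than abort the sweep
        if stamp > cutoff:
            hits[name] = stamp
    return hits

def make_header(when: datetime) -> bytes:
    """Constructed test input: minimal DOS header + PE signature + COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, int(when.timestamp()), 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff

# Constructed samples; names and dates are illustrative, not real indicators.
SAMPLES = {
    "sample_old.bin": make_header(datetime(2011, 8, 15, tzinfo=UTC)),
    "sample_new.bin": make_header(datetime(2014, 2, 20, tzinfo=UTC)),
    "readme.txt": b"plain text, not an executable",
}

if __name__ == "__main__":
    for name, stamp in built_after(SAMPLES).items():
        print(f"{name}: compiled {stamp:%Y-%m-%d} (after presumed end of operations)")
```

The TimeDateStamp field is written by the build toolchain and can be altered afterwards, so a late date is a lead for clustering samples rather than proof of when they were built.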

“While the malware is clearly built on the Flame source code, it includes new counter-measures against researcher meddling,” the Chronicle team said, adding that research into Flame 2.0 is ongoing and that the code remains a bit of a mystery.

“We hope that announcing these findings at an early stage will encourage a collaborative environment in the threat intelligence space,” they said.

When the Stuxshop, Duqu 1.5 and Flame 2.0 findings are taken together, what emerges is the picture of related yet disparate groups, all tied to Stuxnet in some way, that continued (or, perhaps, continue, present tense) to stealthily work on their separate projects well past when they were thought to be active. Understanding them as part of a larger umbrella organization offers important benefits to the research community, the analysts argued.

“Gossip Girl isn’t the first supra threat actor unearthed by the research community, it’s only the first to be described in comprehensive terms,” they said in a Tuesday blog on the findings. “A focus on this ‘multi-tenant’ model of modular malware development and deployment should allow for a higher-fidelity understanding of: the trends followed by seemingly diverse threat actors, the closed-door sharing of techniques and tools, and the organizational complexities behind clusters of malicious activity that defy simplistic attribution claims.”
