Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity

Attackers behind APT campaigns have kept busy in Q2 2017, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines.

Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines.

Juan Andres Guerrero-Saade and Brian Bartholomew, members of Kaspersky Lab’s Global Research and Analysis Team, described some of tactics the researchers have seen in Q2 2017 in a webinar Tuesday morning. The company used the webinar and the quarterly report it was based on to help pull back the veil on threats previously covered by its private intelligence reporting service.

A chunk of the presentation was spent recapping tweaks recently made by Russian-speaking groups Sofacy and Turla.

Sofacy, the group implicated by a December DHS report to election hacks, began using two new macro techniques in April. One abused Windows’ certutil utility to extract payloads—the first time the researchers had seen that technique used—another embedded payloads in the EXIF metadata of malicious Office documents.

“After we started digging into this we found that they were actually using this technique dating back to December 2016,” Bartholomew said, adding that what made the techniques interesting is that they were used to target French political party members prior to the French election on April 23 and May 7.

In June, the researchers noticed that Sofacy had updated a payload, written in Delphi, called Zebrocy. The new iteration, version 5.1 of Zebrocy, implemented new encryption keys and minor string obfuscations, something which helps it bypass detection capabilities, Bartholomew said.

Bartholomew said the researchers were able to tie Zebrocy to Sofacy in mid-2016.

“There were some infrastructure ties there,” Bartholomew said, “There was also another payload called Delphocy that was also written in Delphi. In late 2015 we started seeing Delphi payloads pop up from this group, which we hadn’t seen before. We don’t know why that’s the case, it could be that they hired a developer who just refuses to write anything but Delphi. Either way, once Zebrocy was discovered, it was found in parallel to another Sofacy infection, once we started digging into it there was a little bit of shared code in the Delphi—compared to the other Delphocy payload—and ties to the infrastructure to Sofacy.”

Earlier this spring researchers said they were able to make a potential link between Turla, the APT linked to Moonlight Maze at SAS earlier this year, and Sofacy. Like Sofacy was doing around the same time, Turla was spotted using an EPS zero day (CVE-2017-0261) to target foreign ministries and governments.

“What’s interesting about that is that it may actually indicate a shared supply chain between Turla and Sofacy,” Bartholomew said.

Bartholomew also took time on Tuesday to discuss BlackOasis, a Middle Eastern-speaking group that’s believed to be a client of Gamma Group, the UK-based firm that specializes in surveillance and monitoring equipment, such as FinFisher.

He claims the group, which he’s spent the better chunk of a year and a half researching, has been spotted using several zero days in the past, including CVE-2016-4117, CVE-2016-0984, and CVE-2015-5119. Bartholomew says that what makes it interesting is that the group was the first seen using CVE-2017-0199, an OLE2Link zero-day, in the wild before it was detected. The exploit’s end payload, he adds, is a new variant of FinSpy heavily fortified to prevent analysis by researchers.

“We’re currently trying to look into that, write some decryptors for it and will probably write another report on that in the next couple of months,” Bartholomew said.

Citing their technical sophistication and development, Guerrero-Saade was eager to discuss a crop of English speaking APT actors, including those behind an Equation Group backdoor, EQUATIONVECTOR. While the backdoor has been around since 2006, Guerrero-Saade said what makes it interesting is the fact that it’s the first example of a NOBUS—NObody But US backdoor—they’ve seen in the wild. The backdoor, a passive and active staging backdoor, could be used to execute shellcode payloads, according to the researcher.

Another backdoor, Gray Lambert—an extension of the Lamberts APT group—is much more modern implementation, Guerrero-Saade said. It waits, sleeps, and sniffs the network until it’s ready to be used.

“What makes this NOBUS backdoor particularly interesting is that it provides attackers with a sort of surgical precision over a network of multiple infected machines,” Guerrero-Saade said. “With Gray Lambert installed on these machines [attackers] can essentially decide how they’re going to space their payloads, their commands and attacks.”

The researchers suggest that users should expect more of the same tactics, techniques, and procedures (TTPs) from APT groups going forward. It’s likely countries that have upcoming elections, Germany and Norway for example, will become targets for misinformation campaigns like the one mounted by the Sofacy group. Controversial lawful surveillance tools, like those peddled by the Gamma Group to BlackOasis and those sold by the NSO Group to the Mexican government, will remain popular as well, Guerrero-Saade and Bartholomew said.

The trend of destructive malware disguised as ransomware will likely continue as well, Guerrero-Saade says, but admits it’s a curious question whether or not the technique will ever be embraced by cybercriminals.

“We’ve been talking about incompetent people entering the ransomware space for a quite some time now,” Guerrero-Saade said, “We’re going to see people who are poor coders and won’t even bother to buy an already prepared kit, just essentially trying to leverage something that deletes all the files, or doesn’t do anything but tries to get money out of naïve or unsuspecting victims. The notion of wipers as ransomware is quite different. It’s an interesting phenomenon.”

“Sabotage attacks and wiper attacks are a strange occurrence, they don’t happen that often. I think over the past 10 years we’ve looked at 10 cases tops. They’re very rare components. For the most part I think it has to do with the level of access that you’re burning whenever you use them,” Guerrero-Saade said, “If you’re a cyberespionage actor, if you have access to a network at that point, a Sony or Saudi Aramco, where you can target thousands of machines, the idea of burning that loudly, raising the security profile of the organization as a whole and creating public fallout is extremely costly. It’s a strange circumstance where the calculus pays off.”

While it may not be a popular technique for cybercriminals on a lower level, Guerrero-Saade said, it’s not out of the realm of possibility for APT gangs to continue to use the vector to create havoc.

“Let’s say we have all the means for a sabotage attack and we want to disguise it as ransomware or as something potentially treatable, it’s not necessarily that different from what the Lazarus Group did with Sony, or some other South Korean targets, where first they asked for money and then dumped data anyways. It’s an evolution that’s particularly troubling,” Guerrero-Saade said.

Suggested articles