An APT group with its sights on selective targets, most of those in Israel, has been using an elusive malware implant to steal data from groups with state and political interests.
The gang, called Volatile Cedar by researchers at Check Point Software Technologies, has been working since 2012 and could have ties to the Lebanese government or a political group operating in the country.
“This is the first time we are aware of cyber capabilities of some kind from an actor in Lebanon. It’s not surprising, a matter of time really before anyone in the government or a major political group developed capabilities in that realm,” said Shahar Tal, vulnerability research manager at Check Point Software Technologies.
Tal said many of the confirmed targets belong to organizations in Israel, as well as neighboring countries, including Turkey. Those targets include defense contractors, telecommunications companies, IT companies, media outlets and educational institutions.
The implant, called Explosive, is a remote access Trojan that goes to great lengths to not only steal data from its victims, but also to hide its presence from victims and security software. The implant has been used only a handful of times, and if a version is detected by antivirus or intrusion detection, for example, a new version of the same implant is quickly developed.
Check Point said it has found five variants of Explosive since it was first used in November 2012. Each time, new attack features or obfuscation were added: versions 1 through 3 evolved quickly to encrypt network traffic and to add clipboard monitoring and other surveillance features, followed by a pair of rarer versions of the malware called KS and Micro. KS does not use a backdoor for communication; instead, stolen data is stored on the compromised server to be retrieved later by the attackers. Micro, meanwhile, could be the predecessor to Explosive, Check Point said, adding that it detected only a few samples.
Rather than use phishing as an initial means of infecting an organization, Volatile Cedar campaigns generally target publicly exposed Windows servers, Check Point said, using these as an initial foothold in order to eventually pivot to other machines on the target network.
“Spear phishing is the expected way to go,” Tal said. “This is actually a pretty effective way of entering networks. If you have web hacking skills, you’re going to get something on that webserver. Once you’re inside the webserver, there’s usually little protection going from the outside to the intranet.”
Tal said organizations may sacrifice security for productivity on internal-facing systems, instead relying on security around the webserver to keep intruders out.
“It’s a unique pivot point where you basically open a portal on the internal network and are uninterrupted by most firewall solutions,” Tal said. “People are not aware of this. They don’t generally segment their network enough because they trust the webserver to block everything coming in, but once you successfully take over a web application, it’s not protected from the inside.”
Once a public server is discovered, the attackers scan it for vulnerabilities and, if they find one, plant a Web shell that serves as a backdoor: it is used to send out stolen data and to deliver new commands and configurations, including the Explosive Trojan, to the compromised machine.
“This Trojan allows the attackers to send commands to all targets via an array of C&C servers. The command list contains all the functionality required by the attacker to maintain control and extract information from the servers and includes keylogging, clipboard logging, screenshots, run commands, etc,” the report says. “Occasionally, mostly in cases where large data extractions are required, the attacker installs an additional SSH tunnel which is connected to PLink servers controlled by the attacker.”
Check Point says Explosive contains a main executable binary and a DLL with backend API calls. The binary contains the Trojan’s logic, while the DLL contains exported API functions.
“The Explosive DLL file is dynamically loaded by the main executable at runtime whenever it is needed, and unloaded when the desired action is complete,” the report says. “This separation is probably designed to support quick functionality patches by the attackers, and to avoid heuristic detection of the main executable by common AV engines and other protection software.”
Explosive creates several threads, including a keylogger, clipboard logger, memory monitor, and a means to check in with its command and control server to determine whether the connection is alive and secure before sending data or receiving further commands. Those commands include the ability to dump Internet Explorer browsing history, steal saved passwords, get registry values, list running processes, run a command line, send files to a command server, delete specified files, get folder contents, kill Explosive processes, remove traces, and restart.
As for attribution, while not definitive, Check Point said it was able to connect enough dots to point the finger at Lebanon. For example, compile times point to work hours in the region. The first command and control servers in the operation were hosted at a Lebanese web host, not typical of other APT campaigns. Also, DNS registration information on some of the infrastructure servers led to connections in Lebanon, as did some of the DNS contact information, which had ties to social media accounts with Lebanese political leanings.
“It’s not NSA-grade malware, but it’s also not script kiddie level,” Tal said. “They’re not replacing firmware, but they are implementing stealth features and eliminating what analytic tools would flag. What they lack in technical skill, they make up for in operation discipline.”