| Timeline of the report updates |
|---|
April 29, 2016, brief report and sample analysis report were drafted. May 12, 2016, comprehensive analysis report was completed. June 20,2016, the public version of the report was updated. |
1. Overview
Operation Sphinx is a cyber-espionage activity in the Middle East. The main victims are political and military organizations in Egypt, Israel and possibly other countries. Sensitive data theft is what the attackers plotted for during the period from June, 2014 to November, 2015 when the activity was in its prime. We encountered some timestamps of the samples to be as early as December, 2011 which suggests the attack might be started much earlier, though further sound proof is needed. The main approach of Sphinx is watering hole attack on social websites. Until now, we have obtained 314 pieces of sample malicious codes and 7 C2 domains.
A common method attackers use to hide their trace is to cloak malicious exe files with Word or PDF icons so that users will not tell the difference without looking into the file attribution or property. The Sphinx attackers adopt it as well, but they also attempt to conceal the attacks by making the master program “invisible”. In our analysis, Sphinx’ master program was found to be disguised with Word icon in order to trap users to click. Upon clicking, the master program released several DLL files. The files can be categorized into 9 types of plugin modules by functionality. The core DLL fill could be self-started after registering as a plugin of the resource management panel. Then, based on different configurations, remote injection was triggered to inject other functional DLL to corresponding running process. This way, when the malware was running, the master program had already been split into several imperceptible pieces. That decreases the risk for the targets to realize the existence of the malware. Multiple encryption algorithms were adopted simultaneously to hamper the detection.
Seeing from the PDB paths, we suspect that the attackers were using continuous integration tools, which indicts that the scale of operation may massive and the developers of the malware are professionals in relevant fields. Furthermore, we speculate that some third party organizations were involved in helping develop the malware to support the Middle East’s attackers.
2. Payload Delivery
1) Watering Holes on Social Websites
One of the lure documents was found in the comments area on Israeli Army’s Facebook. It shows the attackers took advantage of this social websites to deliver the payload because their targets often visit it. This is the watering hole that has been seen as compromise vector in many cyber-attacks. Traditionally, watering holes attacks can be categorized into two types by approach:
- Attackers will usually study and capture the website that their targets often visit. Then malware code (usually the scripts exploit some vulnerability) is directly embedded on the site. Now, the site is infected with Trojan and the trap is ready for victims. When the targets visit the site and click infected pages, the malware will be implanted in their computer if the network environment matches attackers preset conditions.
- Attackers will capture a website and replace certain application or link on it with malicious download link. Once target visits the site and download the file in the link, malware will be implanted in the victim’s computer. Typical cases are the Havex Trojan[1] (also known as Dragonfly or Energetic Bear) unrevealed in 2014 and OceanLotus in late May, 2015[2].
The commonness the two approaches share is attackers need to obtain the authorization to modify the website they aim to capture. However, in Sphinx attacks, it is much easier to get authorized to deploy the watering holes because they just need to simply register a Facebook account. That is all they need to be free to scatter malicious links in the comments’ area. It is a new approach in setting up watering holes in APT attacks.
Picture 1 Location of the samples on Facebook
The table below shows detailed download link and MD5 of the RAR file from the link:
| Malicious Download Link | |
|---|---|
| Status of the Domain | |
| MD5 of the Downloaded RAR File | 1e4ed1704e31917f8652aa0078a85459 |
Lure documents in the RAR file are about the amendment on individual income tax regulations. The original exe icon has been replaced with a PDF or Word icon to induce targets to click.
Picture 2 Lure documents in RAR file folder
With in-depth analysis, we found that 10 social website accounts in total were compromised in the attacks, including Israeli Army, Israeli Navy and other accounts related with Israeli military and government. Malicious comments are intense from late January to early February in 2015. The content containing a malicious link are mostly about the aforementioned adjustments of individual income tax.
*Please review Appendix A for a whole list of the sites.
Picture 3 C2 domain took over by Kaspersky using sinkhole technique
2) Lure Documents
There are two types lure documents and the contents can tell APT researchers what fields and geos the attackers were targeting.
- Egypt – Arabic
Picture 4 Lure documents – 1
In the original lure document[3], the YouTube video links showing the arrests of students from Al-Azhar University that against the coup are included at the end of the file.
Picture 5 Lure Document – 2
The name “annonymous rabaa” on the picture is an Egyptian hacker group that compromise government official sites to protest the slaughter in August, 2013.
- Israel – Hebrew
Picture 6 Lure document – 3
This document quotes the adjustments of Israeli individual income tax.
3) Self-camouflage
The malware either cloak itself with documentation and image icon, or with application icon. The picture below shows a fake Adobe Flash installer file.
Picture 7 Impersonation of a document
Picture 8 Impersonation of an Adobe Flash application
With the former approach, no document or image will pop-up upon clicking; while with the latter approach, the legitimate installer file will be released after the malware finishes its installation.
The 9 plugin modules are disguised as Office components. In earlier version of the malware, the installation directory is %UserProfile%\AppData\Roaming\officeplugin. But later versions changed the path to be under C:\Program Files{GUID}, for instance, C:\Program Files{59f0641e-45ac-11e5-af9e-b8ca3af5855f} is a piece of malware that pretends to be a system component.
Picture 9 File Property of the Malware
3. Malware Analysis – ROCK
1) Functionality Brief
ROCK Trojan plays a main role in the Sphinx attacks. This malware family was developed by the attackers themselves or was customer-made by a third party group. We also found a variant of the njRAT family in another sample which we will introduce in another chapter.
The malware impersonated Word documents, images or installation programs in the attempt to disguise itself as PDF files, pictures or Flash installers to induce the users to click.
The main purpose is to steal sensitive information from the victims, such as system information, account & password and search history saved in the browser. It also monitors victims through Skype chatting history, cameras, microphones and keyboard & mouse logging. The information collected will then be encrypted and passed back to specific C2 servers.
2) Infrastructure
Picture 10 Infrastructure of the malware
Configuration data of all the modules is saved in JSON configuration file. The file decides, to name a few, whether to run the module or not, what encryption key to use on the data files, what pixels and intervals of the screenshots and audio recordings are required, as well we what running process the master program should be injected in. It also provides the user ID (rkuid), due date, C2 address, etc.
Picture 11 Modules and Functionalities
The dropper releases 20 DLL files in total with ten 32-bit and ten 64-bit. Each module is composed of two versions to be compliant with 32-bit and 64-bit system.
| Module name | Functionality |
|---|---|
| zcore | Master program |
| zulib | API function encapsulation |
| plgcmd | Obtain system info, screenshots, startup/end progress |
| plgcomm | Communication |
| plginput | Mouse and keyboard logging |
| plgurl | Monitor the content in web browser’s (IE, FireFox, Chrome) address bar |
| plgskype | Save and pass back Skype chatting history, screenshots and audio records |
| plgavbug | Monitor through camera and microphone, send back the records |
| plgusrstl | Steal user information, including account name & password, search history, cookies, Pidgin (IM software) account |
| plgfsflt | Monitor and pass back data of specific file types like doc, docx, ppt, pptx, xls, xlsx, odf, txt, pdf, rtf, jpg, jpeg, gif, png |
When the master program Zcore is started, it decrypts the configuration file under installation directory and decides whether to inject into certain process according to the module status (true/false) in the configuration file.
Function modules:
- dll core module: mainly responsible for loading other function modules and injecting them to certain process; register, update and uninstall modules, distribute logs and messages
- dll command module: obtain system information, delete file and directory, take screenshots, upload saved documents, start and end process.
- dll communication module: transfer data generated and encrypted by other modules to specific C2 server. The module sends a request to the server per minute to acquire remote commands.
The cross-process communication between each module is completed via WM_COPYDATA messages. Every message begins with 0x34AB541 which is the unique identification. The body of the message is transferred in JSON codes.
3) C2 Communication
The message is transferred in data package to server port 80 through HTTP POST. Sensitive strings in the package are replaced after querying the mapping table of JSON configuration file.
Picture 12 C2 Communication
Picture 13 Restored Strings of C2 Communication
C2 communication modules is injected into the browser process and the port used to send data to C2 server is port 80, these two methods perfectly cloak the attack among the normal traffic.
4) Attack Techniques
Random file names
The module files are re-named randomly after being released by the Dropper and the names are stored in the JSON file (usually nouns in English, for instance, gendarme.dll, jerques.dll).
Picture 14 File name of the modules
String Encryption
All the strings are encrypted by several encryption algorithms.
Picture 15 String Encryption
API function encapsulation
A great amount of API functions (over 300) are encapsulated in zulib (a dynamic dll library) to hamper static analysis from security software.
Runtime without master program
The core module is started up as an extension of explorer.exe. Other modules are injected into certain processes according to the configuration file. Therefore, there is no master program running during the malware runtime which makes the malicious activities hard to be noticed. Even though sometimes users may sense the abnormity, they would still relax their vigilance at last with checking attempt ending up in vain.
Process injection
The master module runs in a legitimate explorer which security software will not intercept. Communication module is usually injected into the browser process. But if there is no browser process, the malware will give up communicating with C2 server. The data theft module is injected into security software so as to make the malware’s trace inconspicuous when it traverses files.
PE and config file encryption
PE files in the dropper are compressed by zlib and encrypted by AES algorithms, as well as the configuration files released by the dropper.
No matter on dynamic or static combat, the attack tactics indicts that these malware developers must have spent time and efforts studying security software to compile customer-made malware so as to avoid detection and cover its trace.
4. Correlation Analysis
1) Attackers’ Facebook Accounts
These Facebook accounts played important roles in the watering hole attacks.
2) PDB Paths
| PDB paths |
|---|
| C:\Users\user\bamboo-agent-home\xml-data\build-dir\ROCK-RW2-BRW6R\x64\Release-RkLibDll |
| Z:\rootkits\windows\zico\x64 |
| Z:\build\rootkits\windows\zico\Release |
We have the below discoveries based on the PDB paths:
- The ID of the developer is zico
- The name of the program is ROCK-RW2-BRW6R
- The internal name used is rootkits
3) Lure Documents
| File Name | English |
|---|---|
| ملف المعتقلات بجامعة الازهر فك الله أسرهن (1).pdf | Detention of Al-Azhar University students the file may Allah free them(1).pdf |
| استراتيجية الحراك الثوري للمقاومة الشعبية\File1.pdf | Revolutionary movement of people’s resistance strategy/File1.pdf |
| מס הכנסה מלכודת\מס הכנסה- עדכונים.pdf | Adjustment on individual income tax.pdf |
| تنظيم المجموعات الثورية\File1.pdf | Organizing revolutionary groups/File1.pdf |
| ولاية سيناء-مخطط السيطرة الكامن\امن المطارد.pdf | The state of the Sinai-scheme/underlying security control Chaser.pdf |
| ولاية سيناء-مخطط السيطرة الكامن\توجيه السيارات المفخخة ضد المباني.pdf | The state of the Sinai-scheme/underlying car bombs directed against buildings control.pdf |
| ولاية سيناء-مخطط السيطرة الكامن\هندسة المتفجرات من فلسطين.pdf | The state of the Sinai-scheme/underlying explosives engineering control of Palestine.pdf |
The file names give us the hint that the attacks are related with Egypt and Israel.
4) njRAT
52f461a133e95328ccd9ba7f70e2f3e6 is a remote control released by the samples and disguised in an Adobe.pdf icon. The remote control is a variant of njRAT malware family which is prevalent in the Middle East.
5) Geo-location of C2
Picture 16 Associations between samples and CC
C2 IP 196.205.194.60 is one of the samples that locate in Egypt. Incoherence, the C2 IP 196.205.194.61 of njRAT released by it is also in Egypt. | MD5 | Malware Family | C&C IP | Geo location | |----------------------------------|----------------|----------------|--------------| | 52f461a133e95328ccd9ba7f70e2f3e6 | ROCK | 196.205.194.60 | Egypt | | c80b3fb9293a932b4e814a32e7ca76d3 | njRAT | 196.205.194.61 | Egypt |
Appendix A: Sample Sources in Hebrew
| Links to Social Websites | Site Owners | Dates |
|---|---|---|
| hxxps://www.facebook.com/320924244852/photos/pb.320924244852.-2207520000.1449772632./10150705915184853/?type=3&theater | Shayetet 13 – Israeli special forces unit | 9:01pm, Jan. 31, 2015 |
| hxxps://www.facebook.com/527045137305930/videos/918743024802804/ | Israel Defense Forces (IDF) | 8:33pm, Jan. 31, 2015 |
| hxxp://statuscope.co.il/%D7%9E%D7%99-%D7%94%D7%99%D7%90-%D7%94%D7%99%D7%97%D7%99%D7%93%D7%94-%D7%94%D7%98%D7%9B%D7%A0%D7%95%D7%9C%D7%95%D7%92%D7%99%D7%AA-%D7%A9%D7%9C-%D7%96%D7%A8%D7%95%D7%A2-%D7%94%D7%99%D7%9D-%D7%90%D7%A9%D7%A8-%D7%96%D7%9B%D7%AA%D7%94-%D7%91%D7%AA%D7%97%D7%A8%D7%95%D7%AA?id=c917c8e2 | Israeli Navy | 11:15:25, Feb. 4, 2015 |
| hxxps://www.facebook.com/555898814436639/photos/a.556290817730772.145251.555898814436639/1019290754764107/?type=3&p=10 | Israeli political commentaries | 3:36pm, Feb. 2, 2015 |
| hxxps://www.facebook.com/miri.regev.il/photos/a.538483556248464.1073741833.118410851589072/751248248305326/?type=1&theater | Israeli Culture and Sports Minister – Miri Regev | 6:09pm, Feb. 3, 2015 |
| hxxps://www.facebook.com/maarivonline/videos/641901115916051/ | Israeli media -Maariv Online | 6:22pm, Feb. 1, 2015 |
| hxxps://webcache.googleusercontent.com/search?q=cache:nBi1mbSVr4MJ:https://www.facebook.com/%25D7%2592%25D7%2593%25D7%2595%25D7%2593-%25D7%25A7%25D7%25A8%25D7%25A7%25D7%259C-603984316296466/+&cd=6&hl=en&ct=clnk&gl=us | Caracal Batallion – infantry combat battalion of the IDF | 5:33, Jan. 31, 2015 |
| hxxps://webcache.googleusercontent.com/search?q=cache:rtCajoBx_3QJ:https://www.facebook.com/Israe.Army/+&cd=8&hl=en&ct=clnk&gl=us | Israeli Army | 2:14, Feb. 1, 2015 |
| hxxps://www.facebook.com/%D7%97%D7%99%D7%9C-%D7%94%D7%99%D7%9D-553700681378193/ | Israeli Navy | 9:00pm, Jan. 31, 2015 |
| hxxps://www.facebook.com/IAFGiyus/photos/a.364384073628468.82320.321086041291605/846002125466658/?type=1&theater | Israeli Air Force | Feb. 3, 2015 |
Appendix B: Updated Detection Results of the Samples
[1] Havex Hunts For ICS/SCADA Systems, https://www.f-secure.com/weblog/archives/00002718.html
[2] APT Group OceanLotus, http://blogs.360.cn/blog/oceanlotus-apt/
[3] hxxps://docs.google.com/file/d/0ByavzARTLomhc3hFeFhGN1JOOE0/edit?pli=1
Comments