The hacker group Sednit specializes in attacks against isolated air-gapped networks.
Sednit Cybercrime Group, also known as Sofacy, APT28 or Fancy Bear has specialized in attacks against various organizations for many years. We recently discovered that this group began to specialize in attacks against air-gapped networks protected from the Internet. For this purpose, a special malicious program is used, with the help of which the confidential data of computers in a compromised network is stolen.
Earlier we wrote about the criminal activity of this group, which used its own set of exploits to compromise legitimate websites and subsequently infect users with malware. FireEye also reported on the activity of this group in its report on the APT28 group, as well as Trend Micro in the Operation Pawn Storm report. In this article we will focus on the new attack area of ​​this group, which uses the Win32 / USBStealer malware to steal confidential data from computer networks that are isolated from the Internet.
')
Our research shows that the Sednit team has been using Win32 / USBStealer malware since at least 2005. The targets of such attacks are various government organizations in Eastern Europe. Several versions of this malware have been used in attacks of varying degrees of complexity.
One of the security measures that can be used by the enterprise security service in order to prevent leakage of confidential data from computers connected to the corporate network is its isolation from the Internet by technical means. However, the use of removable media may be the starting point for leaking such data. It is assumed that some employee of the enterprise can transfer corporate data on a USB-drive, and they will be copied to a computer that has access to the worldwide network.
This scenario is used by the Sednit team when using Win32 / USBStealer . In this case, the scheme for obtaining confidential data using a malicious program will be multistage and consists of five stages.
Stage 1
In the first stage, attackers compromise a computer that has access to the Internet (for example, an employee’s home computer). Let's call it "Computer A". During the compromise process, Computer A becomes infected with a dropper of a malicious program that we detect as Win32 / USBStealer.D . The executable file of this dropper is called USBSRService.exe , and its fake resource section indicates that this file is the installer of the legitimate Russian program USB Disk Security .
Fig. Win32 / USBStealer dropper metadata .
The basic logic of the dropper is as follows:
Fig. The contents of the file AUTORUN.
When writing files to a removable drive, the dropper modifies the file metadata, namely, their “Last Access” and “Last Recorded” timestamps for values ​​that correspond to their counterparts in Windows system files. They are assigned the attributes of system and hidden files. Thus, an illusion of some kind of “systemic” malicious files is created. It is also worth noting that the decrypted in memory elements of the resource section are back encrypted after writing the files, which excludes their removal from the memory by any forensic analysis tools.
Stage 2
When an infected USB drive is inserted into a computer in an isolated enterprise network, Win32 / USBStealer will automatically install itself into the system. This will happen when the autorun feature is enabled on this computer. Let's call this computer, which works in an isolated air-gapped network, Computer B. As soon as Win32 / USBStealer gets control, it lists all the disks that are currently connected to the system, and, depending on the type of disk, uses a different pattern of its behavior.
The meaning of this last step is to group the files of interest in the malicious code into one local directory. This step can be called preparatory to this exfiltration data. It will happen as soon as the same removable drive is inserted into the USB port of Computer B. Once again, the types of files that are of interest to the malware are listed.
The initial period of use is calculated based on the compilation date of the executables from which these lists were extracted. We found very few references to most of these file names in open sources. Perhaps because they belong to narrowly specialized software. It is also interesting that the name Talgar (talgar.exe) coincides with the name of the city of Almaty region in the south-east of Kazakhstan.
The malware looks for these files listed above everywhere on hard drives, except for directories that have the same name as the following anti-virus products: Symantec, Norton, McAfee, ESET Smart Security, AVG9, Kaspersky Lab, Doctor Web.
Stage 3
This step assumes that the user inserts the infected USB drive back into Computer A, after he has already been to the isolated Computer B at the second stage. In this step, the malware component on computer A sends a set of Win32 / USBStealer commands that it must execute in step 4. To do this, the necessary commands are written into an encrypted file named COMPUTER_NAME.in in the drive root.
Stage 4
It is assumed that at the fourth stage, the same infected media will again get to Computer B. At the same time, instructions for the bot of the malicious program are already stored there, which it must execute. At this stage, the files chosen by the attackers should be copied from the directory that was created on Computer B in the second stage (file grouping). Then at the final stage they will be sent to the remote server of the attackers.
At this stage, Win32 / USBStealer decrypts the batch file ( COMPUTER_NAME.in ), which was dropped to the root of the USB drive in the previous step. This file contains commands that the bot must execute sequentially. A command is identified by a two-byte identifier, followed by a command argument.
Commands 0x0003 and 0x0005 operate with a special file that the malicious program creates on the local disk of Computer B. It contains templates of information about files in the format “Root = Path = Day”. Each time you boot Windows, Win32 / USBStealer executes the 0x0002 command for files from this list.
The command 0x0008 is used to detect files that may be of interest to attackers. We can assume that the attackers start the attack with this command, and then use the 0x0002 and 0x0003 commands to collect data.
For teams that perform operations to copy files to removable media, a special backup method is provided. If the malware cannot copy files to the media, for example, it is write-protected, the files will be copied to a special directory on the local disk. In the future, the malicious code will try to copy them from there when another infected media is connected.
Stage 5
At this stage, the infected USB drive again goes to Computer A. The malicious program then transfers the files copied from Computer B to the remote server.
Conclusion
The Win32 / USBStealer malware shows the specific targeting of the Sednit group intruders towards corporate users of air-gapped networks. We also noticed the following interesting features:
Fig. Compilation date of the malicious file (Timestamp).
Some questions are still open. For example, in what specific way did the initial infection by Computer A malware occur. We can assume that phishing messages were used for this. It may be noted that the FireEye report about this group mentioned by us at the beginning of the material contains information about the campaign for sending phishing messages. In this case, the messages indicated the following text: "USB storage.".
Earlier we wrote about the criminal activity of this group, which used its own set of exploits to compromise legitimate websites and subsequently infect users with malware. FireEye also reported on the activity of this group in its report on the APT28 group, as well as Trend Micro in the Operation Pawn Storm report. In this article we will focus on the new attack area of ​​this group, which uses the Win32 / USBStealer malware to steal confidential data from computer networks that are isolated from the Internet.
')
Our research shows that the Sednit team has been using Win32 / USBStealer malware since at least 2005. The targets of such attacks are various government organizations in Eastern Europe. Several versions of this malware have been used in attacks of varying degrees of complexity.
One of the security measures that can be used by the enterprise security service in order to prevent leakage of confidential data from computers connected to the corporate network is its isolation from the Internet by technical means. However, the use of removable media may be the starting point for leaking such data. It is assumed that some employee of the enterprise can transfer corporate data on a USB-drive, and they will be copied to a computer that has access to the worldwide network.
This scenario is used by the Sednit team when using Win32 / USBStealer . In this case, the scheme for obtaining confidential data using a malicious program will be multistage and consists of five stages.
Stage 1
In the first stage, attackers compromise a computer that has access to the Internet (for example, an employee’s home computer). Let's call it "Computer A". During the compromise process, Computer A becomes infected with a dropper of a malicious program that we detect as Win32 / USBStealer.D . The executable file of this dropper is called USBSRService.exe , and its fake resource section indicates that this file is the installer of the legitimate Russian program USB Disk Security .
Fig. Win32 / USBStealer dropper metadata .
The basic logic of the dropper is as follows:
- It monitors the connection to the removable storage system through the creation of a window with a callback function , which will be called in the event of such an event.
- As soon as the removable drive is inserted into the system, the dropper decrypts several elements of its resource section of the executable file. One of them is another Win32 / USBStealer executable file, which is copied to a removable drive under the name USBGuard.exe . The second element of the resource section is an AUTORUN.INF file, the contents of which are presented below.
- Files are copied to the root of a removable drive and, if the autorun function is enabled, they will be executed as soon as the drive is inserted into the computer with autorun enabled, or by double clicking on the drive icon (see AUTORUN.INF format below). The “Startup” setting for Windows was eliminated back in 2009 by updating KB971029 . However, our data show that attackers started using Win32 / USBStealer four years earlier, that is, in 2005. In addition, for computers that operate on air-gapped networks, the absence of updates is considered to be quite common.
- In the last step, the malware copies an empty file called destktop.in to the root of the disk. This serves as a signal to the malicious program that this drive has already been connected to a computer that has access to the Internet.
Fig. The contents of the file AUTORUN.
When writing files to a removable drive, the dropper modifies the file metadata, namely, their “Last Access” and “Last Recorded” timestamps for values ​​that correspond to their counterparts in Windows system files. They are assigned the attributes of system and hidden files. Thus, an illusion of some kind of “systemic” malicious files is created. It is also worth noting that the decrypted in memory elements of the resource section are back encrypted after writing the files, which excludes their removal from the memory by any forensic analysis tools.
Stage 2
When an infected USB drive is inserted into a computer in an isolated enterprise network, Win32 / USBStealer will automatically install itself into the system. This will happen when the autorun feature is enabled on this computer. Let's call this computer, which works in an isolated air-gapped network, Computer B. As soon as Win32 / USBStealer gets control, it lists all the disks that are currently connected to the system, and, depending on the type of disk, uses a different pattern of its behavior.
- If the detected disk is removable and is labeled as a desktop.in file located in the root of the disk (i.e., this detected drive was already present in the system with Internet connection), then the malicious program creates a directory in the root of this disk, where the name is the computer name. This operation allows operators to distinguish between computers into which an infected drive has been inserted. Subsequently, this data will be used when sending data to the attacker's server, when the drive returns to Computer A connected to the Internet.
- If the disk is not removable, Win32 / USBStealer performs special preparation for the procedure of subsequent exfiltration (theft) of data.
The meaning of this last step is to group the files of interest in the malicious code into one local directory. This step can be called preparatory to this exfiltration data. It will happen as soon as the same removable drive is inserted into the USB port of Computer B. Once again, the types of files that are of interest to the malware are listed.
- Files with the extensions ".skr", ".pkr" or ".key". The first two refer to the PGP Desktop cryptographic files. They store public and private encryption keys. The third extension is often used by other cryptographic tools for storing similar keys.
- Files whose names match the list below. We found two lists of such files, they are listed in the table below.
The initial period of use is calculated based on the compilation date of the executables from which these lists were extracted. We found very few references to most of these file names in open sources. Perhaps because they belong to narrowly specialized software. It is also interesting that the name Talgar (talgar.exe) coincides with the name of the city of Almaty region in the south-east of Kazakhstan.
The malware looks for these files listed above everywhere on hard drives, except for directories that have the same name as the following anti-virus products: Symantec, Norton, McAfee, ESET Smart Security, AVG9, Kaspersky Lab, Doctor Web.
Stage 3
This step assumes that the user inserts the infected USB drive back into Computer A, after he has already been to the isolated Computer B at the second stage. In this step, the malware component on computer A sends a set of Win32 / USBStealer commands that it must execute in step 4. To do this, the necessary commands are written into an encrypted file named COMPUTER_NAME.in in the drive root.
Stage 4
It is assumed that at the fourth stage, the same infected media will again get to Computer B. At the same time, instructions for the bot of the malicious program are already stored there, which it must execute. At this stage, the files chosen by the attackers should be copied from the directory that was created on Computer B in the second stage (file grouping). Then at the final stage they will be sent to the remote server of the attackers.
At this stage, Win32 / USBStealer decrypts the batch file ( COMPUTER_NAME.in ), which was dropped to the root of the USB drive in the previous step. This file contains commands that the bot must execute sequentially. A command is identified by a two-byte identifier, followed by a command argument.
Commands 0x0003 and 0x0005 operate with a special file that the malicious program creates on the local disk of Computer B. It contains templates of information about files in the format “Root = Path = Day”. Each time you boot Windows, Win32 / USBStealer executes the 0x0002 command for files from this list.
The command 0x0008 is used to detect files that may be of interest to attackers. We can assume that the attackers start the attack with this command, and then use the 0x0002 and 0x0003 commands to collect data.
For teams that perform operations to copy files to removable media, a special backup method is provided. If the malware cannot copy files to the media, for example, it is write-protected, the files will be copied to a special directory on the local disk. In the future, the malicious code will try to copy them from there when another infected media is connected.
Stage 5
At this stage, the infected USB drive again goes to Computer A. The malicious program then transfers the files copied from Computer B to the remote server.
Conclusion
The Win32 / USBStealer malware shows the specific targeting of the Sednit group intruders towards corporate users of air-gapped networks. We also noticed the following interesting features:
- The operation has been going on for almost 10 years. We detected a file with a malware compilation date of May 2005, as shown in the screenshot below. The date the file was compiled also corresponds to the version of the compiler that was used to compile the file at that time. Other malware files that were detected also have realistic compilation dates, which allows us to say that this data is not fake.
- The obvious focus of the attack. As we have already mentioned, the names and extensions of files used to steal, let us speak about the obvious focus of this attack.
Fig. Compilation date of the malicious file (Timestamp).
Some questions are still open. For example, in what specific way did the initial infection by Computer A malware occur. We can assume that phishing messages were used for this. It may be noted that the FireEye report about this group mentioned by us at the beginning of the material contains information about the campaign for sending phishing messages. In this case, the messages indicated the following text: "USB storage.".
Source: https://habr.com/ru/post/243309/
All Articles