A week ago, FSB specialists published an intriguing press release about malware discovered on the computers of state, scientific and military institutions. The signs described by the FSB specialists pointed to a well-prepared, so-called state-sponsored cyber attack that used highly targeted components, unique for each victim. Our anti-virus lab also received samples of this malware; ESET AV products detect them as Win32/Cremes and Win64/Cremes.

The findings of our experts coincide with those of Symantec, which published its own report on Cremes (under the name Remsec). In its complexity, the new malware resembles previously known cyber weapons such as Flame, Regin and EvilBunny. Cremes shares with Flame and EvilBunny the use of scripts written in the Lua language. The new group was named Strider, and it used Cremes to steal valuable information from its victims.
According to Symantec, the Strider group has been active since at least October 2011 and specializes in cyber attacks on various government agencies in Russia, China, Sweden and Belgium. A striking feature of Strider is its narrow focus on specific targets of interest; its attacks often used malware samples unique to each victim.
Cremes is a fully fledged cyber espionage platform with a modular architecture that gives the attackers flexibility in compromising their victims, as is also the case with Flame and Regin. Besides stealing important information from the victims' computers, Cremes performs a backdoor function, giving the attacker access to the infected machine and a way to send commands to the bot on it. Cremes uses Lua scripts in its work, a feature previously observed in Flame (Fiveeyes, Equation) and EvilBunny (Snowglobe, Animal Farm). Cremes also uses mechanisms for compromising isolated (air-gapped) networks, which we observed earlier in the operations of the Sednit group (APT28, Fancy Bear, Pawn Storm).
According to Symantec, Cremes includes the following components.
- A special loader named MSAOSSPC.DLL, which is responsible for loading files from disk and executing them in the system. Payload files are stored on disk in encrypted form.
- Lua modules that the malware uses to perform some of its tasks, including the following.
  - A network loader that downloads executable files from the network and launches them. RSA/RC6 encryption can be used for this.
  - A host loader that decrypts and loads at least three other Lua modules into running processes. These modules are named ilpsend, updater and kblog (keylogger).
  - A keylogger that records the keys pressed by the user and transfers this information to the attackers' control server. This module contains the string "Sauron" in its code; given its capabilities, we can assume the authors named it after the all-seeing eye from The Lord of the Rings.
  - A network implant that listens for network connections over protocols including ICMP, PCAP and RAW.
  - A simple named-pipe backdoor, controlled through named pipes, that can execute files transferred to it.
  - An enhanced named-pipe backdoor which, unlike its predecessor, also accepts additional commands for modifying files.
  - An HTTP backdoor that includes several URLs of C&C servers.
To run its code in kernel mode, the Cremes components can use a non-standard approach: exploiting vulnerabilities in obsolete but legitimate Agnitum Outpost and AVAST drivers. These drivers are bundled among the Cremes components.

Fig. Information about the legitimate Agnitum Outpost driver used by Cremes.
ESET antivirus products detect the Strider group's malware under the following generic signatures:
Win32/Cremes
Win64/Cremes
www.virusradar.com