
Expert identifies new Nazar APT group referenced in 2017 Shadow Brokers leak

A security expert uncovered an old APT operation, tracked Nazar, by analyzing the NSA hacking tools included in the dump leaked by Shadow Brokers in 2017.

Juan Andres Guerrero-Saade, a former Kaspersky and Google researcher, uncovered an old APT operation, tracked Nazar, by analyzing the NSA hacking tools included in the dump leaked by Shadow Brokers in 2017.

The campaign had previously been attributed to the China-linked APT Emissary Panda (aka APT27, TG-3390, Bronze Union, and LuckyMouse); it is referenced as SIG37 in one of the documents included in the Shadow Brokers dump.

Guerrero-Saade discovered that the SIG37 campaign references hacking activity dating back as far as 2008 that was carried out by an unknown threat actor, which the expert now tracks as Nazar.

Native Farsi speakers told the expert that the term ‘nazar’, transliterated from Persian, means ‘supervision’ or ‘monitoring’. A more recognizable alternative interpretation is the nazar amulet used for protection against the ‘evil eye’.

The researcher presented his findings in a speech at the OPCDE virtual cybersecurity summit.

The name ‘Nazar’ comes from the debug paths he found in the dump alongside Farsi resources in some of the malware droppers.

The analysis of the VirusTotal submission times for the artifacts employed in the Nazar campaign allowed the expert to date the campaign between 2010 and 2013.

The Nazar subcomponents were all submitted to VirusTotal from Iran, a circumstance that suggests that the campaign aimed at Iranian entities.

It was impossible to determine the extent of the campaign because the command and control (C&C) servers are no longer active.

“It’s hard to understand the scope of this operation without access to victimology (e.g.: endpoint visibility or command-and-control sinkholing).” reads a blog post published by Guerrero-Saade.

“Somehow, this operation found its way onto the NSA’s radar pre-2013, as far as I can tell, it’s eluded specific coverage from the security industry. A possible scenario to account for the disparate visibility between the NSA and Western researchers when it comes to this cluster of activity is that these samples were exclusively encountered on Iranian boxes overlapping with EQGRP implants.”

Nazar uses a modular toolkit. Its main dropper silently registers multiple DLLs as OLE controls in the Windows registry via ‘regsvr32.exe’. The malware then registers the orchestrator (‘Data.bin’), masqueraded as the generic Windows service host process (‘svchost.exe’), as a service named ‘EYService’ to achieve persistence.

The droppers are wrongly identified by scanners as packed with Armadillo; in reality they were built with Chilkat’s now-defunct ‘Zip2Secure’ tool, which the attackers used to create self-extracting executables.

“The packing alone has led the droppers to be detected under generic AV detections but the subcomponents have low-to-no detections at this time.” continues the expert.

The malware uses subcomponent DLLs to implement hot-mic and screen-grab capture, along with keylogging. The malicious code leverages two custom resources, ‘godown.dll’ and ‘filesystem.dll’, treated as type libraries and registered as OLE controls, to enumerate attached drives, traverse folder structures, and handle some of the C&C functionality.

The malicious code also uses a kernel driver to sniff packets from the victim machine’s network interfaces and parse them for specific strings.
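The persistence chain described above (regsvr32 silently registering DLLs as OLE controls, an ‘EYService’ service whose binary is an svchost.exe living outside System32) and the kernel-driver sniffer are exactly the artifacts an endpoint hunt can key on. The following Python is an added example, not code from Guerrero-Saade’s post or from the Nazar samples: it runs three such checks over constructed Sysmon-style events. The telemetry, the field names, the trusted-directory list and the driver file name are assumptions (the article does not name the sniffer driver, so the driver rule is a generic path heuristic rather than an indicator).

```python
"""Added example: hunting the Nazar persistence and packet-sniffing tradecraft
described in the article over constructed Sysmon-style telemetry.
Not Guerrero-Saade's code; the sample events and rule thresholds are assumptions."""
import json
import ntpath
import re

# Directories from which regsvr32 targets, service binaries and drivers are
# expected to load. Anything else is treated as user-writable and suspicious.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Indicators taken from the article: the orchestrator is registered as a
# service named 'EYService' and masquerades as 'svchost.exe'.
NAZAR_SERVICE_NAME = "eyservice"
MASQUERADED_BINARY = "svchost.exe"


def _tokens(cmdline):
    """Split a Windows command line, honouring double-quoted paths."""
    return [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]


def _parent_dir(path):
    return ntpath.dirname(path).lower().rstrip("\\")


def check_regsvr32(ev):
    """Rule 1: regsvr32 (silent or not) registering a DLL outside System32/SysWOW64."""
    if ev.get("EventID") != 1 or ntpath.basename(ev.get("Image", "")).lower() != "regsvr32.exe":
        return None
    toks = _tokens(ev.get("CommandLine", ""))
    silent = any(t.lower() in ("/s", "-s") for t in toks)
    for dll in (t for t in toks if t.lower().endswith(".dll")):
        if _parent_dir(dll) not in TRUSTED_DIRS:
            return {"rule": "regsvr32_ole_register_untrusted_dll",
                    "detail": f"{dll} (silent={silent}, parent={ev.get('ParentImage')})"}
    return None


def check_service(ev):
    """Rule 2: service install named EYService, or an svchost.exe that does not live in System32."""
    if ev.get("EventID") != 7045:
        return None
    name = ev.get("ServiceName", "").lower()
    image = _tokens(ev.get("ImagePath", ""))
    binary = image[0] if image else ""  # drop '-k NetworkService' style arguments
    reasons = []
    if name == NAZAR_SERVICE_NAME:
        reasons.append("service name matches Nazar orchestrator")
    if ntpath.basename(binary).lower() == MASQUERADED_BINARY and _parent_dir(binary) not in TRUSTED_DIRS:
        reasons.append("svchost.exe outside System32")
    if reasons:
        return {"rule": "nazar_service_persistence",
                "detail": f"{name} -> {binary}: {'; '.join(reasons)}"}
    return None


def check_driver(ev):
    """Rule 3: kernel driver loaded from outside the drivers directory.
    Generic heuristic: the article does not name Nazar's sniffer driver."""
    if ev.get("EventID") != 6:
        return None
    drv = ev.get("ImageLoaded", "")
    if _parent_dir(drv) != TRUSTED_DRIVER_DIR:
        return {"rule": "driver_load_untrusted_path", "detail": drv}
    return None


RULES = (check_regsvr32, check_service, check_driver)


def hunt(lines):
    """Run every rule over JSON-lines telemetry and return the list of findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (Sysmon field names; not real Nazar logs).
# Events 1, 3 and 5 model the tradecraft in the article; 2, 4 and 6 are benign controls.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\Public\\godown.dll", "ParentImage": "C:\\Users\\Public\\dropper.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s \"C:\\Windows\\System32\\mshtml.dll\"", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"EventID": 7045, "ServiceName": "EYService", "ImagePath": "C:\\Users\\Public\\svchost.exe"}
{"EventID": 7045, "ServiceName": "Dhcp", "ImagePath": "C:\\Windows\\System32\\svchost.exe -k NetworkService"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\pktcap.sys"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"}
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

Run against the embedded sample the script flags three events: the regsvr32 registration of godown.dll from a user-writable path, the EYService install pointing at an svchost.exe outside System32, and the driver load from C:\Users\Public. The legitimate mshtml.dll registration, the real Dhcp service and tcpip.sys pass. On real telemetry the trusted-directory set should be extended with your own package and driver store locations, otherwise the driver rule in particular will be noisy.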

“SIG37 has proven a rewarding mystery, unearthing a previously undiscovered subset of activity worthy of our attention.” concludes the expert. “Apart from several places where more skilled reverse engineers can contribute to better understanding the samples already discovered, there’s an opportunity for threat hunters with access to diverse data sets and systems to figure out just how big this iceberg really is.”


Pierluigi Paganini

(SecurityAffairs – Nazar, hacking)

