Pierluigi Paganini December 19, 2017

Experts from McAfee Labs collected evidence that links DragonFly malware to other hacking campaigns, like BlackEnergy and TeamSpy attacks.

On September 6, Symantec published a detailed analysis of the Dragonfly 2.0 campaign that targeted dozens of energy companies this year. Threat actor is the same behind the Dragonfly campaign observed in 2014.

Further analysis conducted by McAfee Labs lead the experts into believing that the Operation Dragonfly is linked to earlier attacks.

The investigation conducted by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries.

The experts noticed the same techniques, tactics, and procedures (i.e. spear phishing, watering holes, and exploits of supply-chain technologies) were the same used in previous campaigns.

“By compromising well-established software vulnerabilities and embedding within them “backdoor” malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.” reads the analysis published by McAfee Labs.

Once compromised the target network, attackers used remote-desktop protocol to hop among internal or external systems, they connect either to a control server or use an internal compromised server to conduct operations.

Researchers observed threat actors using several backdoors and utilities, in one case a Trojan used in 2017 attacks was also used in a July 2013 attack.

Experts correlated the malware by analyzing their hashes, both contained the same TeamViewer that was spotted by the Hungarian security company Crysys in a report about the TeamSpy malware.

The TeamSpy hackers hit a large variety of high-level subjects including Russia-based Embassy for a not revealed undisclosed country belonging to both NATO and the European Union, multiple research and educational organizations in France and Belgium, an electronics company located in Iran and an industrial manufacturer located in Russia

Crysys researchers mentioned the same hash used in the recent attacks and correlated it to a sample that was compiled on 2011:09:07 – 09:27:58+01:00.

“Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?” continues McAfee Labs.

The experts discovered that the 2017 sample contained code blocks associated with BlackEnergy malware.

BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017. (Source McAfee)

“Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.” continues the analysis.

“The BlackEnergy sample used in our comparison was captured in the Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.”

The experts pointed out an evolution of the code in the backdoors developed by the threat actors and the reuse of code in their campaigns.

The malicious code is fairly sophisticated in hiding details of their attacks, making hard the attribution through the use of false flags.

Pierluigi Paganini

(Security Affairs –  SCADA,  Dragonfly)

[adrotate banner=”5″]

[adrotate banner=”13″]