Pierluigi Paganini July 09, 2019

The malware samples shared by USCYBERCOM last week were first detected in December 2016 in attacks attributed to Iran-linked APT33.

Last week the United States Cyber Command (USCYBERCOM) uploaded to VirusTotal a malware used by Iran-linked APT33 group in attacks in Dec 2016 and Jan 2017.

Now experts at Kaspersky confirmed that the malware was used in attacks exploiting the CVE-2017-11774 vulnerability, two of the files (MD5: d87663ce6a9fc0e8bc8180937b3566b9, MD5:9b1a06590b091d300781d8fbee180e75) were first seen in 2016.

“USCYBERCOM’s VirusTotal executable object uploads appeared in our January 2017 private report “NewsBeef Delivers Christmas Presence”, an examination of a change in the tactics used in spear-phishing and watering hole attacks against Saudi Arabian targets.” reads a report published by Kaspersky. “Two files uploaded by USCYBERCOM are of particular interest. These were first seen Dec 2016 and Jan 2017: “

At the time, the security firm warned in a private report its customers of the threats. In particular, the researchers attributed the attacks at the NewsBeef threat actor (aka Charming Kitten, Newscaster, Ajax Security Team, and APT35).

The private report issued by Kaspersky in January 2017, titled ”  “NewsBeef Delivers Christmas Presence,” analyzed the evolution of TTPs of the NewsBeef group. Experts noticed that the threat actors added new tools to its arsenal, including macro-enabled Office documents, PowerSploit, and the Pupy backdoor. 

Pupy is an open source, multi-platform (Windows, Linux, OSX, Android), multi-function backdoor. The backdoor is mainly written in Python and borrows code from other open source attack tools, including PowerSploit, Mimikatz, laZagne, etc.

“Pupy can generate backconnect or bindport payloads in multiple formats: PE executables (x86/x64) for Windows, ELF binary/.so for Linux, reflective DLLs (x86/x64), pure Python files, PowerShell, apk, and Rubber Ducky script (Windows).” reads the report.

Attackers also carried out spear-phishing campaigns and watering hole attacks, primarily aimed at targets in Saudi Arabia (Government financial and administrative organizations, Government health organizations, Engineering and technical organizations, one British labor-related government organization (targeted multiple times)).). 

The NewsBeef threat actors were continuing to deploy malicious macro-enabled Office documents, poisoned legitimate Flash and Chrome installers, PowerSploit, and Pupy tools

Experts discovered that the compromised websites infected with an obfuscated JavaScript used to redirect visitors to NewsBeef-controlled hosts that tracked victims and served malware.

The Kaspersky report and the USCYBERCOM uploads confirm that Iran-linked APT groups use to share malware code, the malware has been associated with the COBALT GYPSY threat group, and also associated with the Shamoon.

“Previous reports on the NewsBeef APT noted the group’s reliance on open-source tools to launch simple, yet effective attacks. Historically, the group has used BeEF to track targets and deliver malicious payloads.” concludes the report. “However, as this recent campaign indicates, the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents, PowerSploit, and Pupy. Despite this shift in toolset, the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net.”

Pierluigi Paganini

(SecurityAffairs – USCYBERCOM, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]