Some slightly messy notes re: todays JAR report release

This could and should probably be more organized. The report (here¬†https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf) first goes over what attack vectors were used in very general terms. Nothing particularly surprising. It then dumps, tersely but importantly, a fat list of what current and historic groups, operations, and malwares are involved, directly or though being otherwise linked. This isn’t really *that* much more than just saying “It’s Fancy/Cozy Bear, aka Advanced Persistent Threat 28 and 29”, but despite being mostly a list of names and aliases, it gives a pretty good chain-of-proof in terms of linking up why, exactly, APT28/29 would be the aggressor here, and why it couldn’t really be anyone else. It’s kind of hard to get around except by claiming the specifics about these intrusions aren’t true, which is sort of possible – there isn’t much released about it nor, really, could there be, since it’d be little snipplets of access logs that can’t really be verified.

So while parsing through them, I jotted down these notes/links on the side. They vary in certainty and accuracy from “It’s been considered pretty much common knowledge among security people for decades” to “it’s the impression I got from reading the top three google hits”. It’s far from the last word, just *a* word, if nothing else to myself, so I have someplace to start if I read more.

<something>Duke (Modular infectors/payloads. Series of variations through the decades using new exploits and paths to infect with any of the Fancy/Cozy/Energetic payloads. Chaning command-and-control, but mostly unified at any point in time, prior to deploying payload (which then has it’s own C&C, if there is one)
https://cdn.securelist.com/files/2014/07/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

BlackEnergy V2/3 (Modular payload/infector, DDoS bot. Has been used by the .ru underground for profit since ’07. It’s unclear if it was coopted by Fancy, allowed by Fancy to be coopted by the underground, or under what other arrangement the botnet(s) operate. v1.0 is very simple and do not look state-sponsored, v3 is advanced enough and gets spread by complicated enough vecorts to almost certainly be.)
https://www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf

Shedding Light on BlackEnergy With Open Source Intelligence

Carberb (Banking trojan/cred steal. Source leaked in 2013, many variants since)
https://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf (slides – short short version)
http://delaat.net/rp/2012-2013/p42/report.pdf (more thourough report)

CHOPSTICK/CORESHELL (General purpose payload/payload modules. Overlapping use, closely linked to APT28 aka Fancy. Almost downloaders (download from central, run), but with minimalist inital kits for immediate recon/persistence)
https://tools.cisco.com/security/center/viewAlert.x?alertId=39835

Relentless Sofacy APT Attacks Armed With Zero Days, New Backdoors

Crouching Yei (2010- capaign originally thought to be a Cozy (APT29) creation, but shown to overlap with Fancy. Sometimes called Eneregetic Bear and considered a separate APT. Appears to be a joint operation or an organizationally separate group cooperating with both)

Dionis (Infector, ~2010-, linked to Cozy. Various vectors throughout updates)

Dragonfly (2013 campaign aimed at the western energy grid. Consided a product of Energetic Bear(aka Crouching Yeti), wherever they fit into the sceme of things. Uses a fairly isolated set of payloads and command and control infrastructure, and could probably have remained operational beyond *duke, blackeneregy, et al)
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf

HAMMERTOSS (mid-2015 payload. Very stealthy payload, communicating over twitter/github. Focus on segnaography (hiding hot data inside innocent-looking data) and stealth over efficiency. Otherwise, average small downloader-with-some-bonuses. Attributed to Cozy)
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

Havex (2014 payload. Remote Admin Tool. Part of the dragonfly campaign, fairly narrowly targeted at US energy systems. The name sometimes includes some of the spreading tactics, such as exploit kits injected into sites likely to be vistited by true targets)

OLDBAIT (2014(ish, long running) payload. Credential stealer. Harvests login/pass/keyfiles from popular browsers/clients (extensible) and sends them back to command and control)

Pawn Storm (2005-ongoing intelligence gathering campain. Very broad, tragets in russia, ukraine, usa, nato at large, gov and media, Includes waves of all Fancy payloads, spearphishing, iOS infections, fake sites, etc. Overly broad term often nearly meaning “anything Fancy is up to at the moment”)

Quedagh (BlackEnergy infector. More like a sub-module to blackenergy v3)

Sandworm (2014 infector. Used a particular set of exploits to spread a variety of payloads. Mostly notable for using enough unpatched exploits at once to be an obviously state-sponsored piece of code)

Seadaddy (+ SeaDuke, part of the infector stream. Hid in python code, which doesn’t compile and stays human readable, a fairly unusual vector)

SEDNIT/SEDKIT (Exploit kit series. Exploits browsers to install payloads when the user visits a site they’re installed at (watering hole exploit). Targeted to stick to infecting likely targets and otherwise do nothing, and mostly loaded on sites likely to be visited by good targets. Fancy product)

Sofancy (alias for Fancy/APT28/Fancy Bear)

SYNful knock (Cisco router plant/backdoor payload. Grants remote control of several Cisco routers. Sometimes confused for an exploit but isn’t – it’s code injected into a router firmware by arbitrary means which then allows remote control of it, just like most payloads (though extremely rarely aimed at routers))
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html

SOURFACE (payload. Downloader/installer. Seems mostly introduced as another layer as getting and installing a larger payload after chopsticks/coreshell became increasingly contested)

Tiny Baron (payload. ~2014 remote control payload)

Waterbug (group of infetors/stage one payloads. Could be an operation or group of people who made them rather than the malware itself depending on who is speaking. Focusing on spearphishing/driveby attacks, with complex payloads. Clearly connected to Fancy/Cozy, but mostly using separate command and control)
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf

Leave a Reply