Authors: John Scott-Railton*, Morgan Marquis-Boire*, Claudio Guarnieri*, and Marion Marschalek**
*Senior Researcher, Citizen Lab, Munk School of Global Affairs; **Cyphort
Summary
This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes. These countries are linked by a trade agreement as well as a cooperation on a range of non-financial matters.
After observing a wave of attacks in Ecuador in 2015, we linked these attacks to a campaign active in Argentina in 2014. The targeting in Argentina was discovered when the attackers attempted to compromise the devices of Alberto Nisman and Jorge Lanata. Building on what we had learned about these two campaigns, we then traced the group’s activities back as far as 2008.
This report brings together many of the pieces of this campaign, from malware and phishing, to command and control infrastructure spread across Latin America. It also highlights fake online organizations that Packrat has created in Venezuela and Ecuador. Who is responsible? We assess several scenarios, and consider the most likely to be that Packrat is sponsored by a state actor or actors, given their apparent lack of concern about discovery, their targets, and their persistence. However, we do not conclusively attribute Packrat to a particular sponsor.
Part 1: Packrat’s Seven Years of Activity
The authors on this report have been independently investigating malware and phishing campaigns in Latin America. This report is the result of discovering that the cases we have been investigating are linked by a common threat actor with targeting in several countries, including Venezuela, Ecuador, Argentina, and Brazil. We refer to this threat actor as Packrat, to highlight their preference for packed, commodity Remote Access Trojans (RATs), and their retention of the same domains and servers over many years.
Image 1: Some of Packrat’s known targets and activity types
Packrat has systematically targeted high profile political figures, journalists, and others in several countries with malware and phishing. In total we uncovered 12 different malware command and control domains, and over 30 samples of malware stretching over a seven year time period. Packrat also favors an interesting strategy: create and maintain fake opposition groups and news organizations, then use these to distribute malware and conduct phishing attacks.
Some of these organizations exist in name only, while others have a more elaborate online presence. Packrat has also created elaborate fake news organizations without any evidence we can find of malware or phishing activity.
Image 2: Packrat’s major activities
We chart Packrat’s activities back to at least 2008. Through correlation of network infrastructure, we identified several waves of activity, coupled with changes in tools and tactics. This section provides a brief chronology of Packrat’s network infrastructure and activities. For a detailed chronology of the malware used, see 3. The Evolution of Packrat’s Implants.
Packrat’s Greatest Hits
2008-2013
Tools and infrastructure used by Packrat suggest that they have been active since at least 2008. During this period, Packrat used hosting services in Brazil, and some of their malware samples were uploaded from Brazilian IP space to popular online virus scanning services. Some of the messages they sent also contained Brazilian bait content. While this is suggestive of Brazilian targeting, we have yet to find confirmed victims from this period.
2014
By 2014, Packrat was targeting high-profile Argentine lawyer Alberto Nisman, and well-known investigative journalist and television news host, Jorge Lanata. Maximo Kirschner, son of Argentina’s president, also announced that he was targeted. The screenshot he released of the phishing email he received is consistent with what we have seen, although we have not been able to verify his claims. In addition, a number of phishing domains with Ecuadorian and Venezuelan targeting that we identified became active during this period.
2015
2015 seems to have marked an extensive campaign of phishing and malware attacks targeting civil society and public figures, including parliamentarians in Ecuador. We observed a range of phishing domains and attacks, often using fake organizations during this period. We also found fake organizations and possible disinformation campaigns with targets in Ecuador, Venezuela and the Venezuelan diaspora.
1.1 Nisman and the Argentine Cases
In January 2015, controversial Argentine prosecutor Alberto Nisman was found dead of a gunshot under suspicious circumstances. Argentine news reported that a malicious file was found on his Android phone by the Buenos Aires Metropolitan Police forensic lab. The file was named “estrictamente secreto y confidencial.pdf.jar,” or “strictly secret and confidential” in English.
An identically titled file was uploaded to VirusTotal from Argentina on the 29th of May, 2015. The file was a remote access toolkit, known as AlienSpy, which allowed an attacker the ability to record the activities of a target, access their email, their webcam, and more. However, the file was built for the Windows operating system, and could not have infected Nisman’s Android phone.
The initial analysis of the alienspy implant by Morgan Marquis–Boire revealed the command and control server of the attackers to be deyrep24.ddns.net. In addition to the malware apparently used to target Nisman, Lanata, and Kirschner (see below), three other samples[1] were found which used deyrep24.ddns.net as a command and control domain. One of these, 3 MAR PROYECTO GRIPEN.docx.jar, was a build of AlienSpy (See Packrat’s Implants) which masqueraded as a document containing communication between Ecuadorian President Rafael Correa and Ecuador’s Ambassador to Sweden concerning the acquisition of fighter jets.
After the finding was made public, other targets came forward. Prominent investigative journalist and television host Jorge Lanata revealed that he too had been targeted by the same malware. The president’s son, Maximo Kirschner, also claimed to have been targeted. We were unable to verify Kirschner’s claim, however, a screenshot showing his targeting was included in a report of this claim:
Image 3: A screenshot included in this report showing Maximo Kirschner’s targeting
The email which he claims to have received has an attachment named “Estrictamente Secreto y Confidencial.pdf.jar” (size 67.3kb) which is the same as the malware sent to Nisman and Lanata. Additionally, the sender’s email address (claudiobonadio88@gmail.com) purports to be well-known judge Claudio Bonadio. This similar to the targeting of Lanata, who also received an email also claiming to be from Claudio Bonadio (cfed.bonadio@gmail.com).
1.2 Ecuadorian Campaigns
In 2015, we began independently receiving a growing number of reports of phishing attacks via e-mail and SMS targeting journalists and other public figures in Ecuador. Some emails we examined had no political content, but were simple credential phishing for social media and email providers, like Gmail. Others, however, had explicit political content concerning a range of political figures and issues in Ecuador. Further investigation revealed an extensive campaign, as well as many fake organizations (See Section 6: Possible Deception Operations).
One of the authors developed a Gmail search query for strings associated with the attacks (See Appendix A: The Search Query). We shared this query with many potential targets, resulting in hits for phishing attacks, as well as suspicious Microsoft Word (DOCX) files sent to a range of journalists and public figures. These documents contained embedded RATs written in Java, including Adzok and AlienSpy (See Packrat’s Implants). Subsequently, using indicators found in the JAR files, as well as an updated Gmail query we were able to identify a larger set of malicious files and domains used by Packrat (See Appendix B: Malware Samples).
We found a dense web of interconnections between phishing and malware sites. Sites often shared registration information, or were hosted from the same servers. We determined that the malware samples typically communicated with daynews.sytes.net, which is linked to the Argentine cases. Ultimately, investigation of this infrastructure also revealed malware and infrastructure in Brazil, and fake sites in Venezuela.
1.3 Shared Command & Control Infrastructure
This section describes Packrat’s command and control infrastructure in narrative form, Appendix B provides a full list of Command & Control domains along with the related binaries and malware families.
Packrat’s deyrep24.ddns.net domain was created on November 7th, 2014, and at the time of Nisman’s targeting, pointed to the IP address: 50.62.133.49. This IP address belongs to a GoDaddy range for dedicated hosting, and on March 3rd, 2015, the domain moved to another GoDaddy IP: 192.169.243.65. Passive DNS records revealed that at the same time as this IP was being used by the deyrep24.ddns.net command and control domain, it was being used by the domain daynews.sytes.net which had been created on March 1st, 2015. Over the course of our joint investigation we found 5 samples of malware using this domain which were used to target journalists and civil society in Ecuador (See Appendix D: Seeding Domains for a larger list).
Packrat’s Command & Control Infrastructure
Image 4: Packrat’s Command and Control infrastructure [Click image for hires]
Searching for domains related to daynews.sytes.net lead us to taskmgr.serveftp.com which on the August 11th, 2014 was at the IP address 190.210.180.181, an IP address in Argentina, used by daynews.sytes.net for a brief period when it was first registered, before being quickly moved to GoDaddy hosting. The taskmgr.serveftp.com domain also returns to 190.210.180.181 on multiple dates in October of 2014, and May of 2015. On July 23rd, 2014, taskmgr.serveftp.com was hosted at 201.52.24.126, a Brazillian IP address, which was also hosting taskmgr.servehttp.com, and taskmgr.redirectme.com. We found a total of 15 malware samples using either taskmgr.servehttp.com or taskmgr.serveftp.com as command and control domains (or both in the case of several samples). The earliest of these samples had a compile time of December 24th, 2008, providing us with the earliest date we know of that Packrat was active. While it is possible that this timestamp is faked, we have seen no evidence of this on other samples by these attackers.
Packrat’s Command and Control Infrastructure
Domain
Relevant Resolution
Relevant Date of resolution
deyrep24.ddns.net
50.62.133.49
November 7th, 2014
192.169.243.65
March 3rd, 2015
daynews.sytes.net
192.169.243.65
March 3rd, 2015
190.20.180.181
March 1st, 2015
taskmgr.serveftp.com
190.210.180.181
August 11th, 2014
201.52.24.126
July 23rd, 2014
186.220.1.84
July 11th, 2014
taskmgr.servehttp.com
186.220.1.84
June 24th, 2014
201.52.24.126
July 23rd, 2014
186.220.1.84
July 11th, 2014
186.220.11.67
August 15th, 2014
taskmgr.redirectme.com
201.52.24.126
July 23rd, 2014
186.220.1.84
July 11th, 2014
ruley.no-ip.org
186.220.1.84
July 11th, 2014
189.100.148.188
September 6th, 2012
lolinha.no-ip.org
189.100.148.188
September 6th, 2012
wjwj.no-ip.org
189.100.148.188
September 6th, 2012
conhost.servehttp.com
186.220.11.67
August 15th, 2014
dllhost.servehttp.com
186.220.11.67
August 15th, 2014
wjwjwj.no-ip.org
179.208.187.216
March 25th, 2014
186.220.1.84
June 24th, 2014
wjwjwjwj.no-ip.org
179.208.187.216
March 25th, 2014
On July 11th 2014, all ‘taskmgr’ domains were hosted on 186.220.1.84, an IP address in Brazil. At the same time, this IP address was hosting ruley.no-ip.org. We managed to find a malware sample[2] using both ruley.no-ip.org and taskmgr.servehttp.com as command and control domains. On September 6th, 2012, ruley.no-ip.org was hosted at 189.100.148.188, another Brazillian IP address, along with two other domains lolinha.no-ip.org and wjwj.no-ip.org. We found two samples configured with all three of these domains as command and control servers, three samples which used both ruley.no-ip.org and wjwj.no-ip.org, two samples just using wjwj.no-ip.org, and one sample just using ruley.no-ip.org. On August 15th, 2014, taskmgr.servehttp.com was hosted on 186.220.11.67, another IP address in Brazil. On the same date, this IP hosted both conhost.servehttp.com and dllhost.servehttp.com. We found two samples configured with both conhost.servehttp.com and dllhost.servehttp.com as command and control servers.
In addition to these domains, the domains wjwjwj.no-ip.org and wjwjwjwj.no-ip.org appear to be related. On March 25th, 2014 both wjwj.no-ip.org and wjwjwj.no-ip.org point to 179.208.187.216. On June 24th, 2014, both taskmgr.servehttp.com and wjwjwjwj.no-ip.org pointed to 186.220.1.84. We didn’t manage to find malware samples related to either wjwjwj.no-ip.org or wjwjwjwj.no-ip.org.
The command and control servers behind these domains were hosted with a variety of providers around Latin America, including: Uruguay Montevideo Administración Nacional De Telecomunicaciones, Argentina Buenos Aires Nss S.A. (IPLAN), and Claro Brazil.
Packrat has also used servers in Europe and the US, including Portlane AB in Sweden and GoDaddy in the United States.
We have notified hosting providers in order to facilitate the shutdown of Packrat’s infrastructure.
Part 2: Recent Malware Attacks in Ecuador
Packrat is active in many countries, but it is in Ecuador that we were able to gather the most systematic evidence of their activities, as well as connect directly with targets and victims. We are also tracking active attacks against Ecuadorian targets at the time of writing.
Image 5: Some of Packrat’s known target groups in Ecuador
Using email inbox search queries that we shared with potential targets (See: Appendix A), as well as analysis of malware databases and seeding infrastructure, we collected a diverse set of malware and phishing attacks targeting journalists, public figures, politicians, and other prominent individuals (see: 5. Packrat’s Persistent Phishing Campaigns for examples).
2.1 Previous Reports of Packrat Malware in Ecuador
There are public reports, as well as social media mentions, that point to politically-linked malware attacks Ecuador by Packrat. For example, Ecuadorian freedom of expression organization Fundamedios reported that public figures, satirical news organizations, the director of Fundamedios, and others, had received suspicious messages and phishing attempts. Fundamedios later updated their reporting to note that Access Now had stated that some of these attacks shared command and control infrastructure with the malware that was reportedly used to target Nisman. There are also indications on Twitter of phishing attacks and malware. We have been able to link many of these reports to Packrat.
2.2 Common Techniques
We observed a range of social engineering techniques used to send malware to Ecuadorian targets. In the cases where we observed seeding, we found that the malware was often accompanied by political bait content, frequently relevant to Ecuador’s opposition. In other cases, the seeding was personalized to the intended victim. The most common delivery mechanism was via Microsoft Word DOCX files containing malicious Java. However, in other cases, attackers used fake updates.
Common Seeding Techniques
Emailed as attached malicious files
As links to malware hosted on sites controlled by the attackers
On Google Drive or Onedrive
Popups or fake update notifications on politically themed / lookalike sites
Packrat often uses email senders and websites in its social engineering that appear similar to real persons and organizations. For example, they registered ecuadorenvivo.co, which looks like the genuine domain of the Ecuador En Vivo news website (ecuadorenvivo.com). Packrat then sent e-mails purporting to be e-mail news updates (a practice by the real Ecuador En Vivo) from the ecuadorenvivo.co domain.
Packrat also sometimes creates identical paths to real news stories, and hides them under clickable links. For example:
Typical Lookalike Domain
What the target sees:
http://ecuadorenvivo.com/videos/el-meme-que-volvio-loco-a-correa.html
HREF of the actual malicious link:
http://ecuadorenvivo.co/videos/el-meme-que-volvio-loco-a-correa.html
2.3 Three Attacks in Detail
To illustrate Packrat’s approach, this section describes three recent attacks in detail. The attacks date from between Spring and Fall 2015. Targets of these attacks include Ecuadorian journalists and public figures.
2.3.1 Attack 1: Email from a fake opposition movement
Throughout April 2015, multiple targets received e-mails from the “Movimento Anti Correista” (English: “Anti Correa Movement”), a fictitious group (based on open source searches and consultation with individuals familiar with the region) that purports to be opponents of Ecuador’s current president, Rafael Correa. The emails contained a Microsoft Word DOCX attachment containing Adzok malware (See: Section 3. The Evolution of Packrat’s Implants), as well as text and graphics to bolster the fiction.
Example Seeding E-mail from “Movimento Anti Correista”
Image 6: Example Seeding E-mail from “Movimento Anti Correista”
Seeding text translation:
Subject: Foul Play by Rafael Correa Against the Opposition
Body:
We are sharing with you this leaked document about President Rafael Correa’s dirty tricks against the opposition
(Open on a PC, this cannot be read on a phone.)Coming soon more leaks on: www[.]movimientoanticorreista.com
The e-mail seems intended for several purposes. It is obviously designed to trick the target into downloading and viewing the document, but it also seems to be an effort to establish the legitimacy of the domain, and the identity of the movement.
The Malicious Attachment
Name La jugada sucia De Correa ante la oposición.ppt
Type: Microsoft Word Document file (.docx)
MD5: ea7bcf58a4ccdecb0c64e56b9998a4ac
Image 7: Seeding email with text
Embedded in this document is software called “Adzok – Invisible Remote Administrator.” Analysis of the malware can be found in Section 3: The Evolution of Packrat’s Implants and the configuration of this implant can be found in Appendix C: Malware Configuration.
2.3.2 Attack 2: You are being spied on!
This attack is designed to create a sense of fear and concern in the target, leading to the file being opened. The e-mail is customized for the target’s name, and claims that the target is being spied on by SENAIN, Ecuador’s National Intelligence Secretariat. The attachment purports to be a list of Twitter users spied on by SENAIN. Interestingly, the purported sender is “Guillermo Lasso,” the defeated challenger in Ecuador’s last presidential election.
Image 8: Email with the purported sender as “Guillermo Lasso,” the defeated challenger in Ecuador’s last presidential election
Seeding text translation:
Subject: [Target’s Name] spied on by SENAIN
Body:
Greetings,G.L
Note: Open this on your personal computer. It can’t be opened by smartphones.
Like Attack 1, the malware is not delivered with an exploit, but rather requires that the victim double clicks on the file and accepts any prompts before executing it.
The document instructs the target to click:
Image 9: Document instructing the target to click
English Translation
In English: TO READ ALL THE TWEETS DOUBLE CLICK ON THE GRAPHIC OF TWITTER
When the image is double clicked, the victim is infected with malware from the AlienSpy family. Examining the configuration file of the malware reveals that the malware uses the the C2 server daynews.sytes.net, which is a domain common to several Packrat attacks. Interestingly, we found that the same document (identical MD5) was re-purposed for several other attacks.
File Name
MD5
LOS TUITEROS ESPIADOS POR SENAIN.docx
efc0009d76a2057f86c5f00030378c72
Los trinos de Rafael Correa.docx
efc0009d76a2057f86c5f00030378c72
Detailed analysis of the malware can be found in Section 3 and the configuration of this implant can be found in Appendix C.
2.3.3 Attack 3: “Exclusive Information about Correa’s Lies”
This attack was served via a link to a fake political website hosting malicious content. The e-mail served to direct the victim to the site. Interestingly, the attack attempts to trick the target into believing that it originates from the legitimate investigative journalism site Focus Ecuador. Packrat appears to have acquired the .tk and .info domains of the same name, just as they had with Ecuador En Vivio.
De: Focus Ecuador <focusedtior1@gmail.com>
Fecha: [September, 2015 REDACTED]
Asunto: FOCUS ECUADOR ADELANTA EL VIDEO DEL ESCANDALO
Para: [REDACTED]
El informe sobre las mentiras de Correa: ver video exclusivo: http://focusecuador.tk/
English Translation
From: Focus Ecuador <focusedtior1@gmail.com>
Date: [September, 2015 REDACTED]
Subject: FOCUS ECUADOR THE VIDEO SCANDAL
To: [REDACTED]
Information on the lies of Correa see the exclusive video: http://focusecuador.tk/
The email also contains a tracking image from the domain mesvr.com, which is commonly used by ReadNotify, a service used to track the delivery of emails. It appears that the attackers were hoping to gain additional information about their targets, such as possibly de-anonymizing the IP addresses of targets who might be reluctant to open files.
The focusecuador.tk lookalike website contained content scraped from the legitimate site, but also showed victims a Flash update notification. When clicked, the link triggered the download of “plugin_video.jar”.
The fake Flash update notification
Image 10: Fake Flash update
This is not a flash update, but a bundle of the AlienSpy / Adwind Remote Access Toolkit. When executed, this java-based malware establishes communications with Packrat’s familiar Command & Control server at 46.246.89.246 (daynews.sytes.net). Analysis of the malware reveals an identical configuration to the LOS TUITEROS ESPIADOS POR SENAIN.docx and the Los trinos de Rafael Correa.docx samples.
Attack 3: Binary
Name: plugin_video.jar
Type: Java Archive (JAR)
MD5: 74613eae84347183b4ca61b912a4573f
Detailed analysis of the malware can be found in Section 3 and the configuration of this implant can be found in Appendix C.
2.4 Packrat Speaks!
During the course of our behavioral analysis of Attack 3, a Packrat operator began to communicate to one of the Citizen Lab researchers in Spanish and English on an infected machine.
Image 11: Threats and taunts as they appeared on the Citizen Lab researcher’s screen
The taunts were delivered as popups and text displayed in Internet Explorer. The tone was threatening and vulgar. This one reads “You like playing the spy where you shouldn’t, you know it has a cost: your life!” Some of the messages sound stilted or non-idiomatic in the original Spanish, which might or might not be intentional, or provide clues as to the native dialect (or mother tongue) of the operator.
More Taunts: Translated English and Original Spanish
Translation
Original
Now you are in trouble ! Lammer!
Ahora si estás en líos ! Lammer !
You think you’re living, we have your IP!
Te crees vivo, tenemos tu IP
You keep analyzing processes
Tu sigue analizando procesos
We are going to analyze your brain with a bullet and your family too
Vamos a analizar tu cerebro con una bala y en la de tu famila
Take care of your family
Cuida a tu familia!
We have your picture
Ya tenesmos tu fotografia
You like playing the spy where you shouldn’t, you know it has a cost, your life!
Te gusta jugar a la espía y meterte donde no debes, pues debes saber que tiene un costo, tu vida!
Take your time and scan processes, we’re going to get you quickly
Analiza tranquilo los procesos, que te llega rapido
Several taunts also came through in mangled English:
“We gou You Punk!!” [sic]
“Your are playing with fire, will get burn !”
Perhaps aiming for surprise value, the attackers also used Windows text-to-speech functionality to have the infected machine play out some of their Spanish-language taunts.
Dim message, sapi
message=”Analiza tranquilo los procesos”
Set sapi=CreateObject(“sapi.spvoice”)
sapi.Speak message
This occurred a second time in October, when the attackers again taunted a researcher, followed by using the implant to issue a remote shutdown command to the infected device.
It is unusual, though not unheard of, for attack operators to engage with researchers. This kind of engagement could be considered a serious breach of operational security. Packrat took exception to these unwritten rules. It may be that Packrat has experienced other cases of individuals touching their infrastructure, or attempting to analyze their files, especially after some of their infrastructure was exposed. Since Packrat prefers to leave the infrastructure online, they may be trying to discourage unwelcome attention.
3. The Evolution of Packrat’s Implants
Over the past seven years Packrat has used several different types of malware, much of it off-the-shelf RATs, such as Cybergate, Xtreme, AlienSpy, and Adzok. While these malware families are known to researchers, Packrat typically obfuscates their malware using a range of tools, including: an unknown VB6 crypter, AutoIt3Wrapper, UPX, PECompact, PEtite, and Allatori Obfuscator. This layer of obfuscation means that Packrat’s attacks frequently escaped detection by antivirus when the attacks were deployed. This section describes these tools, roughly grouped into distinct time periods.
Image 12: Packrat malware families
3.1. 2008-2014: Packed RATS, mostly CyberGate
Between 2008 and 2014, Packrat made extensive use of off-the-shelf RATs encapsulated in AutoIt3Wrapper, a runtime packer. This packer is written in AutoIt, a compilable scripting language for automating tasks in Windows. The use of an initial obfuscation layer seems to have been enough to thwart or at least misguide detection, as well as leverage some basic anti-debugging techniques.
The majority of implants that are then dropped and executed appear to be CyberGate RAT. In 2013 and 2014, Packrat seems to have adopted XtremeRAT as well. Cybergate and Xtreme are both written in Delphi and share code with each other and other Delphi based RATs, SpyNet and Cerberus.
Many of these attacks included embedded decoy Office documents that are opened at execution of the implant, likely in the context of a targeted attack. Among the documents we found are résumés of purported Brazilian citizens, as well as purported payment receipts of the Association of Lawyers of Sao Paulo, Brazil.
Image 13: A résumé
These attacks suggest that Packrat had Portuguese speaking targets during this period. Based on the specifics of the bait documents, it seems likely that they were Brazilian.
Image 14: Payment receipt
The majority of the implants we found were configured to beacon back to a Command & Control, taskmgr.servehttp.com, although a few others include ruley.no-ip.org, lolinha.no-ip.org, and taskmgr.serveftp.com (See Appendix B for a complete list).
3.1.1 Analysis of CyberGate RAT
The CyberGate RAT samples we analyzed were, as mentioned above, typically wrapped in a layer of AutoIt. Code and strings found in the binary indicate that it is based on the Spy-Net RAT version 2.6. This RAT was developed by a Brazilian hacker using the handle spynetcoder and is outlined on the Spy-Net RAT ‘official’ website.
CyberGate’s Infection Routine
After unpacking from the applied runtime packer, CyberGate runs its second stage, which is likeley the infection routine. This injects the third stage, a DLL, into a running process. Once implanted, CyberGate then deploys a range of techniques for persistence and monitoring.
The third stage module picks from three execution paths (based on mutexes, which can also be set by a prior infection):
Password gathering (mutex: “_x_X_PASSWORDLIST_X_x_”)
Block mouse and keyboard input to any other application (mutex: “_x_X_BLOCKMOUSE_X_x_”)
Infection routine
CyberGate Anti Analysis
The infection routine comes with a set of anti-analysis features packaged in a single function. CyberGate searches for a range of virtual and sandbox environments.[3] It also checks for user space debuggers through the IsDebuggerPresent API, and for SoftICE and Syser through their respective pipes. The malware performs breakpoint detection on the function entries of the listed anti-analysis features by checking whether the first byte of each function equals ‘CC’, the bytecode indicating a breakpoint.
Image 15: CyberGate Anti Analysis
CyberGate Process Injection
The infection routine fetches the encrypted implant from the resource section, and upon decryption attempts to inject its implant into the Windows system shell process (explorer.exe). If this fails, CyberGate launches an explorer.exe process on its own, injects its implant into it, and then completes the setup. Additionally, another instance of the CyberGate implant is injected into a default browser process, which runs invisibly.
The infection routine drops a copy of itself into different directories, depending on the Windows version: /System, /Windows, or /Program Files. The implant’s name varies: taskhost.exe, regedit.exe, or taskmgr.exe are all common. The infection routine also writes a copy of the encrypted implant into the %TEMP% directory and names it XX–XX–XX.txt.
To achieve persistence, the second stage writes registry keys so that CyberGate is run at startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\%GUID%\StubPath: “C:\WINDOWS\System32\regedit.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies: “C:\WINDOWS\System32\regedit.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig: “C:\WINDOWS\System32\regedit.exe”
Password Collection
If tasked with password collection, the second stage binary grabs passwords from a range of locations, including: the No-ip Dynamic Update Client (DUC), MSN messenger, Firefox, and Internet Explorer. The credentials are collected from the Windows Registry, browser profiles, the RAS dial up settings, Local Security Authority (LSA) settings, MS ProtectedStorage, MS IntelliForms, and the credential store.
CyberGate’s Functionality
The CyberGate implant runs two instances. The first runs in the default browser process, and acts as the monitoring component. Meanwhile, the explorer.exe instance serves as ‘watchdog,’ ensuring persistence and making sure the infector binary on disk doesn’t disappear.
Image 16: Searching for indicators of an existing Spy-Net installation
The CyberGate implant comes with the same credential stealing capabilities as the infector, and is extended by routines to spy on Chrome and STEAM credentials as well. Also inherited from the infector, the implant owns the same anti-analysis routine protecting it from sandboxes and debuggers.
Beyond the capabilities seen in the infector, CyberGate has a range of features that provide an attacker with a full spectrum of monitoring and remote control functionality.
CyberGate capabilities include:
Collecting detailed information about the infected system
Activation and control of the webcam and microphone
Screenshot capture
Blocking user input (e.g. keyboard and mouse)
Control over processes, windows, applications, devices, drive, ports, TCP & UDP connections, the clipboard, registry keys and values etc.
Control over the filesystem
Download and execution of further binaries
Exfiltration via FTP
Collection of information on installed security products
Interestingly, CyberGate gathers information on installed security products through the Windows Management Instrumentation (WMI) by launching cscript.exe on a hardcoded .vbs-script. The script requests name and version number of installed antivirus and firewall solutions and dumps the data to a file:
Set objSecurityCenter = GetObject(“winmgmts:.rootSecurityCenter”)
Set colFirewall = objSecurityCenter.ExecQuery(“Select * From FirewallProduct”,,48)
Set colAntiVirus = objSecurityCenter.ExecQuery(“Select * From AntiVirusProduct”,,48)
Set objFileSystem = CreateObject(“Scripting.fileSystemObject”)
Set objFile = objFileSystem.CreateTextFile(“%FILEPATH%”, True)
Enter = Chr(13) + Chr(10)
CountFW = 0
CountAV = 0For Each objFirewall In colFirewall
CountFW = CountFW + 1
Info = Info & “F” & CountFw & “) ” & objFirewall.displayName & ” v” & objFirewall.versionNumber &
Enter
NextFor Each objAntiVirus In colAntiVirus
CountAV = CountAV + 1
Info = Info & “A” & CountAV & “) ” & objAntiVirus.displayName & ” v” & objAntiVirus.versionNumber &
EnterobjFile.WriteLine(Info)
objFile.Close
Collected data is stored in dump files on disk and exfiltrated to the remote server component by HTTP or FTP.
3.1.2 Analysis of XTremeRAT
XTremeRAT is commercial off-the-shelf malware, often available cracked, and used to monitor victim machines. While used by apolitical hackers, XTremeRAT has been extensively used by government-linked malware groups to target the opposition during the ongoing Syrian Civil War, as well as by other politically-motivated groups in the Middle East and North Africa. It has also been extensively analyzed, and we encourage interested readers to review some of these analyses.
While often packed, XTreme RAT itself has limited stealth and persistence functionality. Its monitoring capabilities are also straightforward. The versions we analyze here have no code obfuscation. XTreme Rat is implemented as client/server architecture, where the infected machine acts as server, while the C&C component is the client.
This version of Xtreme Rat’s capabilities include:
Logging keystrokes
Logging the name of the foreground desktop application
Sniffing the clipboard for passwords
Downloading and executing binaries via HTTP, presumably to install second stage malware
Image 17: Installation of the XTreme RAT keylogger module
Xtreme RAT operation and keylogging functionality
The Xtreme RAT implant sniffs the clipboard contents via the keylogger window, using a clipboard viewer that it also installs. The viewer receives the window message WM_DRAWCLIPBOARD every time the clipboard changes, and provides access to Clipboard contents. Clipboard and keylogger data is dumped to a .dat-file that, along with the configuration file (.cfg), is located in the […]\Application Data\Microsoft\Windows folder for the current user. Both filenames are dictated by XTreme RAT’s configuration.
XTreme RAT data files
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\RJokLSZBj.cfg
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\RJokLSZBj.dat
The dump file is exfiltrated via push to FTP. XTreme RAT comes with preconfigured FTP server credential placeholders (ftpuser/ftppass) to log on to ftp.ftpserver.com, which are then switched for updated values received from the C&C at runtime.
The XTreme RAT implant also creates a mutex named following the same naming scheme as configuration and dump file (e.g. “RJokLSZBjPERSIST”). The RAT’s configuration is fetched from the .rsrc-section and encrypted using RC4, with the key “CONFIG”. The same algorithm and key combination has been seen in use before in other variants of XTreme RAT.
This variant of XTreme RAT uses explorer.exe as a container for remote threads to carry out specific functions. Thread injection can happen on at least three occasions.
Possible injections of explorer.exe by XTreme RAT:
A ‘watchdog’ thread to restore persistence keys, and to locate and run the infector binary. To increase stealth, the dropping module changes the timestamp of the dropped infector.
A thread for deleting of XTreme RAT’s files on disk
The entire keylogging code and FTP push functionality
3.2: 2014- 2015 AlienSpy Dominates
Over the past two years, Packrat has been using an evolving family of off-the-shelf malware known as AlienSpy. The software began as the free RAT “Frutas,” and was identified in 2013 during a campaign in Mexico. This was subsequently adapted for commercial sale as the “Premium RAT” Adwind. Adwind could be purchased for $75 for a single license, and up to $250 for multiple licenses. Then, by 2013, AdWind was renamed UNRECOM (UNiversal REmote COntrol Multi-platform), and was detected in targeted attacks in the Middle East.
The software was most recently branded “AlienSpy,” and was again found by security researchers in targeted spying operations. At the time of this report, the latest re-packaging of this RAT is known as JSocket. For the purposes of this report, we’ll refer to all variants of this spyware as “AlienSpy.” AlienSpy is a relatively full-featured RAT with a range of features, such as recording the victim’s keystrokes, audio eavesdropping via a device’s built-in microphone, remote viewing of the desktop, and the ability to turn on a victim’s webcam “without user notification.” Alienspy has been extensively analyzed by malware researchers, including reports by ProofPoint and Fidelis.
3.2.1 Packrat’s Alienspy Deployment
From 2014 to early 2015, Packrat’s preferred technique was to send AlienSpy implants as attachments in phishing emails with the extension ‘.pdf.jar.’ The default setting in Windows is to hide file extensions, thus making it appear to be a “.pdf” file. With some minor differences, all the samples from this time period are built in a similar manner. There’s an outer .jar (Java archive) file containing a folder named META-INF and two files: Favicon.ico and Principal.class. Upon execution, Principal.class unzips the contents of “Favicon.ico” (not an icon file, but a .zip archive), and looks for a filename containing “.jar”.
Contents of Favicon.ico
0doc.jar
1Estrictamente Secreto y Confidencial.pdf
Once it finds the right file (in this case 0doc.jar), it drops it to a randomly-named temp file starting with a constant string and invokes Java to run it.
Inside the .jar file from “Favicon.ico”
META-INF/MANIFEST.MF
MANIFEST.MF
ID
plugins/Server.class
Main.class
Estrictamente Secreto y Confidencial.pdf
“Main.class” is obfuscated using Allatori, a Russian-origin JVM obfuscator used by AlienSpy.
This reads part of an RC4 key from the file “ID.” To this it appends a constant string, then uses the full RC4 key to decrypt the contents of MANIFEST.MF, which yields the actual Adwind implant JAR file. Others have written about the operation and deobfuscation of Allatori, including how to deobfuscate it, here, here, and here.
AlienSpy in MS Office Documents
In 2015, Packrat started sending AlienSpy implants embedded in .docx files. The method used to obfuscate these files is more complex, but ultimately similar to previous techniques. Uncompressing an infected MS Word document reveals a file named “oleObject1.bin” under the directories word/embeddings. Opening this file, which is a jar, reveals:
a
abcdefghijka.class
abcdefghijkf.class
abcdefghijkj.class
abcdefghijks.class
abcdefghijku.class
abcdefghijkz.class
a.txt
b.txt
c.dat
kjmhs
Main.class
META-INF
Similar to the obfuscation described above in Packrat’s earlier uses of AlienSpy, half the decryption key is in a.txt. The other half is a string which is decrypted iteratively by the abcdefghijk[a,f,j,s,u,z].class files with the method and class names from the caller.
Persistence is achieved by adding the following registry value:
“reg.exe” (Access type: “SETVAL”, Path: “\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN”, Key: “JAVASE”, Value: “”C:\Users\PSPUBWS\Cas436FlashJava\RoUndCuBe\bin\javaw.exe” -jar “C:\Users\PSPUBWS\Cas436FlashJava\Cas436FlashJava\Cas934FlashJava.
3.2.2 Adzok makes an appearance
Between 2014-2015, Packrat also used Adzok – Invisible Remote Administrator. Similar to AlienSpy in functionality, the java-based Adzok is apparently from Bolivia. The premium version costs $990, but it appears that Packrat is using the “free” version. This version of Adzok does not use obfuscation, which makes it possible to simply uncompress the jar files within the docx and read the clear-text configuration file. Given the obfuscated nature of the other RATs that Packrat has used, their use of Adzok is surprising. It is possible that they were having stability, compatibility, or detection problems with other RATs and that Adzok served a specific requirement.
4. Packrat’s Persistent Phishing Campaigns
Packrat is active in phishing, often against the same groups and individuals whom they target with malware. For example, when examining one target of malware attacks, we found this individual had been targeted by dozens of phishing attempts by Packrat during the same period. The same domains and fake identities that Packrat uses to seed malware are also used to serve phishing, although Packrat also maintains dedicated phishing sites and servers. While phishing e-mails appeared to be regularly sent, we also observed particular cases of the phishing apparently sent to targets in response to contacts they made during our investigation.
We have been able to achieve the most systematic visibility of Packrat’s campaign against Ecuadorian targets, but have found evidence of targeting in neighboring countries including Venezuela. Packrat uses both e-mails and social media messages, as well as SMSes to send phishing messages.
This section describes these phishing campaigns, and describes both Politically-Themed and Non-Politically Themed phishing attacks.
Category
Example Domain
Note
Politics & News
lavozamericana.info
Fake news website
Governmental – Ecuador
asambleanacional-gob-ec.cu9.co
Lookalike to the Ecuadorian National Assembly’s e-mail login
Political Movement – Ecuador
movimientoanticorreista.com
Fake political movement
Free E-mail
mgoogle.us
Fake Google login
4.1 Non-Politically Themed Phishing Content
One of the most common phishing techniques is lookalike communications from popular webmail and social media sites containing requests for password verification, notifications of unauthorized logins, and so on. Packrat uses a wide range of templates for the major email providers, including Gmail, Yahoo and Hotmail. A majority of the e-mails are in Spanish. The messages are typically personalized to the targets, including both their names and e-mail addresses.
Image 18: Example phishing email
Translated Message
From: Gmail Team no.response.delivery.es@gmail.com
Subject: [Victim Name], you have a pending warning !
To: [victim email]
[Victim email],
[Victim Name]for security reasons we request that you verify your account below.
To ensure proper use of your account, we request that you verify it.
Click here to verify your account.
Depending on the attack, the phishing either contains a direct link to the phishing URL, or uses a shortener.
4.1.1 Most Recent Non-Political Phishing
Recently, the attackers appear to have slightly varied their technique. We have observed them making extensive use of tinyurl as a shortener, as well as moving their phishing pages to the free host cu9.co. The attackers may have concluded that using a free provider reduced costs and increased flexibility.
Example recent phishing URL and shortener:
tinyurl.com/nww83ov Yields: main-latam-soporte-widget-local.cu9[dot]co
4.1.2 Example Non-Political Phishing SMSes
A number of Packrat’s targets also received phishing SMSes. The SMSes often use similar language to the phishing e-mails, and in some cases use the same shortened URL. In other cases, the attackers push harder, warning the targeted user that their accounts will be terminated if they fail to follow the link. In at least one case we observed that the messages contained improperly formatted e-mail addresses.
Image 19: Example of non political phishing
4.2 Politically Themed Phishing
We observed a wide range of e-mails and messages that contained content with political overtones. Packrat takes two basic approaches in the attacks we have examined. First approach: create fake political and media organizations. Second approach: impersonate well-known groups and high-profile individuals. Attacks typically took the form of messages and e-mails containing information either in ‘solidarity,’ upsetting information, or other relevant news. A majority of what we observed seemed to be crafted to appeal to opposition elements.
While much of the phishing seems to mimic common free webmail and social media sites, in specific cases, Packrat mimicked e-mail services of high-profile targets, like the Ecuadorian National Assembly.
4.2.1 Targeting Ecuadorian Parliamentarians
A group we believe to be Packrat has operated a phishing campaign that mimics the Ecuadorian national assembly’s webmail portal. This malicious site prompts the target(s) to enter their email credentials, which are captured via formmail, a technique seen repeatedly in the phishing pages we identified (see below).
asambleanacional-gob-ec.cu9.co
The legitimate domain is:
http://mail.asambleanacional.gob.ec/
4.2.2 A Typical Credential Harvesting Page
Whatever the bait, the links on the messages typically lead victims (often via a shortener) to a lookalike domain for a free email provider. During the summer of 2015, a frequently observed domain was a lookalike for Google, although there have been many others:
mgoogle.us
While the attacks were active, mgoogle.us hosted a Spanish-language lookalike Google login.
Image 20: mgoogle.us hosted a Spanish-language lookalike Google login
Once a victim’s credentials are entered, they are shown a Spanish language note “confirming” that their gmail has been “unblocked” and thanking the victim for “choosing us.”
Image 21: A Spanish language note “confirming” that their Gmail has been “unblocked”
In other cases, Packrat sends “confirmation” emails to the original victim, congratulating them on “successfully” verifying their account after credentials are entered.