By John Scott-Railton,* Bahr Abdulrazzak,* Adam Hulcoop,* Matt Brooks,* & Katie Kleemola**
*The Citizen Lab at the Munk School of Global Affairs, University of Toronto; **Lookout Inc.
Read the Associated Press exclusive.
Read the op-ed by Citizen Lab Director Ron Deibert.
Media coverage: BoingBoing.
Executive Summary
This report describes an elaborately staged malware operation with targets in the Syrian opposition. The operators have used use a range of techniques to target Windows computers and Android phones with the apparent goal of penetrating the computers of well-connected individuals in the Syrian opposition.
We first discovered the operation in late 2015 when a member of the Syrian opposition spotted a suspicious e-mail containing a PowerPoint slideshow. From this initial message, we uncovered a watering hole website with malicious programs, malicious PowerPoint files, and Android malware, all apparently designed to appeal to members of the opposition.
Elements of the Syrian opposition have been targeted by malware campaigns since the early days of the conflict: regime-linked malware groups, the Syrian Electronic Army, ISIS, and a group linked to Lebanon reported by FireEye in 2015 have all attempted to penetrate opposition computers and communications. Some of these operations are still active as of the time of writing. This report adds one more threat actor to the list: Group5, which we name to reflect the four other known malware groups.
Group5 stands out from the operations that have already been reported on: some of the tactics and tools used have not been observed in this conflict; the operators seem comfortable with Iranian Persian dialect tools and Iranian hosting companies; and they appear to have run elements of the operation from Iranian IP space.
Like a chameleon, Group5 borrows opposition text and slogans for e-mail messages and watering holes, showing evidence of good social engineering and targeting. However, Group5’s technical quality is low, and their operational security uneven. This is a common feature of many operations in the Syrian context: since the baseline security of many of the targets is very low, many successful threat actors seem to conserve (and in some cases not possess) more sophisticated techniques. We believe we identified Group5 early in its lifecycle, before all of the malware that had been staged and prepared could be deployed in a full campaign.
Our analysis indicates that Group5 is likely a new entrant in Syria, and we outline the circumstantial evidence pointing to an Iranian nexus. We do not conclusively attribute Group5 to a sponsor, although we suspect the interests of a state are present, in some form. Group5 is just the latest addition to an expanding cast of actors targeting Syrian opposition groups, and its entry into the conflict shows the continuing information security risks that they face.
Background: The Perpetual Targeting of the Syrian Opposition
Syrians have experienced monitoring and blocking of their electronic communications for many years. As a result, many more technically literate Syrians have familiarized themselves with VPNs and other tools to circumvent simple blocking, and achieve a degree of privacy. After the 2011 Uprising began, the regime disconnected telecommunications services in many areas controlled by opposition groups. This led, in these areas, to the widespread adoption of satellite internet connectivity, mostly via VSAT (Very Small Aperture Terminal) services like Tooway and iDirect, and to a lesser extent the use of BGAN (Broadband Global Area Network) terminals.
At the same time, the Syrian opposition’s activities outside the country, both in neighboring countries like Turkey, as well as in the diaspora, dramatically increased. Much of this activity takes place over social networks, free e-mail accounts like Gmail (and Google Apps for Work), and via tools like Skype’s VoIP services.
These shifts in connectivity limited the effectiveness of the passive monitoring and blocking used by the Al Assad Regime, and frustrated its abilities to monitor the opposition.
However, the shift towards social networks and other online tools has created new opportunities for the regime to target the opposition. Opposition members constantly share information, files, tools and programs, via social media. This highly-connected environment enables them to be highly aware of changing events, and quickly mobilize resources. In addition, a number of online services, such as the Google Play Store, are blocked or restricted for Syria. As a result, a culture of sharing Android APK files has also developed.
The heavy reliance on popular online platforms, and regular sharing of tools, presents many opportunities to seed malicious files. For the regime, a successful operation means a chance to regain visibility into the activities of groups within the geographic borders of Syria, while extending their reach outside into the diaspora. For other groups, such as ISIS, the digital vulnerability of the opposition presents an opportunity to develop a capability against opposition communications. The following section outlines several of these known threat actors.
Regime-Linked Groups
The most well-known threat actor to target the Syrian Revolution is the Syrian Electronic Army (SEA). However, many of the targets of the SEA have been Western organizations, although the SEA continues to conduct lower-profile operations that include malware against the opposition. Less notorious, although still the subject of reporting, are malware groups linked to the regime. These malware groups have been active since 2011, and have used a wide range of Commercial-Off-The-Shelf (COTS) Remote Access Trojans (RATs) to target the opposition. Typically, these groups bundle RATs with a wide range of documents and programs designed to appeal to the opposition. Over the years, these campaigns have included everything from “revolution plans,” lists of “wanted suspects,” to fake security and encryption tools. These campaigns have been extensively characterized by reports from the Citizen Lab, The Electronic Frontier Foundation, and private companies like TrendMicro and Kaspersky. A range of reports have documented these regime-linked campaigns over the years.
Pro-Regime Groups Outside Syria
There is also evidence of pro-Assad groups outside Syria participating in malware campaigns against opposition. Notably, a group reported on in 2015 by FireEye (in collaboration with one of the authors of this report) used female avatars to send trojaned documents to high profile figures in opposition politics, aid, and armed groups. The operation yielded over 31,000 conversations, and a trove of sensitive information about a variety of groups’ plans and activities. This group also made use of fake matchmaking websites and social media accounts to backstop their deception.
ISIS-Linked Groups
On a different side of conflict, the Citizen Lab documented a malware operation linked to ISIS against the group ‘Raqqa is Being Slaughtered Silently’ (RBSS) in 2015. The operators, masquerading as a group of RBSS sympathizers based in Canada, targeted victims with a file that claimed to contain locations of ISIS forces and US Airstrikes within Syria. The file actually contained custom malware that collected and transmitted information about the infected computer. The report concluded that there was strong circumstantial evidence linking the malware to members of ISIS.
Many Groups, Similar Tactics
Each of these groups has distinct Tactics, Techniques and Procedures (TTPs). However, one common thread among the many publicly-reported groups is that they rarely use exploits in their campaigns, instead relying heavily on social engineering and trickery to convince targets to execute malicious files, disguised as innocuous documents.
This may reflect some of these groups’ lack of technical sophistication. For example, many regime-linked groups seem to have very limited skills and technical resources, and rely almost entirely on RATs coupled with well-informed social engineering. These techniques have evolved, but not improved radically since 2011. In other cases, such as the Lebanon-linked group reported on by FireEye, operators may have access to more sophisticated techniques, but see little reason to use them against their targets, given the limited technical capabilities of the opposition.
Part 1: Discovering Group5
This section describes the e-mails that first alerted us to an operation targeting the Syrian political opposition in October 2015.
On October 3rd 2015, Noura Al-Ameer, a well-connected Syrian opposition political figure, negotiator, and former Vice President of the opposition Syrian National Council (SNC), received a suspicious e-mail.1 The e-mail purported to come from a human rights documentation organization she had never heard of: “Assad Crimes.” The sender, using the e-mail address office@assadcrimes[.]info claimed to be sharing information about Iranian “crimes,” a theme familiar to many in the opposition.
Fig. 1: Noura Al-Ameer, former SNC Vice President and a target of the operation. An activist from Homs, Syria, Al-Ameer was detained and tortured in the security branches, later moved to the infamous Adra prison in Damascus, prior to fleeing the country several years ago. Today, she is a delegate to the SNC’s political council and works to document war crimes committed during the conflict. Her identity was falsely used to register the assadcrimes website.
Interestingly, Al-Ameer’s own name was used in the assadcrimes[.]info domain registration, along with other false information (we speculate on the reason for using her name in Part 6: Analysis of Competing Hypotheses).
Along with a brief pretext in the Subject and Body, the e-mail also contains an attached Microsoft PowerPoint Slideshow (PPSX) document that, when clicked, directly opens and runs a PowerPoint slideshow.
E-mail 1: The Initial Message (Dropper Doc 1)
On October 3rd 2015, Al-Ameer received the initial e-mail message, containing the first malicious file:
Translation:
From: office@assadcrimes[.]info
To:
Subject: Iran is killing the Pilgrims in Mina
Body: Iran’s Crimes in the Kingdom of Saudi Arabia
Examination of the header of the message indicates that the message was sent via 88.198.222[.]163, the same IP address as the Command & Control (C2) for the malware dropped by the file (See Part 3: Windows Malware).
Assadcrimes.ppsx
MD5 : 76F8142B4E52C671871B3DF87F10C30C
Communication with the Operator
Al-Ameer, who is no stranger to digital threats, recognized that the e-mail was suspicious, and on our instruction made contact with the operator, hoping to elicit further malware.
Al-Ameer’s E-mail:
Translation:
From: [Redacted]
To: office@assadcrimes[.]info
Body:
Hello
The file didn’t work …. Please send a correct version
E-mail 2: The Operator Replies (Dropper Doc 2)
Shortly after the target’s message, the operator replied with an updated file, sent via a webmail client (RoundCube):
Translation:
From: office@assadcrimes[.]info
To:[Redacted]
Body:
inf* download
We are unsure why the second e-mail does not contain additional social engineering text. It is possible this was an oversight, or that the Group5 operator at the time was not comfortable writing in Arabic.
Assadcrimes1.ppsx
MD5: F1F84EA3229DCA0CCACB7381A2F49F99
Bait Content: Syria and Iran-Themed PowerPoint Slideshows
The PPSX documents (assadcrimes.ppsx & assadcrimes1.ppsx) contain a series of images and Arabic text, including cartoons and photographs describing politically sensitive events, such as aggressions launched by Iran against Saudi Arabia, and the politics surrounding the current Syrian conflict. The documents also provide a historical overview of Iranian-linked “attacks” and other events in the Kingdom of Saudi Arabia.
Figure 2: Screenshot from a slide referred to an Iranian attack in 1984 against petrochemical facilities in Saudi Arabia.
Translation:
On 1404 A.H – 1984 A.D Iranian warship attacked Saudi Arabia
On 1404 A.H, two Iranian war planes headed to Jubail industrial city, to bomb and hit critical factories (Petrochemical factory) and by god’s well, the Saudi’s air forces was able to hit one plane, while the other managed to escape.
When opened, both files download malware onto the victim’s machine. Malware from these files is analyzed in Part 3: Windows Malware.
Part 2: The Assadcrimes Website
Group5 operated a website, assadcrimes[.] info that served as a watering hole for Android and Windows malware. This section outlines the various files hosted on the site.
After the initial e-mails, we began to monitor a website linked to the e-mails: assadcrimes[.]info. At the time of these e-mails (Oct. 3, 2015), the site was not fully functional. However, within a few days (Oct. 11, 2015) the main page displayed “Posts Tagged Bashar Assad Crimes” with content apparently critical of Bashar Assad. The content appears to have been scraped from an opposition blog, as well as from other opposition sites. This blog was created in the name of Tal al-Mallohi, known as Syria’s youngest prisoner of conscience. The original blog creation predates the current unrest in Syria.
Figure 3 : Screenshot of the website taken in April 2016 (assadcrimes[.]info).
Shortly before this publication of Group5, the website was listed as “expired” and parked, indicating that the owner chose not to renew the domain.
Group5 Staging and Targeting
Malware Seeding on the Website (Dropper Doc 3)
While monitoring the website, we identified several directories that auto-download a further malicious file (assadcrimes.info.ppsx). These links seem designed for other forms of social engineering, perhaps using similar bait to the messages targeting Al-Ameer. The Assadcrimes.info.ppsx file concerns the Syrian conflict, with characters and cartoons culled from social media and online sites.
Figure 4 : A slide from the file Assadcrimes.info.ppsx
Translation:
A new Play in Syria
Russian-American plan to divide the Syrian cake.
When viewed, the victim’s computer is silently infected with malware (See Part 3: Windows Malware).
Assadcrimes.info.ppsx
MD5: 30BB678DB3AD0140FC33ACD9803385C3
Martyred Children (Decoy Dropper 4)
Elsewhere on the site we found several HTML pages that, when visited, triggered the downloading of a malicious executable named “martyred children” (alshohadaa alatfal.exe). When executed, the program pulls images hosted on assadcrimes[.]info of the Ghouta Chemical Attacks, while simultaneously infecting the target machine with malware.
Figure 5 : showing screenshot of ‘alshohadaa alatfal.exe’ running. Images blurred by the authors.
Malware from the website is described in Part 3: Windows Malware
alshohadaa alatfal.exe
MD5: 2FC276E1C06C3C78C6D7B66A141213BE
Android Malware
While examining the assadcrimes[.]info website, we identified Android malware, seeded via a fake Adobe Flash Player update notification. We describe this Android malware in detail in: Part 4: Android Malware.
adobe_flash_player.apk
MD5: 8EBEB3F91CDA8E985A9C61BEB8CDDE9D
Part 3: Windows Malware
Group5 used (or was staging) a range of malware in this operation, ranging from malicious PowerPoint slideshows using exploits to executable files that directly drop malware. A comprehensive analysis of their malware is found in Appendix A: Windows Malware Analysis.
Malicious PowerPoint
The initial Group5 targeting that we observed in the e-mails to Al-Ameer included PPSX documents as a vehicle for malware using two different techniques: (1) executing OLE objects using animation actions within a PowerPoint slideshow and; (2) using CVE-2014-4114 to drop and execute malicious code.
In assadcrimes.ppsx the operators embed an OLE Package object within a PowerPoint slideshow. When displayed as an animation, the object is executed while the slideshow is viewed, a technique that has been previously described (for more detail, see Appendix A: Dropper Doc 1 & Appendix A: Dropper Doc 3). In this case the user is presented with a prompt asking whether they wish to run the object.
Figure 6: The malicious executable within the PowerPoint slideshow, when viewed in edit mode. A victim double clicking on the slideshow would not be shown the object.
In the assadcrimes1.ppsx, the operator has created a PowerPoint file that leverages CVE-2014-4114, a vulnerability in the OLE packager component of the Windows operating system (See Appendix A: Dropper Doc 2).
Decoy Applications
The operators have also created a decoy application, hosted on assadcrimes[.]info, that displays images of child victims of the 2013 Ghouta Chemical Attacks. When executed, the application silently decrypts and drops the malware (See Appendix A: Decoy Dropper 4).
The RATs
The operators use these techniques to deliver two commonly available Remote Access Trojans (RATs): njRat and NanoCore RAT. In both cases, Group5 disguised the malicious binaries with several layers of obfuscation, including crypting and packing to reduce the possibility of detection by antivirus software.
Both RATs provide a wide range of functionality on the target machine, ranging from collecting files, watching the screen, to capturing passwords and keystrokes. The RATs also enable the operator to remotely delete files, and spy on the computer user via the microphone or webcam.
Figure 7 : Screenshot of njRAT working, and accessing the victim’s files.
Antivirus Detection
On July 26, 2016 we conducted a VirusTotal search for the MD5 hashes of each of the files encountered during this operation. The results, provided in Appendix D: File Hashes, were consistent with a highly focused or targeted operation in that only two of the 16 (12.5%) unique MD5s were found.
Part 4: The Android Malware
While examining assadcrimes[.]info, we determined that the site was also hosting a decoy Flash Player update page. This page, located on a subdomain, included a download link to a malicious Android APK. For a full analysis of this malware see Appendix B: Android Malware.
While examining the website we found that the operators had prepared Android malware masquerading as an Adobe Flash Player update notification. Clicking on the “Update” link (See Figure 8) downloads a malicious file, masquerading as a software update.
Figure 8: Screenshot from the subdomain that was used to host the fake Flash Player update page.
The APK is an instance of DroidJack. According to Symantec, this malware evolved from an older codebase known as SandroRAT. The RAT provides a wide range of functionality, enabling the operator to capture messages, contacts, photos and other materials from the device. In addition, DroidJack can also remotely activate the phone camera and microphone, without notifying the victim. Figure 9 shows some of the functionality available.
Figure 9: DroidJack server list of commands.
A more extensive analysis of the DroidJack malware, can be found in Appendix B: Android Malware. Interestingly, DroidJack has also emerged recently, bundled with versions of Pokémon Go.
This approach to mobile malware seeding, while cumbersome, might be assumed to have greater success in the target group of Syrians than other populations. It is common for Syrians to share Android APK files outside the Google Play Store, as Google Play Services are not available within Syria. This practice carries over to the Syrian diaspora in other countries, despite the availability of Google Play. As a result, we suspect that most devices are set to accept APK files from unknown developers.
Part 5: Attribution
Group5 left a number of clues as to their origin and identity, including the tools they used, where they hosted their website and C2, and how they accessed the website. Notably, Group5 may have also been using a customized version of an Iranian obfuscation tool.
This section provides an overview of the clues left by Group5 on the website, and in the malware. First, we analyze logs that the operator mistakenly left publicly visible on the assadcrimes[.]info website. These logs include not only the visitors to the site, but also the IP addresses and user agent strings that belong to the operator as she or he logged into the site during the development phase. These artifacts provide interesting clues as to the operator’s identity and operational security practices, such as using a VPN, and suggest a strong Iranian nexus.
Second, we note the use of Persian-language tools in Group5, from the mailer to the packer.
Finally, we analyze a recurrent theme in the binaries: “Mr. Tekide” – a name that appears regularly in the implants. We link this name to the Iranian developer of a series of malware tools, several of which were used in this operation. Additionally, we examine the circumstantial evidence connecting this developer to Group5’s activities.
Unprotected Logs
Several key directories on the assadcrimes[.]info site were left as public, including a folder containing the website logs, a feature Group5 seems to have enabled early in the operation. These logs date to the early development and operation of the website, and reveal interesting clues about operator origin and operational security.
After processing the logs to remove crawlers belonging to Google, Bing, Yandex and others, we scrutinized the logs of the site for evidence of victims, but were unable to locate any victim IPs with high confidence.
Identifying the Operator from Website Logs
While the logs provided few clues as to victims, they proved to be exceptionally useful for identifying the IP addresses used by Group5 as they developed the site. Looking at the earliest logs in the set, from October 11, 2015, we find the operator accessing the site hourly from an Iranian IP block as the development continues.
Figure 10: Screenshot of 11th October 2015 log, showing list of IP’s and referrer from hostnegar[.]com
The first logged visits to the site come from the IP address 37.137.131[.]70, which belongs to a block registered to ‘Rightel Communication’, an Iranian mobile phone network operator.
inetnum: 37.137.128[.]0 – 37.137.255[.]255
netname: RighTel
descr: “Rightel Communication Service Company PJS”
country: IR
admin-c: RP12366-RIPE
tech-c: RP12366-RIPE
status: ASSIGNED PA
mnt-by: TA59784-MNT
created: 2013-08-20T11:13:17Z
last-modified: 2014-05-17T05:28:10Z
source: RIPEperson: RighTel PJS
address: 9th floor, Chooka Building, No 8 , west Armaghan Street, Vali-e-Asr Street
(After Niayesh Highway), Tehran, Iran
phone: + 982127654530
nic-hdl: RP12366-RIPE
mnt-by: TA59784-MNT
created: 2014-05-17T05:23:47Z
last-modified: 2014-05-17T05:23:47Z
source: RIPE
Further confirming the link is that the operator’s traffic includes a referrer from the Iranian hosting company (hostnegar[.]com) for the site.
Figure 11: Hostnegar’s login page
Tracing the operator through an initial UserAgent string (a version of Windows NT 6.3)2 and IP address, we found them accessing the site from an iPhone, other Iranian IP addresses, as well as VPNs.
Figure 12: User agents for the site owner, accessing the website from Iranian IPs and VPN.
Additionally, the operator accessed the site directly from the malware’s C2 server (88.198.222[.]163).
Figure 13 : User agents for the site owner, accessing the website from the C2, and using VPNs.
These links provide evidence for an Iranian nexus, and suggest that the operator may have been taking steps to conceal their true origin IP. However, these steps were not well executed, which enabled us to track Group5 as they continued to access the site.
Interestingly, after the flurry of activity in October 2015, by November-December the operator accessed the site only 7 times, and between January-February 2016 only twice (it is possible we have missed some access attempts that appear to be innocuous traffic). We concluded from this that Group5 may have stepped back from the site at some point after the New Year.
A Persian-language Mailer
Before the assadcrimes[.]info page was fully populated with decoy content, we found that the site was hosting a Persian-language mailer (See Figure 14 below). We were not able to determine how the mailer was being used by Group5, as it was not observed sending any of the e-mails we were able to analyze.
Figure 14: A screenshot for the mailer as it was on October 4, 2015.
Links to Known Threat Actors
Group5 appears to have used only a single shared web hosting provider and a single command and control IP address for this operation. We are unsure whether this strategy was the product of limited resources, an effort to compartmentalise the operation from other activities, or simply a highly targeted operation with a specific focus.
The narrow infrastructure and small number of observed targets limited our search base for potential infrastructure overlap with known groups. In a holistic evaluation of the campaign, we failed to identify links with the TTPs of previously documented threat actors or groups active in Syria. We also failed to find a link in searches of malware databases and open source searching.
On the level of TTPs, superficially there is similarity between this group and other active groups originating in Iran. The group multiply documented by Palo Alto Networks, which they call “Infy,” is also known to use PowerPoint files in their targeting, although we found no overlap in infrastructure. Furthermore, their targeting (according to what Palo Alto Networks has said publicly) is slightly different, and involved PowerPoint 97-2003 documents (not PPSX files) during the same period in which Group5 was using a different tactic.
We cannot not rule out the possibility that a known group is behind this operation, and that we missed or lacked access to a key piece of evidence that would link such a group to Group5’s infrastructure or tools. One interesting direction for further investigation came from analysis of the tool used to obfuscate the RATs, which yielded a number of interesting connections to known threat actors and tools. Notably, the PAC Crypt tool, and Mr. Tekide, the alias of an Iranian malware developer.
PAC Crypt
Commonly used in malware campaigns, crypters are programs which are designed to disguise the underlying malicious binary by hiding it within a layer of obfuscation which is then deobfuscated at the time of execution. In this way, crypting a malicious binary provides a level of protection against signature-based endpoint security tools such as antivirus. In Appendix A we describe the discovery of a series of strings which suggest that both the njRAT and NanoCore RAT payloads were built, and then subsequently obfuscated using a crypter tool named ‘PAC Crypt’.
Careful inspection revealed that the crypter in this case had been compiled in debug mode, thus preserving PDB reference data. PDB file references are common in .Net applications when compiled in ‘debug’ mode, and they frequently reveal the original file path of the application source code on the developer’s computer.
Below are the PDB strings discovered when examining the ‘crypted’ njRAT and NanoCore files:
Reference: Doc Dropper 1 Crypter
MD5: a4f1f4921bb11ff9d22fad89b19b155d
Compile Time: 9/30/2015 00:02:51
c:\users\mr.tekide\documents\visual studio 2013\projects\paccryptnano core dehgani -vds\windowsapplication2\obj\debug\launch manager.pdb
Reference: Doc Dropper 3 Crypter
MD5:6161083021b695814434450c1882f9f3
Compile Time: 10/6/2015 02:13:45
C:\Users\mr.tekide\Documents\Visual Studio 2013\Projects\paccrypt11njratmalii\paccryptalipnahzade\obj\Debug\LManager.pdb
These PDB strings reveal two facts relevant to the discussion of attribution. The first is that the username of the individual who compiled the .Net application in both cases was ‘mr.tekide’. The second is that in both PDB strings we find not only a reference to the malware crypter used (a tool called ‘PAC Crypt’), but also an explicit reference to the crypted malware payloads – ‘nano core’ and ‘njrat’.
These two facts together suggest that an individual having the username ‘mr.tekide’ compiled a copy of PAC Crypt for specific projects involving njRAT and NanoCore RAT.
A common usage scenario for a malware crypter involves an operator purchasing a copy of the crypter in a compiled form (or using a cracked version), then using the crypter to obfuscate the malware executable which is to be distributed. In this scenario the developer of the crypter has no knowledge of what specific malware the threat actor will eventually choose to encrypt with the purchased copy of the crypter.
The fact that the ‘PAC Crypt’ PDB strings discovered in this case contained the ‘njrat’ and ‘nano core’ references is therefore noteworthy because it indicates the possibility of prior knowledge of the precise malware payload which was to be crypted.
Research into the PAC Crypt tool revealed that this program is developed and sold by an Iranian malware developer known as ‘Mr. Tekide’.
Mr. Tekide
Mr. Tekide is the online alias of an Iranian malware developer who is also the administrator of the website http://crypter[.]ir, an Iranian hacking forum and online shop. Notably, this storefront offers various hacking tools and services, including the aforementioned ‘PAC Crypt’ (see figure 15 below).
Figure 15: Crypter[.]ir main page (left), and contact page (right)
In addition to the crypter[.]ir forum and shop, Mr. Tekide appears to be in the midst of creating a new online storefront for selling his various malware tools and services. The content shown in Figure 16 below, obtained from http://crypting[.]org, shows a ‘rat service’ being offered to visitors. The store also touts a Windows Rootkit (“coming soon”) and various ‘exploits.’
Figure 16: Crypting[.]org main page (left), list of hacking services offered (right)
Mr. Tekide also maintains an active presence as a moderator on the Ashiyane forums,3 an Iranian security discussion board run by the Ashiyane Digital Security Team (ADST). The ADST is a well-known Iranian security and hacking group which has earned notoriety for its prolific website defacement activities. These defacements invariably contain a list of ADST ‘defacers’ alongside the phrase ‘We Love Iran’.
Web site defacements conducted by ADST have explicitly named Mr. Tekide as a member, as shown in Figure 17 below.
Figure 17: an Ashiyane Digital Security Team defacement page, naming Mr. Tekide
In addition to its defacement activities, ADST has been recently linked to the indictment by the US Department of Justice of seven Iranian nationals for cyber attacks against the US financial sector. In its indictment, the Department of Justice alleges that members of two Iranian security companies, ITSecTeam and Mersad Company, were responsible for Distributed-denial-of- Service (DDoS) attacks against numerous US bank websites between September 2012 and May 2013. The DoJ indictment also describes that Mersad was founded by members of the ADST, and furthermore that ADST had made prior public claims regarding its activities on behalf of the Iranian Government.
Additional open source information about Mr. Tekide is included in Appendix C: Mr. Tekide.
A Consistent Iranian Nexus
We cannot conclude with certainty that Group5 is Iran-based, although the confluence of information outlined above provides a circumstantial case. The IP addresses observed during early stages of development of the Assadcrimes website, as well as the Iranian hosting provider and the Persian language mailer, all speak to a level of Iranian presence. The additional apparent involvement of an Iranian malware developer with ties to a known Iranian cyber actor, whether his involvement was unwitting or intentional, only strengthens the Iranian connection.
Part 6: Analysis of Competing Hypotheses
This section evaluates several competing hypotheses for explaining the identity of the operator. While we cannot conclusively support one of these hypotheses, we think the most plausible is that this operation is the work of an Iranian group newly active in Syria.
We believe we found Group5 fairly early in the process of preparing a larger malware campaign, thanks to Noura Al-Ameer’s vigilance. This gave us unique visibility into some of their staging, but we had only a limited view of other possible targeting. Group5’s reliance on a narrow infrastructure limited our ability to connect the operation to other known groups, as discussed above.
With these caveats and limitations in mind, we outline the known elements of the operation, and evaluate several hypotheses: (Hypothesis 1) an Iranian group newly active in Syria; (Hypothesis 2) that the operation is from known regime-linked groups, like the Syrian malware groups; and (Hypothesis 3) that it is from some other unknown group. After addressing the fit of each hypothesis with available evidence, we provide an overall evaluation of the three, and conclude that Hypothesis 1 provides the best explanation for what we have observed.
Hypothesis 1: Iranian Group Newly Active in Syria
A group previously unreported in Syria with uneven skills but displaying thought and care in selecting the target, and preparing the operation, with an Iranian nexus and a possible government connection.
Previously Unseen in Syria: We have been unable to find a high-confidence overlap in infrastructure or malware to previously-reported groups active around Syria. We also had difficulty connecting the operation to other known groups in the global threat actor space. Furthermore, the use of exploits, as well as DroidJack and other tools, is inconsistent with the TTPs of known groups targeting the Syrian opposition, especially the regime-linked groups. Notably, these groups have shown little ability or appetite for: (a) standing up multifaceted seeding websites; (b) targeting Android users; (c) using exploits in PowerPoint files.
Previously reported groups, especially regime-linked groups, have had a tendency to re-use infrastructure, and repurpose similar tools and approaches. It would be surprising for them to suddenly abandon tactics that still “work,” and cease using a C2 infrastructure that cannot be taken down (because it is inside Syria).
While Group5’s tactics have more in common with the group reported in this FireEye report, such as the use of a fake website, COTS .Net malware, and Android malware, there is no direct infrastructure or tool overlap, and only limited evidence of social engineering sophistication (e.g. the use of avatars).
Furthermore, the lack of technical sophistication, combined with low operational security, suggest that, had this group been previously active for any length of time, it would have run the risk of discovery, perhaps especially given all of the existing reporting about pro-Regime malware groups in Syria.
Uneven Technical Sophistication: The operators showed familiarity with a range of cybercrime tools, yet also committed a range of operational security oversights, such as leaving their logs open and public-facing, connecting via their C2 server, and leaving debugging strings in compiled files. These characteristics would be inconsistent with the work of an in-house government capability.
Iranian Connection: Analysis of the malware and seeding yields a consistent Iranian presence. The binary contains Iranian and Iranian-Persian traces, as do the tools used for obfuscation, which are popular in Iranian cybercrime forums. Similarly, the mailer discovered on the assadcrimes[.]info website is in Persian. There is also the intriguing, but ultimately unproven speculation that the crypter may have been sold to Group5 by a known Iranian malware developer. Furthermore, logs of access to the assadcrimes[.]info site suggest that the operators are working from within Iranian IP space. In addition, the bait content also contains substantial Iranian themes. Finally, the hosting provider (Hostnegar) is Iranian. A final piece of highly circumstantial evidence is that PowerPoint documents containing exploits, albeit often with quite different (and sometimes custom) malware, is a commonly reported feature of many recently-reported Iranian campaigns.
Targeting Sophistication: Group5 not only targeted a well-connected individual within the Syrian opposition, but also masqueraded as her to register the assadcrimes[.]info site. Both the site and the bait content also indicate a degree of familiarity with the opposition’s concerns and activities, and their targeting indicates they were targeting a key person in opposition politics and multilateral negotiations, yet not highly visible outside of informed circles. Speculatively, the choice of target is indicative of the interests and resources of a state-level actor, or a group receiving direction or providing information to such an actor. A number of governments and non-state actors in the region have an interest in the workings of the opposition, and several are providing direct or indirect support to the Assad Regime. We discuss this possibility in greater detail below in Evaluating Hypotheses.
Hypothesis 2: Known Regime-Linked Group
A known Regime-linked group has modified its tactics to operate against familiar targets
Familiar Targets: The most widely documented threat against the Syrian opposition comes from regime-linked groups, notably malware groups and the Syrian Electronic Army (to a lesser degree). These groups benefit from known links to the regime of Bashar al-Assad, which has a direct and strong interest in monitoring members of the Syrian Opposition, including the groups apparently targeted in this operation. We are familiar with previous operations by regime-linked groups targeting the same organizations.
Modified Tactics: We cannot rule out the possibility that existing groups have added a range of new TTPs to their existing set as the conflict continues.
Regime-linked groups certainly have the motivation to conduct this operation. Do known groups have the skills to conduct such an operation? There are a range of features of this operation that suggest Group5 may not be a regime-linked group. First, known regime-linked Syrian groups have tended to use a limited set of C2 servers, almost always with at least one server (or a fallback) located within a narrow set of servers within Syria. Group5 does not have a fallback C2 in Syria. Similarly, the servers that Group5 does use are not from companies previously associated with Syrian regime groups, nor is there any prior evidence of regime-linked groups making use of Persian-language tools, or Iranian IP space. Further, known Syrian groups have been active for almost 5 years without evidence of familiarity with PPSX exploits. It is unclear why they would deploy so many new tactics all at once, even they continue to gently iterate on techniques familiar to them.
Other Syria-Focused Groups? In the introduction we mentioned two other groups that have previously targeted the Syrian opposition: a Lebanon-linked group uncovered in 2014, and an ISIS-linked operation in 2015. The first group, described in a 2015 FireEye Report, coauthored by one of the authors of this report, conducted an extensive campaign against the Syrian opposition. The campaign relied heavily on Arabic-speaking female avatars to flirt with opposition figures and trick them into downloading malware for Windows or Android. That campaign, however, differed in malware tools, infrastructure, and social engineering style from Group5. In addition, it lacked any Persian-language elements, or connection to Iranian IP space.
In late 2014 a Citizen Lab report coauthored by one of the authors of this report, identified a malware operation linked to ISIS that targeted Raqqa is Being Slaughtered Silently, a documentation and media group working to uncover human rights abuses in Raqqa and other ISIS-controlled territories. That malware was apparently custom-made but very unsophisticated. Lacking the functionality of a RAT, and exfiltrating via e-mail, the operation was substantially less sophisticated than Group5’s activities. We think it unlikely that the operator behind that malware has (a) grown much more sophisticated, or (b) begun to rely on Iranian tools and hosting providers.
Hypothesis 3: Other Unknown Group
An unknown group, not located in Iran and not linked to prior groups
It is possible that the operation is the work of some other unknown group. One possibility that we consider is that the operation is a false flag from another state sponsor, deliberately crafted to appear to be an Iranian group. In another, we also consider the other common motivations for such operations, including financial crime.
A False Flag: Certainly, many other governments are actively interested in information about the Syrian opposition. Given the extensive circumstantial evidence strewn throughout the operation that points to a group based in Iran, one possibility we consider is that the operators are deliberately masquerading as an Iranian group, while acting on behalf of another sponsor.
In such a scenario, each of the pieces of circumstantial evidence we have assembled is a string of deliberately planted artifacts, intended to deflect from the threat actor’s true identity. This hypothesis is an intriguing possibility that cannot be conclusively ruled out. However, it is worth asking why, given the noisiness of existing groups targeting the Syrian opposition, a false flag operation would not simply be populated with the many publicly reported strings and other tools associated with pro-regime groups. Similarly, we wonder why a threat actor sophisticated enough to mount such an operation would not also have used more sophisticated malware or seeding techniques.
Financial / Commercial Hacking: We find no evidence to suggest that financial crime or commercial espionage played a part in this operation. For a narrowly focused operation, the targeting, for example, does not appear to be geared tow