SenseCy 2015 Annual Cyber Threat Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.

The following is an excerpt from the report. To receive a copy, please send a request to: info@sensecy.com

Executive Summary

2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.

Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.

Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).

Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.

Insights

The following are several of our insights regarding activities in different cyber arenas this past year:

Islamic Hacktivism

During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.

Trade on Russian Underground Forums

The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.

Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.

Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.

Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.

Exploits and exploit kits on the Russian underground

Exploits and exploit kits on the Russian underground

The English-Language Underground

Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.

The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.

Sales of hacking tools in the English-language underground

Sales of hacking tools in the English-language underground

The Iranian Underground

With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.

One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.

Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.

That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

ISIS – Cyber-Jihad

On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.

Is There A New njRAT Out There?

The answer to this question is Yes and No (or Probably Not).

Recently, we noticed a heated debate among Arabic-speaking hackers regarding rumors about a new njRAT version, dubbed v0.8d. Some doubted the credibility of the report, cautioning that the new version was probably a fake that would infect everyone who tried to use it. They also claimed that the original njRAT programmer, njq8, had stopped updating it.

Notwithstanding, there is a tutorial with a download link that shows the features of the new version. The video was published on several YouTube accounts and some of them linked the new version to an unknown hacker called Naseer2012 (whose name is similar to njq8‘s real name). In addition, this new njRAT version has aroused interest among Portuguese-speaking hackers, raising assumptions that the njRAT v0.8d developer is actually “Ajnabi” (foreign in Arabic).

The allegedly new njRAT version piqued our curiosity, so we downloaded it from the tutorial. First, the GUI of the new version closely resembles njRAT v0.7d. In addition, our technical analysis revealed that it belongs to the njRAT malware family, based on its Imphash (hash based on portable executable imports that are the functions of the specific malware) and its network signature.

However, it does not have any unique capabilities that distinguish it from the old 0.7d version. Its capabilities, according to our technical analysis, are keylogging, remote shell, remote desktop, password recovery, registry manager, file manager, remote webcam, microphone control, download & execute and DDoS. Unlike njRAT v0.7d, this malware does not have any security features, other than change icon. It can be spread by USB.

njrat

njRAT v0.8d user interface

Notably, the fact that Naseer2012 thanks njq8 suggests it this not an official upgraded version of the njRAT malware developed by the original programmer.

njrat2

Naseer2012 thanks njq8

Since the source code of the worm version of the famous njRAT malware (Njw0rm) was leaked in May 2013, many hackers have developed new malware under different names with numerous capabilities, security features and propagation protocols. However, they all have a common behavior pattern, since they are based on the same source code. In addition, our technical analysis of different RAT malware samples that we detected during 2015 revealed that almost a dozen of them belong to the njRAT family.

So we can all relax as there is no new official njRAT version, but rather a new GUI and new technical indicators of another njRAT-based malware sample.

The following is a YARA rule based on our technical analysis:

rule njrat_08d
{
meta:
author = “SenseCy”
date = “23-12-2015”
description = “Njrat v0.8d”
sample_filetype = “exe”

strings:
$string0 = “U0VFX01BU0tfTk9aT05FQ0hFQ0tT” wide
$string1 = “netsh firewall delete allowedprogram” wide
$string2 = “netsh firewall add allowedprogram” wide
$string3 = “cmd.exe /k ping 0 & del” wide
$string4 = “&explorer /root,\”%CD%” wide
$string5 = “WScript.Shell” wide
$string6 = “Microsoft.VisualBasic.CompilerServices”
$string7 = “_CorExeMain”
$string8 = { 6d 73 63 6f 72 65 65 2e 64 6c 6c }

condition:
all of them
}

The following are technical indicators of njRAT v0.8d stub files that we created in our technical lab:

MD5: 2c7ab4b9bf505e9aa7205530d3241319
SHA1: 31112340c4f36c7153bef274f217726c75779eaf
MD5: 620c8dc42dcad7d8e72dd17ac2fa06a1
SHA1: d88907822d7d7f14347059ba0b85d9f7d50a6d7a

2015 Activity Timeline: Allegedly ISIS-Affiliated Cyber-Attacks

What are the real ISIS capabilities in the cyber domain?

Any ISIS activities become a hot topic after destructive events organized by the Islamic State (IS) during 2015. The whole world is concerned about ISIS plans and afraid of another bloody attacks.

One of the most discussed topic is the Islamic State offensive capabilities in the cyber space. In 2015 various organizations were hit by a number of cyber-attacks allegedly launched by IS hackers. Nevertheless, some cyber security experts presume that a sophisticated group of Russian hackers stands behind the attacks against a French TV station in April 2015 and the hijacking of the CENTCOM Twitter account in January 2015. Anyway, let’s have a look at the timeline of cyber-attacks that are related to ISIS in 2015. Investigate the Infographic. We will appreciate your opinion regarding ISIS cyber capabilities.

Infographic_ISIS

During January 2016 we will publish our annual Cyber Threat Intelligence report, in which you could find fascinating information regarding ISIS cyber activities, recent developments in the Russian underground, technical analysis of self-developed malicious tools that we identified this year, new trends in Darknet platforms, and more.

Does the Islamic State have Offensive Cyber Capabilities?

The short answer to this question is another question – does it really matter? What is more important is their ever-growing desire and motivation to obtain and develop offensive capabilities in cyber-space.

There has been debate among security experts on this matter since the Islamic State (IS) started operating in the cyber domain. On the one hand, some argue that IS hackers have already proven their ability to launch successful cyber-attacks and now they are attempting to carry out meaningful attacks against critical infrastructures (with no success thus far).

On the other hand, an emerging theory suggests that attacks previously associated with IS were actually perpetrated by a sophisticated group of Russian hackers. In other words, the alleged attacks against a French TV station in April 2015, the hijacking of the CENTCOM Twitter account in January 2015 and others were the work of a Russian APT group, and not the IS-affiliated “Cyber Caliphate.”

But again – does it really matter? We can say with a high degree of certainty that IS as a terror organization is trying to develop cyber capabilities. We received a strong indication of this trend in late August 2015, when a US drone strike killed a British IS cyber expert.

Even before that, in early 2014, we had heard of so-called cyber operations conducted by the Al-Qaeda Electronic Army (AQEA, or AQECA – the Al-Qaeda Electronic Cyber Army) against US government websites.

We assess that at the moment IS hacking entities (such as “Cyber Caliphate” or the Islamic Cyber Army – ICA) do not have high technical capabilities. That said, we should not underestimate the Islamic State’s attempts to develop an offensive cyber capability. An analysis of IS publications reveals a clear increase in the motivation of IS-inspired hackers to wage attacks against high-profile Western targets.

A concerning development in this aspect would be indications of the purchasing of attack tools and malware from highly sophisticated cyber criminals. Taking into consideration the clear intentions expressed by IS in relation to executing cyber-attacks against the West, such tools could be directed at critical infrastructures, sensitive organizations, government agencies and more.

Ashley Madison Hack – Review and Implications

On July 12, 2015, the IT-systems of Ashley Madison (owned by Avid Life Media), a Canada-based online dating service for married people, were hacked. The attackers, who call themselves Impact Team, released a message claiming they had taken control over all of the company’s systems and extracted databases containing client details, source codes, email correspondence and more.According to the message, the attack occurred in response to Ashley Madison‘s exposure of its clients – although the company offered and charged clients for a full profile deletion, this, in fact, was never carried out. Impact Team demanded that Ashley Madison and another website owned by Avid Life Media (ALM) cease their activity and shut down in 30 days, otherwise all stolen data would be published.

One month later, on August 16, 2015, Impact Team realized its threats – a link for downloading the data was posted on a password-protected hacking forum on the Darknet. The leaked data contained details of 37 million Ashley Madison users. Additionally, the attackers released data, containing mostly internal company information, in two additional stages.

The message containing the link for downloading the data stolen in the Ashley Madison hack

The message containing the link for downloading the data stolen in the Ashley Madison hack

The Attack

The infiltration vector used by the attackers is not known. According to ex-Ashley Madison CEO, the attack was performed by a provider or a former employee who possessed legitimate login credentials. Apparently, as in an APT attack, Impact Team had access to the company systems for a long period of time. They stated that they had collected information for years and that the attack started long before the data was exposed.

In an email interview with members of Impact Team, they said “they worked hard to make a fully undetectable attack, then got in and found nothing to bypass – Nobody was watching. No security. The only thing was a segmented network. You could use Pass1234 from the internet to VPN to root on all servers.

The Leaked Data

Despite the fact that Ashley Madison maintained a low security level on its systems, the clients data was stored with many more precautions – full credit card data was not stored, but instead only the last four digits, in accordance with the company’s declared policy. Nevertheless, information about payments that contained names and addresses of the clients were stored and later used by cybercriminals.

The passwords of Ashley Madison‘s clients were encrypted using a bcrypt algorithm, which is considered to be extremely strong. Another security measure taken by the company was the separation of databases for email addresses and passwords. However, an error in one of the exposed source codes enabled the decryption of 11 million passwords in only 10 days. A security researcher decrypted another 4,000 “strongly encrypted” passwords, due to the fact that they were widely used passwords.

The ten most common Ashley Madison cracked passwords encrypted in a bcrypt algorithm

The ten most common Ashley Madison cracked passwords encrypted in a bcrypt algorithm

Moreover, Ashley Madison saved IP addresses of its users for as long as five years. Thus, almost every user behind each profile can be identified.

The Consequences

The release of the data led to numerous discussions on hacking forums regarding ways to exploit the data. Some hackers focused on extortion schemes, while others offered to initiate spear-phishing attacks based on the leaked data.

Darknet forum member explains how to look for users by their corporate email address

Darknet forum member explains how to look for users by their corporate email address

In other attack reported by TrendMicro, hackers distributed email messages allegedly from Impact Team or law firms. They asked for money in exchange for removing the recipient’s name from the leak or for initiating a class action lawsuit against Ashley Madison.

A fraud email message allegedly sent by Impact Team

A fraud email message allegedly sent by Impact Team

Besides financial damage, according to press publications, three people committed suicide after the leaked data was released.

Moreover, not only its clients, but the company itself suffered damage because of the exposure of confidential information. Exposure of internal correspondence of Ashley Madison‘s executives revealed the company’s improper business activity, such as hacking into its competitors systems, creating fake profiles on its website and more. Finally, Ashley Madison’s financial losses are estimated at more than 200 million dollars, since the company was about to launch an initial public offering later this year.

Conclusions

Analysis of the leaked email correspondence of Ashley Madison‘s executives demonstrates that they were fully aware of the importance of cyber security measures. In the beginning of 2012, following the cyber-attack on the Grinder mobile application, the company’s then-CTO expressed his concerns regarding passwords that were stored fully unencrypted. Later in 2012, an encryption for passwords was initiated. On another occasion, after the email correspondence leak of General Petraeus, an employee suggested implementing an encrypted email service for Ashley Madison users. Despite the severity of the hack, several measures taken by the company, such as the encryption of the users’ passwords, reduced the damage caused by the leak. Nevertheless, the encryption, even a strong one such as bcrypt, is not enough and a password complexity policy should be implemented in the organization. Using strong passwords, maintaining different and complex passwords for the high-privileged accounts of the IT systems and restricting the access to these accounts will limit the attackers’ ability to move laterally in the organization’s network and take control of it.

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.

ORX Team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.

Ransomware

When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.

The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.

When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.

ORX-Locker payment platform, which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
{
meta:
author = “SenseCy”
date = “30/08/15”
description = “ORXLocker_yara_rule”

strings:
$string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
$string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
$string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
$string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
$string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
$string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
$string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
$string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
$string8 = “ttp://4rhfxsrzmzilheyj.onion/get.php?a=” wide
$string9 = “\\Payment-Instructions.htm” wide

condition:
all of them
}