Source Code of Ratopak/Pegasus Spyware Targeting the Financial Sector Recently Leaked

On July 6, 2018, a post claiming to contain the source code of Carbanak group malware was published on a Russian-speaking underground forum. Soon after the code was shared on the Russian underground, an unknown actor uploaded it to the text-sharing platform Pastebin, making it accessible to all. At the same time, malware researchers analyzing the shared code discovered that it is not malware used by the Carbanak group at all, but rather the Ratopak/Pegasus spyware used in attacks against Russian banks in 2016.

The Leaked Spyware

The leaked Ratopak/Pegasus code is a tool set for generating fraudulent payment requests. Its components include a remote access Trojan (RAT) used for credential harvesting, server message block (SMB) named-pipe communication, a module for intercepting data exchanges with KBR (a Russian payment system), and a modified version of the post-exploitation tool Mimikatz.

The leaked malware was eventually attributed to the Buhtrap group after researchers reviewed a code-signing certificate found in a binary included in the leak. The same certificate had previously been used by the Buhtrap group in a 2016 attack against Russian bank employees.

The certificate found in the leaked files

Later, additional similarities between the leaked source code and the Buhtrap group were discovered. When compared, the leaked code, dubbed Pegasus, shares identical code sections with Buhtrap’s Ratopak Trojan, as well as domains used across the different campaigns.

Findings confirming the Pegasus malware connection to the Buhtrap group

Although the malware was ostensibly developed by the Buhtrap group, its key members were arrested in Russia in 2016, so it is likely that the malware was sold to a different cyber-criminal group after the arrests. Since the malware supposedly changed hands, it is unclear whether the leaked data originated from a Buhtrap group member or from the cyber-criminal group or individual threat actor who purchased the malware.

Analysis of the Leaked Data

The leaked data was stored in a password-protected archive called “group_ib_smart_boys.” The name suggests the threat actors are aware of the Group-IB security company’s success at detecting cyber-attacks against Russian banks, and demonstrates their attempt to challenge that achievement. The leaked archive consisted of a variety of files containing code written in programming languages ranging from Assembly to C++, along with documentation of tools and instructions collected as part of former operations. The data was organized within four folders – bck_check, cvs_check, gen_payments_script and Pegasus. While bck_check contained parsing logs and gen_payments_script contained a PHP script for generating credible fake metadata, the most interesting content was found in the other two folders.

The four folders comprising the leak

The cvs_banks folder contained intelligence and meticulous instructions for numerous attacks against a range of banks in Russia. The information included the personal details of thousands of key bank employees (email addresses, phone numbers and positions within the bank), directory dumps from previous breaches of banks’ internal systems, a guide to evading anti-fraud security products, instructions on how bank fraud-detection systems operate, and fraudulent payment tutorials.

An example of the bank personnel information found in the leak

The Pegasus folder contained the source code of a Trojan. The Trojan uses process hollowing, abusing the ‘MapViewOfSection’ API, to inject its code into an svchost.exe process for self-installation. Upon installation, the Trojan scans the victim’s device for Russian accounting software. If any is found, the malware attempts to inject code into its running executables by a different technique, based on the ‘WriteProcessMemory’ API. Aside from the self-installation and accounting-software scanning, the malware also contains an updated, customized version of the credential-harvesting Mimikatz tool and a spreading module for lateral movement in the victim’s network. The spreading module uses numerous techniques, such as WSH Remote, PowerShell, RDP scripts, SCM, etc. Of note, the custom version of Mimikatz that appears in the leak only affects older versions of Windows, before Windows 8.1. It was also revealed that the group’s malware is built to be modified, suggesting that each operation uses a different set of malware features, chosen according to the targeted individuals and organization.
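The self-installation step described above (hollowing an svchost.exe process) leaves a well-known trace in process-creation telemetry: a genuine svchost.exe is started by services.exe, from System32 or SysWOW64, with a `-k <service group>` argument. The following detection heuristic is an added example, not code from the leak or from the original post; the event lines are constructed in a Sysmon-like `key=value` layout and the field names are assumptions.

```python
# Added example: flag svchost.exe launches that look like process hollowing
# or masquerading. Not code from the leak or from the original post.
import re
from typing import Dict, List

# Constructed sample events (not real logs), one process-creation event per line.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine="svchost.exe -k netsvcs"
Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Users\\ivan\\AppData\\Local\\Temp\\invoice.exe CommandLine="svchost.exe"
Image=C:\\Users\\ivan\\AppData\\Roaming\\svchost.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="svchost.exe"
Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Baseline for a legitimate svchost.exe; tune to your environment (assumed defaults).
EXPECTED_PARENTS = {"c:\\windows\\system32\\services.exe"}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def hollowing_indicators(event: Dict[str, str]) -> List[str]:
    """Return the reasons an svchost.exe launch deviates from the baseline ([] if benign or not svchost)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("\\svchost.exe"):
        return []
    reasons = []
    if not image.startswith(EXPECTED_DIRS):
        reasons.append("svchost.exe outside System32/SysWOW64")
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if "-k " not in event.get("CommandLine", ""):
        reasons.append("missing -k service group argument")
    return reasons

def scan(events_text: str) -> List[Dict[str, object]]:
    """Run the heuristic over every event line and collect the suspicious ones."""
    findings = []
    for line in events_text.splitlines():
        event = parse_event(line)
        reasons = hollowing_indicators(event)
        if reasons:
            findings.append({"image": event["Image"], "parent": event["ParentImage"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parent and path checks cover the hollowing self-installation only; the later ‘WriteProcessMemory’ injection into accounting software needs cross-process memory-write or thread-creation telemetry rather than process-creation events.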

Among their malware resources, the group uses two relatively old Microsoft Windows server privilege escalation vulnerabilities (CVE-2015-0057 and CVE-2015-1701). Judging from a “To Do List” found in the leak, the threat actors were planning to add scans to their malware in order to avoid machines already patched against these vulnerabilities.

The Threat Actor Who Published the Leak

According to the media, the leak was published on an English-speaking forum on July 7, 2018, by an actor named FR3D. However, using our sources, we managed to detect an earlier publication of the leak in the Russian-speaking underground.

A threat actor named Bobby.Axelrod was the first to publish the leaked data, on two different Russian-speaking underground forums, on July 6, 2018. He appears to be the original source of the leak, as he registered on both forums on the day of the publication and posted only twice: once with the links for downloading the materials, and once with a post titled “PIR Bank Lost 58 million Rubles in a Cyber-Attack,” referring to an attack in early July 2018 attributed to the MoneyTaker group, which operates against banks in the US, the UK, and Russia. The content of this post concerns the AWS CBR (Automated Work Station Client of the Russian Central Bank). Based on these two posts, we assume this threat actor is linking the leak to the attack, claiming the leaked malware was used in this recent attack and attributing it to the MoneyTaker attack group.

The publication received numerous replies from forum members, mostly commenting on the sensitivity of the materials and speculating that they were most likely provided by insiders familiar with the Russian banking system. Since attacks against Russian banks are not welcomed on Russian underground forums, we witnessed very restrained replies to the publication. However, we believe that numerous threat actors will use the malware in future attacks after modifying and upgrading it.
