Cyber-news from the dark side – ver. SAS-2019.

Hi folks!

Herewith, the next in my series of occasional iNews, aka cyber-news from the dark side updates – this one based on some of the presentations I saw at our annual Security Analyst Summit in Singapore last month.

One of the main features of every SAS is the presentations given by experts. Unlike other geopolitically-correct conferences, here the analysts up on stage share what they’ve discovered regarding any cyberthreat, no matter where it may come from, and they do this based on principle. After all, malware is malware and users need to be protected from all of it, regardless of the declared virtue of the intentions of those behind it. Just remember the boomerang effect.

And if certain media outlets blatantly lie about us in response to this principled position, so be it. And it’s not just our principles they attack – for we practice what we preach: we’re way ahead of the competition when it comes to the numbers of solved cyberespionage operations. And we’re not planning on changing our position in any way to the detriment of our users.

So here are a few synopses of the coolest investigations talked about at SAS by the experts behind them. The most interesting, most shocking, most scary, most OMG…

1. TajMahal

Last year, we uncovered an attack on a diplomatic organization from Central Asia. Of course, that an organization like that is interesting to cybercriminals should come as no surprise. The information systems of embassies, consulates and diplomatic missions have always been of interest to other states and their spy agencies or generally any bad guys with sufficient technical ability and financial wherewithal. Yes, we’ve all read spy novels. But here was something new: here a true ‘TajMahal’ was built for the attacks – an APT platform with a vast number of plugins used (we’ve never seen so many used on one APT platform – by far) for all sorts of attack scenarios using various tools.

The platform consists of two parts: Tokyo and Yokohama. The former is the main backdoor, which also fulfils the function of delivery of the latter malicious program. The latter has very broad functionality: stealing cookies, intercepting documents from the printer queue, recording VoIP calls (including WhatsApp and FaceTime), taking screenshots, and much more. The TajMahal operation has been active now for at least five years. And its complexity would suggest that it’s been built with more than one target in mind; the rest remain for us to find…

Details of this APT-behemoth you can find here.

2. Gaza cybergang

We first wrote about the Gaza cybergang back in 2015, while this politically motivated Arabic cybercriminal group has been in action since as far back as 2012. It mainly operates in the Middle East and Central Asia. Most of its attacks have been on Palestine, but there’ve also been plenty of infection attempts in Jordan, Israel and Lebanon. The Gaza cybergang is clearly mostly interested in snooping on politicians, diplomats, journalists and political activists.

The group can be described as ‘compound’, being made up of at least three subgroups. Each of these groups has a different style of tradecraft; therefore, we weren’t able to work out at first that they do in fact act together. Two of the groups – with the more serious technical ability – we’ve reported on already – here and here. The third subgroup – MoleRATs was first announced at SAS-2019. It’s been known to have had a hand in the SneakyPastes operation (named so for its active use of

Their multi-stage attacks start with some super-sly phishing: an email concerning a current political topic, which appears to contain some kind of protocols of negotiations or correspondence from a seemingly genuine respected organization. An untrained office worker will just steam in and open such attachments. Once he/she does, the seemingly benign file, which actually contains malware, launches a string of infections. Once they’re inside the system, the cyber-crims hide the malware’s presence from antivirus software, and gradually progress onto further stages of the attack.

Ultimately a RAT is installed on the target device that has all sorts of tricks up its sleeve: it can easily download and upload files, launch applications, search for documents and encrypt data. It finds all .pdf, .doc, .docx, .xlsx files on the system, saves them in folders for temporary files, classifies them, archives them, encrypts them, and then sends them via a string of domains to the command & control server. And that, ladies and gents, is how espionage looks in 2019!

Need more words on this? Spy here.

3. Financial fraud and digital clones

If you think that all our investigations concern only attacks that seem to come straight out of a detective/spy/sci-fi fusion novel – think again. The third investigation I want to tell you about affects a massive number of people. A simple cybercrime that has become so commonplace that the media simply doesn’t report on it any more. But they should! I’m talking here financial fraud. According to a reliable source, in 2018 losses from credit card fraud made up some 24 billion dollars. Yes – that’s a ‘b’ there! Just to compare… the yearly budget of NASA is 21.5 billion dollars; the Tokyo Olympics cost 25 billion!

A new term has been thought up to cover modern-day credit card fraud: carding. It’s really prevalent, and it’s growing every year. And though banks and payment systems pay special attention to security, the fraudsters keep on developing new tools for stealing money via bank cards.

Sergey Lozhkin at SAS-2019 told us about another branch of financial crime; he discovered a whole market called Genesis on the darknet, where stolen ‘digital fingerprints’ are bought and sold. These are basically packets of data about the behavior of a user on the net and his digital fingerprint – history of visited sites, information about his operating system, browser and so on. What’s all that needed for? Well, it’s data like this that’s used by various online systems protecting against fraud for checking users. So if a digital fingerprint matches the earlier-used one, then the security solution ‘recognizes’ the individual and approves the transaction – for example, a purchase at an internet store or a money transfer via an online bank. The price of such a digital fingerprint varies between five and US$200, depending on the volume of data.

How are such fingerprints collected? With the use of various malicious programs. For example, malware can lodge itself on your computer, and without being noticed, little by little, collect all the data it can reach. And you don’t notice a thing.

The fraudsters have come up with another method to get round protection: to appear to the system to be an absolutely new user. This can be done with the help of a special service called Sphere. It resets a digital ID and all its parameters. Thus, the criminal is ‘clean’ in the eyes of the protection.

So what can we do about this? Well, banks need to be aware of all of the very latest cyber-fraud schemes and use two-factor authentication. I think that soon they’ll need to add biometric data, fingerprinting, iris scanning, etc. too. In the meantime, for the zillionth time – be real careful with your data (passwords, bank card numbers, use of computers in public places, and connections to public Wi-Fi). And of course – use a good security solution that can recognize all maliciousness that may target your digital identity.

4. The secret power of YARA

Toward the end of SAS this year, Vitaly Kamluk gave us a PechaKucha presentation (20 slides shown for 20 seconds each) on the abilities of YARA (it’s like a search engine that searches for attributes in executable files, which helps in malware analysis no end).

In his presentation, titled ‘The Secret Power of YARA’ he applied his special Jedi powers to this tool and made it come up with… a real-time video in ASCII art! The audience couldn’t believe its eyes. But there was more – he applied further magic and… in the same ASCII regime started to play the first DOOM! The audience became spellbound, stunned, mesmerized…

5. What if…

In the final presentation the director of our GReAT, Costin Raiu, left the audience with plenty to think about on the subject of theoretically possible methods of penetration of malware deep into a system, at the hardware level, and also the potential methods of their concealment at the deepest hardware level. What are we going to do if these hypotheses become reality? How can the cybersecurity industry answer that? That’s what Costin’s presentation was all about – kind of a user guide for start-ups in this field.

All right, that’s all for the SAS-2019 greatest hits. Here’s looking forward to SAS-2020’s even greater hits…

PS: At SAS-2019 around 70 presentations were given, and those were only the ‘finalists’, which made it through the selection stages. I couldn’t tell you about them all in this blog, but do expect the full conference video soon on our YouTube channel shortly…


Leave a note