Warhorse Botnet and Attack Framework

In August 2017, Wapack Labs uncovered a new botnet leveraging a recently released attack framework dubbed "Warhorse". The bots were observed delivering the GlobeImposter malware to numerous targets, including those in the government, military, telecommunications, and energy sectors. JavaScript downloaders such as Warhorse have become a popular delivery mechanism for multiple malware campaigns. The speed with which Warhorse was adopted by cybercriminals is notable: the campaign described in this report took place only a few days after the project appeared on GitHub. While Warhorse currently has an above-average detection ratio on VirusTotal, it is still undetected by several major anti-virus vendors. Furthermore, since the delivery infrastructure is likely part of a larger botnet, there is a high probability that the bots are being leveraged in other attacks. This report provides an early warning on this new botnet and details on the Warhorse attack framework.

Wapack Labs has cataloged and reported extensively on botnets and malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Profile: Arrested Chinese Cyber Actor Yu Pingan


On 22 August 2017, a Chinese national named Yu Pingan was arrested and charged with cyber intrusions into four U.S. corporations between 2011 and 2014 that included the use of Sakula malware, known for its use in the major breaches of Anthem patient records and the Office of Personnel Management (OPM). Yu Pingan operates under the principal persona “Goldsun.” Analysts believe (high confidence) that he is in fact the Goldsun who was active at the Chinese hacker website Xfocus.net from 2004 to 2009. He is credited with, and likely authored, several pieces of malware that he posted during this period. His real identity remained unknown, but email addresses in some of his posts correspond to other accounts identified in the charges that led to his arrest. The charges against Yu Pingan do not identify any organization he was working for, nor any connection to the Chinese government. Wapack Labs believes with medium confidence that Yu is affiliated with the Chinese civilian hacker group Wekby. The Chinese government has not issued any statements, and there has been no coverage of his arrest in official media.

Wapack Labs has cataloged and reported extensively on China, Wekby, APT, and cyber intrusions in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Adopting Maritime Cryptocurrency Requires Due Diligence and Caution

The new “maritime cryptocurrency”, TEU tokens (named for the maritime Twenty-foot Equivalent Unit) on Ethereum, was recently announced. The promoter, ETH Smart Contract Tech Limited, started a fundraising token sale on 16 August 2017. The token is issued by 300cubits, a startup based in Hong Kong, China. Blockchain is being tested in different fields, from financing to transportation. But this new technology poses many risks, including: programming mistakes on many levels; backup requirements; built-in irreversibility and so-called 51% attacks that may reverse transactions; intentionally fraudulent token fundraising and poorly designed business models; price volatility; legal complications and changes to laws; and hacking incidents. The TEU tokens specifically share many of these risks, some of which are mentioned in the TEU terms and some of which are not. Nevertheless, partial adoption of the TEU cannot be completely ruled out as of this writing.

Wapack Labs has cataloged and reported extensively on cryptocurrency and maritime security issues in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Ursnif Campaign Targets Logistics and Finance


Wapack Labs recently identified a large-scale Ursnif campaign affecting multiple companies in the logistics, finance, and IT sectors. The campaign, which began in May 2017, consists of spear-phishing emails with a malicious document attached that, when opened, delivers malware identified as Ursnif. Active since 2012, Ursnif malware has undergone several variations. The current variant implements data exfiltration and sends encrypted victim data to a C2 server. By using compromised accounts and exploiting existing trust relationships, the actors are likely able to achieve a high open rate. While additional user interaction is required to enable the malicious macro, the campaign probably resulted in a few installations because the delivery email did not appear unsolicited. Additionally, the clever social engineering exhibits a moderate to advanced level of tradecraft by the actor. Tactics, Techniques, and Procedures (TTPs) and shared infrastructure in this campaign suggest that a single actor or group, attributed to China, executed this campaign.

Wapack Labs has cataloged and reported extensively on spear-phishing, Ursnif, and China in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

China’s Position in the U.S. & North Korean Conflict

China is attempting to play a moderating role in the current conflict between the United States and North Korea over North Korea’s development of intercontinental nuclear missiles. China has argued for restraint on all sides, and signed the United Nations sanctions measure against North Korea on 5 August 2017. A review of Chinese statements in Chinese media on 14-16 August 2017 indicates that China is standing by its sanctions pledge and sees some hope for an easing of the crisis:

  • On 14 August China reaffirmed that it was imposing an import ban on coal, iron, iron ore, lead, lead ore and seafood from North Korea as a tool to bring Pyongyang back to negotiations.
  • Some Chinese coverage argued that North Korean threats were just a stratagem to entice the U.S. to cancel its joint military exercises with South Korea.
  • The enthusiasm for joining with the United States in pressuring North Korea may have been blunted somewhat by the White House order to start an investigation into Chinese trade practices.
  • As of 16 August, China appeared to see signs that the crisis was starting to ease, based on North Korean media coverage of Kim Jong-Un’s visit to its Strategic Force Command and the “delay” in any attack decision. 

In general, China has indeed adopted a relatively neutral stance in this conflict. If it stands by its pledge to block key imports from North Korea, this could over time put real economic pressure on North Korea. Whether that would be enough pain to cause North Korea to curtail its weapons programs is still in doubt. China’s statement that it would not support a preemptive strike by North Korea on the U.S. may also help keep this crisis from escalating.

Wapack Labs has cataloged and reported extensively on China, North Korea, and sanctions in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Ukrainian Independence Day, Potential NotPetya-Like Attack?

Wapack Labs has received information suggesting a possible NotPetya-like attack that may be targeting Ukrainian banking and critical infrastructure today, to coincide with Ukrainian Independence Day. On 11 August 2017, the National Bank of Ukraine (NBU, the central bank of Ukraine) notified Ukrainian banks about an upcoming NotPetya-like attack. Journalists reported it on 16 August 2017. Several English- and Russian-language news sites reported on the issue, but most if not all of their coverage was circular reporting of the original sources:

  • NotPetya-like attack
  • Hitting corporate networks of the Ukrainian businesses
  • On or around the Ukrainian Independence Day (24 August 2017)
  • Via a malicious MS Word attachment
  • Not detected by anti-virus products at the time of the NBU warning
  • NBU cooperates with CERT-UA to stop similar attacks

Wapack Labs has cataloged and reported extensively on Ukraine and NotPetya in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Russia May Have Tried Maritime GPS Spoofing

In a 22 June 2017 report, twenty ships near the Russian Black Sea coast reported their GPS position as inland, at Gelendzhyk Airport. Similar GPS position anomalies were noticed in automobiles driving near the Kremlin in Moscow, Russia. These anomalies suggest that Russia is likely testing a GPS spoofing capability, both on land and at sea, for use in the event of a military conflict.

Wapack Labs has cataloged and reported extensively on Russia and GPS spoofing in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Compromised Brazilian Government Account Advertising Hacker Shops

Wapack Labs' “Operation 8-ball” identified a hacker forum being advertised through a compromised government email account located in Para, Brazil. One of the advertised hacker shop domains was also tweeted by a novice Canadian carder. Originating IPs were located in Kosovo, and Kosovo is listed in the hacker forum's WHOIS data. Exact attribution for the Brazilian government compromise is not available.

Wapack Labs has cataloged and reported extensively on compromised accounts and hacker forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Indian Physical Security Company Compromise


On 15 July 2017, Wapack Labs identified with high confidence four compromised email accounts, with usernames and passwords captured by a keylogger, belonging to an Indian physical security company. These email accounts were used to harvest information from multiple internal systems and external portals. Both the sales and customer relationship management systems may have been compromised. Since many of the keylogger infections have spread through automation, there is a potential for compromise within customer, partner, and supply chain relationships.

Wapack Labs has cataloged and reported extensively on keyloggers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

DiamondFox in the Wild


DiamondFox is a credential-stealing, multi-purpose botnet that is available on the black market as MaaS (Malware as a Service). Also known as Gorynych, DiamondFox is still actively leveraged in the wild, with its recent version, Crystal, available in online marketplaces. This dangerous malware can steal information from PoS (Point of Sale) systems, with campaigns targeting multi-state healthcare providers, dental clinics, manufacturers, and technology companies. To get a picture of the current state of DiamondFox botnets, Wapack Labs has collected recent samples and extracted the command and control (C2) information from their configuration files. This report provides technical details on DiamondFox, the Russian botnet infrastructure, and the domains involved.

Wapack Labs has cataloged and reported extensively on malware and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Life After AlphaBay: TradeRoute


On 04 August 2017, Wapack Labs discovered TradeRoute, a Russian- and English-language Tor-based marketplace and forum on the dark net that focuses on the sale of illegal drugs. However, vendors also sell electronics, digital goods, forgeries, hacking services, lab equipment for narcotics, fashion counterfeits, and fraud services. With the recent takedowns by law enforcement of Hansa Market and AlphaBay (see past reporting by Wapack Labs), actors are migrating to TradeRoute, quickly making it a leading dark net marketplace.

Wapack Labs has cataloged and reported extensively on Tor marketplaces and forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Shadowbrokers and the Scylla Hacking Store


The ShadowBrokers (SB) have recently started a new Tor-based market called Scylla Hacking Store. SB is selling several exploits stolen from APTs (US, Russian, and Chinese exploits), crimeware exploit kits, and other crimeware hacking tools: bots, hash cracking, and Microsoft Office exploits. Analysts believe, with medium confidence, that the recent Petya activity may be related to SB sales of all the payload source code for the FuzzBunch framework, which included EternalBlue.

The full report is available through Red Sky Alliance Portal Intelligence.

Microsoft Office Hoax Phishing Site

On 27 July 2017, Wapack Labs, using our Cyber Threat Analysis Center (CTAC), discovered a phishing site disguised as a Microsoft Office sign-in page. The phishing site is designed to trick users into entering their Microsoft-related email addresses and passwords. When a user enters their credentials into the malicious site, they are then redirected to the real Microsoft sign-in page. The differences between the web pages can be seen in the attached report.

Financially Motivated APT-style Actors Target Retail & Hospitality


A financially motivated, APT-style group of cyber threat actors is targeting large restaurant chains with phishing emails containing malicious attachments. Since at least April 2017, a new wave of the group's activity has targeted the retail and hospitality sectors. The APT-style group has been active since 2015 and is known for its use of the Carbanak malware. The most recent campaigns leverage two new RTF droppers to deliver a variant of a known backdoor. Early campaigns were known for targeting financial institutions and banks; in 2015, they targeted European banks through a banking application called the Internet Front End Banking System (iFOBS). This report describes TTPs leveraged in the recent campaigns. The full report is available through Red Sky Alliance Portal Intelligence.

NotPetya: Ransomware Or Russian Wiper?

The creators of NotPetya (also known as Petya, PetrWrap, Petya.A, Win32/Diskcoder.Petya.C, EternalPetya, Nyetya, and exPetr) continue to present NotPetya as “simple ransomware.” The developers have moved received bitcoins, sent payments to Pastebin- and DeepPaste-associated wallets, contacted the public, and apparently were able to decrypt one short NotPetya-encrypted file. At the same time, the NotPetya creators did not use the original Petya ransomware source code, and likely left no remedy for most users to recover their encrypted data, despite showing them the ransom note. These observations, together with targeting and comparative TTP data for XData and BlackEnergy3 KillDisk, allow Wapack analysts to attribute NotPetya as likely belonging to a Russian APT. The Petya/NotPetya operation is likely another targeted disruption of Ukrainian IT infrastructure by a Russian APT, and possibly an intelligence operation, masked as a ransomware case. At the same time, it is probable that the Petya/NotPetya actors have a master key to decrypt user files in cases where the targeted disk was not destroyed and system information is available.

Petya/NotPetya and Really Not Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting Ukrainian financial institutions (FIs) to deliver a credential-stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya ransomware outbreak, which also targeted Ukrainian banking infrastructure. Possibly due to the confusion generated during the initial Petya/NotPetya outbreak, Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when anti-virus (AV) detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, File Transfer Protocol (FTP) applications, email accounts, and cryptocurrency wallets. This report discusses the misattribution of Loki Bot, along with technical details of analyzed Loki Bot samples.

OpIcarus2017, a Limited Risk

In June 2017, Wapack Labs analysts observed a faction of the Anonymous collective attempting to launch OpSacred, the fifth phase of OpIcarus2017, a multiphase operation aimed at central banks and other financial institutions (i.e., the International Monetary Fund and the World Bank). The campaign attracted hundreds of participants, yet failed to attract AnonOps support, create a dedicated IRC channel, attract experienced organizers, or follow up after its initial start day, producing limited effects. While the operation was badly organized, it may become a training ground for future hacker collaborations, especially since the Anonymous collective has been observed using GitHub to collect and share tools.

IBNS Malicious Infrastructure Targets Financial Institutions

In late May 2017, Wapack Labs identified a large, malicious email delivery infrastructure targeting multiple industries, including finance and transportation. Wapack Labs has dubbed this network “IBNS” for future tracking. The infrastructure consists of a single name server and over 17,000 typo-squatted domains. The size of this recently discovered IBNS network is unprecedented. As a result, Wapack Labs believes that IBNS is a malicious provider that uses web automation and reseller services to facilitate its criminal activity. The known actors use services provided by resellers, which are popular among hackers. By using reseller services, the actors create a level of separation which obscures attribution. Indicators and tactics associated with the IBNS network are consistent with Tactics, Techniques, and Procedures (TTPs) attributed to a known hacking group. Their activity is characterized by fraud-related malware attacks leveraging open-source tools, with a suspected Nigerian nexus. This report provides details and trending on the IBNS network.

Russia is Considering Ethereum's Blockchain Technology

Russian president Vladimir Putin recently met with Ethereum founder Vitalik Buterin. Russia has in the past effectively banned Bitcoin use by its companies and is now likely switching to a "use and control" approach to emerging blockchain technologies. Bitcoin is the original blockchain-based cryptocurrency and has become very popular in black markets, including online drug sales and cybercrime. Ether, the Ethereum token, is one of the alternatives growing fast in general popularity. Beyond its currency function, Ethereum provides much more: it is an open-source, public, blockchain-based distributed computing platform that features smart contract (scripting) functionality, which facilitates online contractual agreements. This makes Ethereum technologies of interest to major financial institutions and IT companies. Blockchain technologies are not bad per se, and many Western financial institutions are attracted to their use, but Russia's history of protecting black-hat hackers and controlling some online black markets makes this development worrisome.

NK Lazarus Threat to the Financial Sector Remains High

Newly discovered Command and Control (C2) IP addresses confirm the geolocation of the North Korean threat actor Lazarus Group, despite its deliberate attempts at misdirection. The group is known for its custom tailoring and reuse of code between malware families and campaigns. Since 2009, Lazarus Group has targeted Asian financial institutions, European and South American financial institutions, and media companies such as Sony Pictures. Recent financial and trading sanctions levied on North Korea will increase the likelihood of attacks on the financial sector, similar to the documented attacks that leveraged the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to compromise central banks.