Financially Motivated APT-style Actors Target Retail & Hospitality


A new wave of activity from a financially motivated, APT-style group of cyber threat actors is targeting large restaurant chains with phishing emails containing malicious attachments. Since at least April 2017, the group has been targeting the retail and hospitality sectors. The group has been active since 2015 and is known for its use of the Carbanak malware. The most recent campaigns leverage two new RTF droppers to deliver a variant of a known backdoor. Early campaigns were known for targeting financial institutions and banks; in 2015, the group targeted European banks through a banking application called the Internet Front End Banking System (iFOBS). This report describes the TTPs leveraged in the recent campaigns. The full report is available through Red Sky Alliance Portal Intelligence.

NotPetya: Ransomware Or Russian Wiper?

The creators of NotPetya (also known as Petya, PetrWrap, Petya.A, Win32/Diskcoder.Petya.C, EternalPetya, Nyetya, and exPetr) continue to present NotPetya as "simple ransomware." The developers have moved the bitcoins they received, sent payments to wallets associated with Pastebin and DeepPaste, contacted the public, and were apparently able to decrypt one short NotPetya-encrypted file. At the same time, the NotPetya creators did not use the original Petya ransomware source code, and likely left no remedy for most users to recover their encrypted data, despite showing them a ransom note. These observations, together with targeting and comparative TTP data for XData and BlackEnergy3 KillDisk, allow Wapack analysts to attribute NotPetya as likely belonging to a Russian APT. The Petya/NotPetya operation is likely another Russian APT disruption targeting Ukrainian IT infrastructure, and possibly an intelligence operation, masked as a ransomware case. At the same time, it is probable that the Petya and NotPetya actors have a master key to decrypt user files, provided the targeted disk was not destroyed and the system information is available.

Petya/NotPetya and Really Not Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting Ukrainian financial institutions (FIs) to deliver a credential-stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya ransomware outbreak, which also targeted Ukrainian banking infrastructure. Possibly due to the confusion generated during the initial Petya/NotPetya outbreak, Loki Bot samples and C2s were reported as Petya/NotPetya ransomware. Further confusion resulted when anti-virus (AV) detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, File Transfer Protocol (FTP) applications, email accounts, and cryptocurrency wallets. This report discusses the misattribution of Loki Bot, along with technical details of the analyzed Loki Bot samples.

OpIcarus2017, a Limited Risk

In June 2017, Wapack Labs analysts observed a faction of the Anonymous collective attempting to launch OpSacred, the fifth phase of OpIcarus2017, a multiphase operation aimed at central banks and other financial institutions (e.g., the International Monetary Fund and the World Bank). The campaign attracted hundreds of participants, yet failed to attract AnonOps support, create a dedicated IRC channel, attract experienced organizers, or follow up after its initial start day, producing limited effects. While the operation was badly organized, it may become a training ground for future hacker collaborations, especially since the Anonymous collective has been observed using GitHub to collect and share tools.

IBNS Malicious Infrastructure Targets Financial Institutions

In late May 2017, Wapack Labs identified a large, malicious email delivery infrastructure targeting multiple industries, including finance and transportation. Wapack Labs has dubbed this network "IBNS" for future tracking. The infrastructure consists of a single name server and over 17k typo-squatted domains. The size of this recently discovered IBNS network is unprecedented. As a result, Wapack Labs believes that IBNS is a malicious provider that uses web automation and reseller services to facilitate criminal activity. The known actors use services provided by resellers, which are popular among hackers. By using reseller services, the actors create a level of separation that obscures attribution. Indicators and tactics associated with the IBNS network are consistent with Tactics, Techniques, and Procedures (TTPs) attributed to a known hacking group. That group's activity is characterized by fraud-related malware attacks leveraging open-source tools, with a suspected Nigerian nexus. This report provides details and trending on the IBNS network.

Russia is Considering Ethereum's Blockchain Technology

Russian president Vladimir Putin recently met with Ethereum founder Vitalik Buterin. Russia has in the past effectively banned Bitcoin use by its companies and is now likely switching to a "use and control" approach to emerging blockchain technologies. Bitcoin is the original blockchain-based cryptocurrency and has become very popular in black markets, including online drug sales and cybercrime. Ether (the token for Ethereum) is one of the alternatives growing fast in general popularity. Besides the currency function, Ethereum provides much more: it is an open-source, public, blockchain-based distributed computing platform that features smart contract (scripting) functionality, which facilitates online contractual agreements. This makes Ethereum technologies of interest to major financial institutions and IT companies. Blockchain technologies are not bad per se, and many Western financial institutions are attracted to their use, but Russia's history of protecting black-hat hackers and controlling some online black markets makes this development worrisome.

NK Lazarus Threat to the Financial Sector Remains High

Newly discovered Command and Control (C2) Internet Protocol (IP) addresses confirm the geolocation of the North Korean threat actors known as Lazarus Group, despite their deliberate attempts at misdirection. They are known for custom tailoring and reusing code between malware families and campaigns. Since 2009, Lazarus Group has targeted Asia-based financial institutions, European and South American financial institutions, and media companies such as Sony Pictures. Recent financial and trading sanctions levied on North Korea will increase the likelihood of attacks on the financial sector, similar to the documented attacks that leveraged the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to compromise central banks.

Darknet Marketplace Exposes Financial Items on Global Scale

Wapack Labs analysts are researching a Tor-based darknet marketplace that sells stolen financial items, including credit cards and gift cards, and occasionally provides free dumps that expose the Personally Identifiable Information (PII) of individuals. New accounts are available every week, and the marketplace's administrators claim they are 100% verified; how-to manuals are provided with transactions. The marketplace operates on a global basis, with stolen products from the US, EU, Oceania, and Russia. Further research is being conducted to identify the source of the stolen credit cards.

Targeting Online Video Gaming Virtual Currency

Wapack Labs is researching a cybercriminal group that targets online gamers and the video gaming industry. The group commonly uses digital certificates stolen from online game developers to sign its malware, thereby decreasing the risk of anti-virus (AV) detection. Americans alone spend an estimated $25 billion a year on online video games. Many online games are MMORPGs (Massively Multiplayer Online Role-Playing Games), which run on virtual currency that is bought and sold with real money. Additionally, the group aims to steal source code from games under development in order to aid in virtual currency mining. We assess with high confidence that the cybercriminal group will continue to evolve and take advantage of the growing online gaming industry.

Cyber Espionage Targets Managed Service Providers (MSPs)

Wapack Labs analysts assess with high confidence that a growing cyber espionage campaign with a Chinese nexus has been targeting Managed Service Providers (MSPs) in order to compromise multiple organizations at once. This campaign is responsible for intrusions in the United States, Europe, and Japan. Typical targets include construction, engineering, aerospace, telecom, and government institutions. The actors involved leverage a wide variety of tools and custom malware, allowing flexibility in the methods used for intrusion.

The LinkedIn, Dropbox, and Formspring Hacker: Yevgeniy Nikulin

Yevgeniy Nikulin is a potent Russian hacker responsible for major breaches including LinkedIn, Dropbox, and Formspring, as well as lesser-known thefts of funds from a Bitcoin hedge fund and from individuals. After his arrest in Prague, Russia filed its own extradition request to compete with the one from the US. There are unconfirmed allegations that Nikulin may have some insight into the hacking related to the 2016 Presidential Elections. Nikulin is a highly skilled, dangerous hacker. While the true nature of his connections to the Russian government is unproven, it is possible that they prompted the legal help he is receiving.

Tor-based Site Operates Illegal Sales Under AES 256-bit Encryption

Wapack Labs discovered a Tor-based website conducting illegal financial sector activities, ranging from carding and counterfeit money to electronics and narcotics. The site, which requires no registration, claims that the forum is totally anonymous and highly secure, largely because all data is encrypted with AES 256-bit encryption. The site provides a multi-signature escrow for all transactions, allowing safe Bitcoin (BTC) transactions between both parties.

Free Online Payment System Credentials: Contact Señor

Wapack Labs analysts exposed a threat actor targeting the financial sector who is actively posting in several clear web and underground forums. Within these forums, the actor creates threads of free, downloadable log-in credentials for an online payment system. Analysts assess that the actor is likely brute-forcing the accounts to obtain the passwords. A brute-force attack is a trial-and-error method in which software systematically tries candidate passwords or keys until one works; it is highly effective when the account uses a simple password. The language, emails, and passwords indicate that the actor is a Spanish or Portuguese speaker, likely operating in South America.

Nature is Bullet Proof: Dark Cloud

Wapack Labs is researching key components of the Dark Cloud network, including all associated malware to date. "Dark Cloud" is an infrastructure that encompasses thousands of fast-flux proxy botnets in a "bullet proof" hosting environment, renting thousands of bots to underground users for criminal activity. Roughly 20% of the observed bots were actively leveraged by Dark Cloud. Sality file-infector malware was by far the most commonly observed activity and represents a likely propagation mechanism for the botnet.

Keylogging Campaign Affecting Japanese Law Firms

During research using the Cyber Threat Analysis Center (CTAC), Wapack Labs Team Jaeger (TJ) analysts identified four Japanese law firms that were victimized by keylogging malware. All of the affected firms specialize in patent law. While the malware utilized by the threat actor is unsophisticated, the actor's fraudulent activity is persistent, effective, and has the potential to negatively impact clients of the affected organizations.

Assessing the Multiple Personalities of an APT Actor

Wapack Labs assesses with medium confidence that an identified Advanced Persistent Threat (APT) "group" is actually a lone actor using numerous personas. The "group's" forum was rumored to be operated by a foreign military unit and used as a place to resell data no longer needed to conduct operations. During March and April 2017, Wapack analysts observed the lone actor's activities across multiple underground forums and were able to tie those activities to aliases used by other purported group members.

Uptick in the Wild: CVE-2017-0911

As early as January 2017, cyber threat actors began using a then-zero-day exploit for CVE-2017-0199, a Microsoft Office remote code execution vulnerability, in targeted attacks. Large-scale Dridex campaigns occurred shortly after the vulnerability was disclosed in April. Like many other Office vulnerabilities, CVE-2017-0199 has been exploited by multiple actors, cyber criminals and nation-state actors alike. Recent activity indicates continued exploitation of this vulnerability.

Shamoon2 Overwrites and Attacks Saudi Targets

Wapack Labs' research has uncovered Iranian actors using Shamoon2 against Saudi infrastructure and industry targets. Shamoon2 renders infected systems inoperable by overwriting the Master Boot Record (MBR). The actors responsible are using commercially available kernel drivers, which may indicate a lack of experience with Windows kernel development. However, there is evidence that the malware was designed by reverse engineering malware attributed to a nation-state, suggesting that their skills are improving. Further attacks against Saudi-related targets using the Shamoon family of malware are highly likely.

FTC Subpoena-Themed Reconnaissance Campaign

Wapack Labs analysts, using the Cyber Threat Analysis Center (CTAC), discovered a reconnaissance campaign that we assess with moderate confidence was conducted in preparation for a more malicious campaign. The recovered logs contained email addresses, filenames, and IP addresses. These logs are believed to come from a phishing campaign that leveraged "FTC subpoena" (Federal Trade Commission) lures to entice targets to click a link in the email.

APT's Code Used Against Global Government Financial Websites

The code and the tactics, techniques, and procedures (TTPs) used against government financial regulatory websites in Poland, Mexico, and Uruguay are too similar to be coincidental. These attacks are almost certainly being carried out by a known APT group. Security researchers in Poland are uncovering artifacts from a recent breach in which attackers used that country's financial regulatory organization's website to spread malware. The Indicators of Compromise (IOCs) that led to the discovery included abnormal network traffic and unknown encrypted executables resident on victim machines. This APT group has targeted Asia-based financial institutions and manufacturing companies since at least 2009, in addition to stealing $81M from global financial institutions. The group has also been attributed with cyber espionage campaigns. Technical details of the attack in Poland, and mitigations, are provided herein.