On January 17, 2015, Spiegel.de published an extensive article based on documents obtained from Edward Snowden. At the same time, they provided a copy of a malicious program codenamed "QWERTY" (http://www.spiegel.de/media/media-35668.pdf), supposedly used by several governments in their CNE operations.
We've obtained a copy of the malicious files published by Der Spiegel and, when we analyzed them, they immediately reminded us of Regin. Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.

Analysis
The QWERTY module pack consists of three binaries and accompanying configuration files. One file from the package, 20123.sys, is particularly interesting.
"20123.sys" is the kernel-mode part of the keylogger. As it turns out, it was built from source code that can also be found in one Regin module, the "50251" plugin.
Using a binary diff it is easy to spot a significant part of code that is shared between both files:
Most of the shared code belongs to the function that accesses the system keyboard driver:
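The binary diff referred to above is only shown as a screenshot. The script below is an added example, not code from the Kaspersky analysis, showing one way such overlap is found mechanically: it indexes every n-byte window of two binaries, reports the maximal runs of identical bytes (candidate shared functions) and a Jaccard similarity over the distinct windows. The two "modules" are constructed byte strings (a synthetic 64-byte shared block surrounded by different padding), and the window size and minimum run length are assumed tuning values, not figures taken from the article.

```python
"""Added example: locating byte sequences shared by two binaries.

Not part of the original article. MODULE_A and MODULE_B are constructed
stand-ins for two compiled modules; they are not real malware samples."""
from collections import defaultdict

N = 8  # window size in bytes (assumed; tune for real samples)


def ngrams(data: bytes, n: int = N) -> dict:
    """Map every n-byte window of data to the list of offsets where it occurs."""
    index = defaultdict(list)
    for i in range(len(data) - n + 1):
        index[data[i:i + n]].append(i)
    return index


def jaccard(a: bytes, b: bytes, n: int = N) -> float:
    """Fraction of distinct n-byte windows present in both inputs (0.0 .. 1.0)."""
    sa, sb = set(ngrams(a, n)), set(ngrams(b, n))
    if not sa and not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def shared_runs(a: bytes, b: bytes, min_len: int = 16, n: int = N) -> list:
    """Return maximal runs of identical bytes of at least min_len bytes as
    (offset_in_a, offset_in_b, length) tuples.

    Every run is grown from a shared n-byte window, so anything shorter than
    n bytes is never reported. Offsets are processed in ascending order, which
    means the leftmost seed on a diagonal is always met first and the run it
    produces is maximal; later seeds inside it are skipped via `seen`."""
    idx_b = ngrams(b, n)
    seen = set()  # (off_a, off_b) pairs already covered by a reported run
    runs = []
    for off_a in range(len(a) - n + 1):
        for off_b in idx_b.get(a[off_a:off_a + n], ()):
            if (off_a, off_b) in seen:
                continue
            length = n
            while (off_a + length < len(a) and off_b + length < len(b)
                   and a[off_a + length] == b[off_b + length]):
                length += 1
            for k in range(length - n + 1):
                seen.add((off_a + k, off_b + k))
            if length >= min_len:
                runs.append((off_a, off_b, length))
    return runs


# Constructed inputs: a 64-byte "function body" embedded in two otherwise
# unrelated modules at different offsets.
SHARED_CODE = bytes(range(0x40, 0x80))
MODULE_A = b"\x00" * 20 + SHARED_CODE + b"\xff" * 30
MODULE_B = b"\x11\x22" * 25 + SHARED_CODE + b"\xee" * 10

if __name__ == "__main__":
    for off_a, off_b, length in shared_runs(MODULE_A, MODULE_B):
        print(f"shared run: A+0x{off_a:x} == B+0x{off_b:x}, {length} bytes")
    print(f"window similarity: {jaccard(MODULE_A, MODULE_B):.3f}")
```

On real modules the byte runs would then be mapped back to functions with a disassembler; a high similarity score alone does not distinguish shared source code from a shared compiler runtime or statically linked library, so the reported runs need to be inspected, as the article does for the keyboard-driver access routine.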
Most of the "Qwerty" components call plugins from the same pack (with plugin numbers 20121 to 20123); however, there is also one piece of code that references plugins from the Regin platform. One particular part of the code is used in both the "Qwerty" 20123 module and Regin's 50251 counterpart, and it addresses plugin 50225, which can be found in the virtual filesystems of Regin. Regin's plugin 50225 is responsible for kernel-mode hooking.
This is solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225.
As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules. They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.
The reason why the two modules have different plugin IDs is unknown. This is perhaps because they are leveraged by different actors, each one with its own allocated plugin ID ranges.

Conclusions
Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work as part of the Regin platform. The QWERTY keylogger doesn't function as a stand-alone module; it relies on kernel hooking functions which are provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and the little chance that it could be duplicated by somebody without access to its source code, we conclude that the QWERTY malware developers and the Regin developers are the same or working together.
Another important observation is that Regin plugins are stored inside an encrypted and compressed VFS, meaning they don't exist directly on the victim's machine in "native" format. The platform dispatcher loads and executes these plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.
Appendix (MD5 hashes):
Regin 50251 plugins:
Kaspersky Lab would like to alert users in the Middle East to new malware attacks being delivered through Syrian news and social networking forums. Malware writers are using multiple techniques to deliver their files and entice the victims to run them, creating an effective infection vector. Relying mainly on social engineering, the attackers exploit victims' trust in social networking forums, their curiosity in following news related to the conflict in Syria, their standing in Syria, and their lack of cyber security awareness. Once criminals infect the victim's computer, the attackers have full access to and control over the victim's devices.
In the first report on Syrian malware, Kaspersky Lab detailed many attacks being used in Syria to spy on users, the report included attacks from different teams and many sources.
This post will follow up on one of the domains, seemingly the most active in the last period: thejoe.publicvm.com
The malware files were found on activist sites and social networking forums, some others were reported by regional organisations like CyberArabs.
Reports that mention "the Joe"
All the files hide under the hood a full-featured variant of a RAT, or Remote Administration Trojan (Bitfrose/NjRAT/Shadowtech/Darkcomet...), capable of getting full control over victim machines and devices, monitoring any movements and accessing all files. The thejoe.publicvm.com domain is related to many samples; here we will focus on the most important and luring ones, which most probably collected the highest number of targeted victims, estimated in the thousands.
There are many factors and entities at play in this event; we will focus only on the malware and the facts found during the analysis, presenting only relevant information, in the hope of setting a clear context for this research.
What is the information we had on theJoe?
What has the Joe been doing in the last period?
Who is the Joe?
The Joe is one of the most active cyber criminals in Syria and the Middle East, targeting all types of users. Following is the information collected on the Joe and his activities.

Domain information "thejoe.publicvm.com"
The Joe is using a dynamic domain to be able to change his IP address and maintain anonymity:
The domain thejoe.publicvm.com has been seen using the following IP addresses located in Syria and Russia:
TCP ports used in the attacks: 1234, 1177, 5522.

Malware information
From the malware samples collected, we were able to find strings in the code, from the Windows device used by the Joe.
Folder paths recovered from the malware files:
The Joe is also using a fake YouTube channel where he posts social engineering videos with links to download malware.
The channel is distributing malware files under the name "Lions of the revolution" or others...

What has the Joe been doing in the last period?
The Joe was busy in the last period. Below we display some of the most graphical and luring samples collected by the Kaspersky Intelligence services and the Kaspersky Security Network (KSN cloud), detailing their functionalities and how the Joe is able to use the situation in Syria to get users to open the files even when they suspect the files are infected. The most targeted countries are Syria, Turkey, Lebanon and Saudi Arabia. The number of victims is estimated at around 2000.
6 new stories:
- Let us fix your SSL vulnerability
- Now Let us clean your Skype!
- Did you update to the latest VPN version?
- Let's Check if your phone number is among the monitored numbers
- The Facebook account encryption application
- What's your favourite security product?
MD5 Hash: dc6166005db7487c9a8b32d938fec846
Filename: TheSSL.exe, SSL Cleaner.rar
Following up on the vulnerabilities in OpenSSL, and the amount of news coverage they received, the cyber criminals are trying to benefit from users' awareness of such news combined with their lack of awareness of how the vulnerabilities could actually be fixed.
Demonstration video on the Heartbleed vulnerability + Link to download the "Fix" with infection
MD5 Hash: d6ab8ca6406fefe29e91c0604c812ff9
File Name: Skype.exe
Another social engineering trick used to lure victims into downloading and executing a malicious file: a "Skype cleaner" to "protect and encrypt your Skype communications".
MD5 Hash: 2e07e8622b4e997f6543fc0497452dad
File Name: VPN.exe
Psiphon is a legitimate application used around the world for anonymity protection; it is particularly effective and widely used in Syria by users who want to protect their traffic from snooping or interception. Here the application is bound with malware and delivered to users as an updated version.
MD5 Hash: ad9a18e1db0b43cb38da786eb3bf7c00
File Name: Syriatel.exe
Another of the popular malware files poses as a tool for checking which mobile phone numbers are under surveillance, sorted by location, and is delivered to victims as a "leaked program".
MD5 Hash: efdaa73e0ac1b045d5f2214cadd77f09
File Name: Rooms.exe
One of the latest files used to infect users is quite different: a Kaspersky Lab tool bound with malware. Developed by Kaspersky Lab, TDSSKiller is a powerful free tool that can detect and remove a specific list of rootkit malware families.
By binding it with malware, the Joe is using the Kaspersky name to deliver the malware in an attempt to lure victims into opening and trusting the files he is sending.
Hundreds of samples relating to the Syrian malware were analyzed. One of the samples extracts to multiple documents; in one of these we found a metadata slip that yielded some interesting information.
The metadata slip by the person using "Joe" as his nickname revealed his personal email, which, with further research, leads to his other emails, full identity, social pages...
MD5 | Filename | Date
(not listed) | Card.exe | Sept 2013
012f25d09fd53aeeddc11c23902770a7, 89e6ae33b170ee712b47449bbbd84784 | قائمة الأرهاب .zip ("list of terrorism"; the file extracts to a .JPG and malicious .SCR files) | Jan 2014
dc6166005db7487c9a8b32d938fec846, 62023eb959a79bbdecd5aa167b51541f | TheSSL.exe (to "remove SSL weaknesses"), SSL Cleaner.rar | April 2014
cc694b1f8f0cd901f65856e419233044 | Desktop.exe, Host.exe | Mar 2014
d6ab8ca6406fefe29e91c0604c812ff9 | Skype.exe, Skypecleaner.exe | July 2014
2e07e8622b4e997f6543fc0497452dad | VPN.exe | Sept 2014
efdaa73e0ac1b045d5f2214cadd77f09 | Rooms.exe (to "encrypt your Facebook") | Nov 2014
39d0d7e6880652e58b2d4d6e50ca084c | Photo.exe | Nov 2014
abf3cfecd2e194961fc97dac34f57b24 | Ram.exe, Setup.exe | Nov 2014
a238f8ab946516b6153816c5fb4307be | tdskiler.exe (to "remove malware") | Jan 2015
6379afd35285e16df4cb81803fde382c | Locker.exe (to "encrypt/decrypt" files) | Jan 2015
Kaspersky Lab detects all malicious files used in the attacks.
All files are actively being used by the cybercriminals at the time of this report.
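The hashes, domain and ports above are the indicators a defender can act on. The script below is an added example, not a Kaspersky tool, showing how to apply them: it hashes every file under a directory and matches the digests against the article's MD5 list, and it flags connection-log lines whose destination is the thejoe.publicvm.com domain or one of the TCP ports the article names. The log format (`dst=host:port`) and all log lines are constructed, and the MD5 dictionary is a subset of the article's list restricted to entries whose filename is unambiguous; since no constructed file can reproduce a listed MD5, the demo adds the digest of a harmless stand-in file to a copy of the list to exercise the match path.

```python
"""Added example: matching files and connection logs against the indicators
published in the article. The MD5 values, domain and ports are taken from the
article; every file and log line below is constructed for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 -> filename as reported in the article (subset with unambiguous names).
KNOWN_BAD_MD5 = {
    "dc6166005db7487c9a8b32d938fec846": "TheSSL.exe",
    "62023eb959a79bbdecd5aa167b51541f": "TheSSL.exe / SSL Cleaner.rar",
    "cc694b1f8f0cd901f65856e419233044": "Desktop.exe / Host.exe",
    "d6ab8ca6406fefe29e91c0604c812ff9": "Skype.exe",
    "2e07e8622b4e997f6543fc0497452dad": "VPN.exe",
    "ad9a18e1db0b43cb38da786eb3bf7c00": "Syriatel.exe",
    "efdaa73e0ac1b045d5f2214cadd77f09": "Rooms.exe",
    "39d0d7e6880652e58b2d4d6e50ca084c": "Photo.exe",
    "abf3cfecd2e194961fc97dac34f57b24": "Ram.exe / Setup.exe",
    "a238f8ab946516b6153816c5fb4307be": "tdskiler.exe",
    "6379afd35285e16df4cb81803fde382c": "Locker.exe",
}
C2_DOMAIN = "thejoe.publicvm.com"
C2_PORTS = {1234, 1177, 5522}  # TCP ports listed in the article

# Constructed log lines in an assumed "dst=host:port" format.
SAMPLE_LOG = [
    "2015-01-20 10:01:02 src=10.0.0.5:49152 dst=thejoe.publicvm.com:1177 proto=tcp",
    "2015-01-20 10:01:09 src=10.0.0.5:49153 dst=update.example.net:443 proto=tcp",
    "2015-01-20 10:02:31 src=10.0.0.7:49201 dst=203.0.113.9:5522 proto=tcp",
]
LOG_RE = re.compile(r"dst=(?P<host>[\w.\-]+):(?P<port>\d+)")


def md5_of_file(path, chunk=1 << 16) -> str:
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, indicators=KNOWN_BAD_MD5) -> list:
    """Return (path, md5, reported_name) for every file whose MD5 is listed."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = md5_of_file(p)
            if digest in indicators:
                hits.append((str(p), digest, indicators[digest]))
    return hits


def suspicious_connections(log_lines) -> list:
    """Flag lines whose destination is the C2 domain or one of its known ports.

    A bare port match is weak evidence on its own (any service may use these
    ports), so each hit carries the reasons it was flagged."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host, port = m.group("host").lower(), int(m.group("port"))
        reasons = []
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            reasons.append("c2-domain")
        if port in C2_PORTS:
            reasons.append("c2-port")
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


def demo() -> tuple:
    """Run both checks on constructed input; returns (file_hits, flag_reasons)."""
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = Path(tmp) / "sample.bin"
        stand_in.write_bytes(b"constructed stand-in, not real malware\n")
        (Path(tmp) / "notes.txt").write_bytes(b"constructed benign content\n")
        # The stand-in's own digest is added to a copy of the list so that the
        # match path runs; against the real list alone nothing here matches.
        indicators = {**KNOWN_BAD_MD5, md5_of_file(stand_in): "sample.bin"}
        file_hits = [name for _, _, name in scan_directory(tmp, indicators)]
    flag_reasons = [reasons for _, reasons in suspicious_connections(SAMPLE_LOG)]
    return file_hits, flag_reasons


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the exact builds listed; repacked or recompiled variants need the behavioural detection the article alludes to, which is why the network indicators (dynamic DNS name, fixed ports) are worth monitoring alongside the file hashes.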
Syrian malware has a strong reliance on social engineering and the active development of malicious variants. Nevertheless, most of them quickly reveal their true nature when inspected carefully; and this is one of the main reasons for urging Syrian users to be extra vigilant about what they download and to implement a layered defense approach. We expect these attacks to evolve both in quality and quantity.
For more details, please contact: firstname.lastname@example.org