|Col1|POSTED BY: Bryan Lee and Rob Downs on February 12, 2016 3:00 PM| |---|---| ||| |36 LLiikkee|FILED IN: Malware, Threat Prevention, Unit 42 TAGGED: Fysbis, Linux, Sofacy The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments.| |Tweet|| |24|| ### 36 **[There have been numerous reports on their activities, to the extent that a Wikipedia entry has](https://en.wikipedia.org/wiki/Sofacy_Group)** **even been created for them.** **From these reports, we know that the group uses an abundance of tools and tactics, ranging** **across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy** **use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks,** **and targeting over a variety of operating systems – Windows, OSX, Linux, even mobile iOS.** **The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly** **sophisticated, Linux security in general is still a maturing area, especially in regards to malware.** **In short, it is entirely plausible that this tool has contributed to the success of associated attacks** **by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and** **describes considerations and implications when it comes to Linux malware.** **Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as** **distinct classes. For reference, some vendors categorize this malware under the Sednit attacker** **group naming designation. This malware includes both 32-bit and 64-bit versions of Executable** **and Linking Format (ELF) binaries. Additionally, Fysbis can install itself to a victim system with or** **without root privileges. This increases the options available to an adversary when it comes to** **selecting accounts for installation.** **Summary information for the three binaries we analyzed follows:** **MD5** **364ff454dcf00420cff13a57bcb78467** **SHA-256** **8bca0031f3b691421cb15f9c6e71ce19335** **5d2d8cf2b190438b6962761d0c6bb** **ssdeep** **3072:n+1R4tREtGN4qyGCXdHPYK9l0H786** **O26BmMAwyWMn/qwwiHNl:n+1R43QcIL** **XdF0w6IBmMAwwCwwi** **Size** **141.2 KB (144560 bytes)** **Type** **ELF 64-bit (stripped)** **Install as root** **/bin/rsyncd** **Root install desc** **synchronize and backup service** **Install as non-root** **~/.config/dbus-notifier/dbus-inotifier** **Get Updates** **Sign up to receive the latest news, cyber** **threat intelligence and research from Unit** **42.** **Business Email** **Submit** **LikeLike** **Non-root install** **desc** **Select a Category** **Select a Month** **[MORE →](http://researchcenter.paloaltonetworks.com/archives/)** ## 24 **system service d-bus notifier** **C2** **azureon-line[.]com (TCP/80)** **Usage Timeframe** **Late 2014** **Table 1: Sample 1 – Late 2014 Sofacy 64-bit Fysbis** **MD5** **075b6695ab63f36af65f7ffd45cccd39** **SHA-256** **02c7cf55fd5c5809ce2dce56085ba43795f2** **480423a4256537bfdfda0df85592** **ssdeep** **3072:9ZAxHANuat3WWFY9nqjwbuZf454U** **NqRpROIDLHaSeWb3LGmPTrIW33HxIajF:** **9ZAxHANJAvbuZf454UN+rv eQLZPTrV3Z** **Size** **175.9 KB (180148 bytes)** **Type** **ELF 32-bit (stripped)** **Install as root** **/bin/ksysdefd** **Root install desc** **system kernel service defender** ## Palo Alto Networks News of the Week – February 13 **[posted by Anna Lough on February 13, 2016](http://researchcenter.paloaltonetworks.com/author/anna-lough/)** ## A Look Into Fysbis: Sofacy’s Linux Backdoor **[posted by Bryan Lee on February 12, 2016](http://researchcenter.paloaltonetworks.com/author/bryan-lee/)** ## The Cybersecurity Canon: Dragnet Nation **[posted by Palo Alto Networks on February 12, 2016](http://researchcenter.paloaltonetworks.com/author/palo-alto-networks-staff/)** ## Channel Scoop – February 12, 2016 **[posted by Lang Tibbils on February 12, 2016](http://researchcenter.paloaltonetworks.com/author/lang-tibbils/)** ## The Cybersecurity Canon: Cyberdeterrence and Cyberwar **[posted by Palo Alto Networks on February 11, 2016](http://researchcenter.paloaltonetworks.com/author/palo-alto-networks-staff/)** **[MORE →](http://researchcenter.paloaltonetworks.com/archives/)** ----- **C2** **198.105.125[.]74 (TCP/80)** **Usage Timeframe** **Early 2015** **Table 2: Sample 2 – Early 2015 Sofacy 32-bit Fysbis** **MD5** **e107c5c84ded6cd9391aede7f04d64c8** **SHA-256** **fd8b2ea9a2e8a67e4cb3904b49c789d57ed** **9b1ce5bebfe54fe3d98214d6a0f61** **ssdeep** **6144:W/D5tpLWtr91gmaVy+mdckn6BCUd** **c4mLc2B9:4D5Lqgkcj+** **Size** **314.4 KB (321902 bytes)** **Type** **ELF 64-bit (not stripped)** **Install as root** **/bin/ksysdefd** **Root install desc** **system kernel service defender** **Install as non-root** **~/.config/ksysdef/ksysdefd** **Non-root install** **desc** **system kernel service defender** **C2** **mozilla-plugins[.]com (TCP/80)** **Usage Timeframe** **Late 2015** **Table 3: Sample 3 – Late 2015 Sofacy 64-bit Fysbis** **Overall, these binaries are assessed as low sophistication, but effective. They epitomize the** **grudging reality that Advanced Persistent Threat (APT) actors often don’t require advanced** **means to affect their objectives. Rather, these actors more often than not hold their advanced** **malware and zero day exploits in reserve and employ just enough resources to meet their goals.** **It is only fair that defenders use any shortcuts or tricks at their disposal to shorten the amount of** **time it takes to assess threats. In other words, defenders should always look for ways to work** **smarter before they have to work harder.** **Binary strings alone revealed a good amount about these files, increasing the efficacy of** **[activities such as static analysis categorization (e.g., Yara). One example of this is Fysbis](https://plusvic.github.io/yara/)** **installation and platform targeting information for the samples in Table 1 and Table 2.** **Figure 1: Sofacy Fysbis installation and platform targeting found in strings** **In this case, we can see the binary installation path and local reconnaissance to determine** **which flavor of Linux the malware is running. This is followed by a number of Linux shell** **command style commands related to the malware establishing persistence.** **Another example of easily obtained information from these samples is capability based.** ----- **Figure 2: Sofacy Fysbis capability related leakage through strings** **Figure 2 shows interactive status / feedback strings that can give a defender an initial profile of** **capabilities. In addition to contributing to static analysis detections, this can be useful as a** **starting point for further incident response prioritization and qualification of the threat.** **Interestingly, the most recent ELF 64-bit binary we analyzed (Table 3) was not stripped prior to** **delivery, which offered additional context in the form of symbolic information. Defenders more** **[familiar with Windows Portable Executable (PE) binaries can equate this with compilation of a](https://msdn.microsoft.com/en-us/library/ms809762.aspx)** **Debug version versus a Release version. For comparison, if we were to inspect Fysbis** **“RemoteShell” associated strings in one of the stripped variants, we would only see the** **following:** **Figure 3: Sofacy Fysbis stripped binary string references to RemoteShell capability** **Compare this with what is available from the non-stripped variant:** **Figure 4: Sofacy Fysbis non-stripped binary strings referenes to RemoteShell capability** **Little static analysis gifts like these can help to speed defender enumeration of capabilities and –** **more importantly – further contribute to correlation and detection across related samples.** **Additionally, this latest sample demonstrated minor evolution of the threat, most notably in terms** **of obfuscation. Specifically, both samples in Table 1 and Table 2 leaked installation information** **in the clear within binary strings. This was not the case with the sample in Table 3. Taking a** **closer look at this non-stripped binary using a disassembler, the following corresponds to** **decoding malware installation information for a root-privilege account.** ----- **In this case, the symbolic information hints at the method used for decoding, with references to** **mask, path, name, and info byte arrays.** **Figure 6: Assembly view of Sample 3 root installation related byte arrays** **As it turns out, the referenced byte mask is applied to the other byte arrays using a rolling** **double-XOR algorithm to construct malware installation paths, filenames, and descriptions for a** **Linux root account. Corresponding INSTALLUSER byte arrays exist, which facilitate the non-** **root installation for the trojan. The same masking method is also used by the binary to decode** **malware configuration C2 information, further showcasing how a little symbolic information can** **go a long way towards completeness and higher confidence in assessment of a malware** **sample.** **If you would like to learn more about how Fysbis works, the samples analyzed remain fairly** **[consistent with the sample analysis found here.](http://vms.drweb.com/virus/?i=4276269)** **As Unit 42 has discussed in depth in other blog articles, we have observed that adversaries in** **general are seemingly hesitant in changing their infrastructure. This may be due to not wanting** **to commit additional resources, or simply a matter of retaining familiarity for the sake of** **timeliness. In either case, we see the same type of behavior here with the Fysbis samples in** **use by Sofacy.** **The oldest sample (Table 1), was found to beacon to the domain azureon-line[.]com, which had** **already been widely publicized as a known command and control domain for the Sofacy group.** **Using passive DNS, we can see that two of the original IPs this domain resolved to,** **193.169.244[.]190 and 111.90.148[.]148 also mapped to a number of other domains that had** **been in use by the Sofacy group during that time period.** ----- **Figure 7: Sample 1 C2 resolutions** **The first of the newer samples (Table 2), continues the trend and beacons to an IP also widely** **associated with the Sofacy group, 198.105.125[.]74. This IP has been mostly associated with** **[the tool specifically known as CHOPSTICK, which can be read about here.](https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf)** **Figure 8: Sample 2 C2 resolutions** **The newest sample (Table 3), introduces a previously unknown command and control beacon to** **mozilla-plugins[.]com. This activity aligns with the previously observed Sofacy group tactic of** **integrating legitimate company references into their infrastructure naming convention. Neither** **this new domain nor the IP it resolves to have been observed in the past, indicating that the** **sample in Table 3 may be associated with a newer campaign. Comparing this sample’s binary** **with the other two however, shows there are significant similarities on the code level as well as** **in terms of shared behavior.** ----- **Linux is used across business and home environments and appears in a variety of form factors.** **It is a preferred platform within data centers and the cloud for businesses, as well as an ongoing** **favorite when it comes to a majority of Internet-facing web and application servers. Linux is also** **at the foundation of Android devices and a number of other embedded systems. The value** **proposition of Linux – especially when it comes to its use in the enterprise – can be broken out** **into three perceived benefits: lower total cost of ownership (TCO), security, and feature set.** **While numbers and comparison alone can contribute to measurement of TCO and feature set,** **security requires further qualification. Expertise in the Linux platform is highly sought after** **across all industries for multiple disciplines, from system administration to big data analytics to** **incident response.** **The majority of businesses still maintain Windows-heavy user environments where certain core** **infrastructure components also operate under Windows servers (e.g., Active Directory,** **SharePoint, etc.). This means, from a practical perspective, most of a business’s focus remains** **on supporting and protecting Windows assets. Linux remains a mystery to a number of** **enterprise IT specialists –most critically for network defenders. Identifying and qualifying** **potential incidents requires a familiarity with what constitutes normal operation in order to isolate** **anomalies. The same is true for any other asset in an environment, normal operation is entirely** **dependent on a given asset’s role / function in the enterprise.** **Lack of expertise and visibility into non-Windows platforms combine in some environments to** **present significant risks against an organization’s security posture. As a recent caution, the** **[Linux vulnerability described under CVE-2016-0728 further demonstrates the potential breadth](http://www.pcworld.com/article/3023870/security/linux-kernel-flaw-endangers-millions-of-pcs-servers-and-android-devices.html)** **of real-world risks to associated platforms. A natural extension of this exposure is increased** **targeting by both dedicated and opportunistic attackers across various malicious actor** **motivations. Despite the lingering belief (and false sense of security) that Linux inherently yields** **higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist** **and are in use by advanced adversaries. To mitigate associated risks requires tailored** **integration of the people, processes, and technology in support of prevention, monitoring, and** **detection within an environment.** **Linux malware detection and prevention is not prevalent at this time, but Palo Alto Networks** **customers are protected through our next-generation security platform:** **IPS signature 14917 deployed to identify and prevent command and control activity** **The C2 domains and files mentioned in this report are blocked in our Threat Prevention** **product.** **Type** **Value** **MD5** **364ff454dcf00420cff13a57bcb78467** **SHA256** **8bca0031f3b691421cb15f9c6e71ce193** **355d2d8cf2b190438b6962761d0c6bb** **ssdeep** **3072:n+1R4tREtGN4qyGCXdHPYK9l** **0H786O26BmMAwyWMn/qwwiHNl:n** **+1R43QcILXdF0w6IBmMAwwCwwi** **MD5** **075b6695ab63f36af65f7ffd45cccd39** **SHA-256** **02c7cf55fd5c5809ce2dce56085ba437** **95f2480423a4256537bfdfda0df85592** **ssdeep** **3072:9ZAxHANuat3WWFY9nqjwbuZf** **454UNqRpROIDLHaSeWb3LGmPTrI** **W33HxIajF:9ZAxHANJAvbuZf454UN** **+rv eQLZPTrV3Z** **MD5** **e107c5c84ded6cd9391aede7f04d64c8** **SHA-256** **fd8b2ea9a2e8a67e4cb3904b49c789d** **57ed9b1ce5bebfe54fe3d98214d6a0f61** **ssdeep** **6144:W/D5tpLWtr91gmaVy+mdckn6** **BCUdc4mLc2B9:4D5Lqgkcj+** **Path** **/bin/rsyncd** **Path Desc** **synchronize and backup service** **Path** **~/.config/dbus-notifier/dbus-inotifier** **Path Desc** **system service d-bus notifier** **Path** **/bin/ksysdefd** **Path** **~/.config/ksysdef/ksysdefd** **Path Desc** **system kernel service defender** **C2** **azureon-line[ ]com** ----- -----