# Blog ## eration Molerats: Middle East Cyber Atta ust 23, 2013 | By Nart Villeneuve, Ned Moran and Thoufique H t be too hasty to link every Poison Ivy-­based cyber attack to C **ch we recently detailed on this blog, is being used in a broad** , too. , some background: ctober 2012, malware attacks against Israeli government targe off Internet access for its entire police force and banned the us equently linked these attacks to a broader, yearlong campaign [2] — and as discovered later, even the U.S. and UK governm een these attacks and members of the so-­called “Gaza Hacke erats.” at actors in specific geographic regions may prefer one RAT to used by a variety of threat actors, including those involved in m 012, the Molerats attacks appeared to rely heavily on the Xtrem ckers based in the Middle East. [5] But the group has also use ciated with threat actors in China [6] — so much so that PIVY **ALL POSTS** **FIREEYE HOME** **View more videos »** ### F b k attacks linked to China. blog post analyzes several recent Molerats attacks that deplo e U.S. We also examine additional PIVY attacks that leverage s in Egypt and the wider Middle East to lure targets into openin ----- The malware sample we analyzed was unusual for two reasons: It referenced an article that was published last year The compile time for the dropped binary was also dated from last year, seemingly consistent with the referenced article. But this malware was signed, and — in contrast to the compile time, which can be faked — the signing time on its certificate was much more recent: Monday, July 08, 2013 1:45:10 A.M. Here are the file details: Hamas shoot down Israeli F-16 fighter jet by modern weapon in Gaza sea.doc- – - – – - – - – - -.scr MD5: 7084f3a2d63a16a191b7fcb2b19f0e0d This malware was signed with a forged Microsoft certificate similar to previous XtremeRat samples. But the serial number (which is often reused by attackers, enabling FireEye researchers to link individual attacks, including those by the Molerats) is different this time. The malware dropped an instance of PIVY with the following configuration: ----- DNS/Port: Direct: toornt.servegame.com:443, Proxy DNS/Port: Proxy Hijack: No ActiveX Startup Key: HKLM Startup Entry: File Name: Install Path: C:\Documents and Settings\Admin\Local Settings\Temp\morse.exe Keylog Path: C:\Documents and Settings\Admin\Local Settings\Temp\morse Inject: No Process Mutex: gdfgdfgdg Key Logger Mutex: ActiveX Startup: No HKLM Startup: No Copy To: No Melt: No Persistence: No Keylogger: No Password: !@#GooD#@! We collected additional PIVY samples that had the same password or linked to CnC infrastructure at a common IP address (or both). We observed three PIVY passwords (another potential identifier) used in the attacks: “!@#GooD#@!”, “!@#Goood#@!” and “admin100”. **Additional Samples with Middle Eastern Themes** We also found a PIVY sample used by this group that leveraged what are known as key files instead of passwords. The PIVY builder allows operators to load .pik files containing a key to secure communications between the compromised computer and the attacker’s machine. By default, PIVY secures these communications with the ascii text password of “admin” — when the same non-­default password appears in multiple attacks, researchers can conclude that the attacks are related. The PIVY sample in question had an MD5 hash of 9dff139bbbe476770294fb86f4e156ac and communicated with a CnC server at toornt.servegame.com over port 443. The key file used to secure communications contained the following ascii string ‘Password (256 bits):\x0d\x0aA9612889F6’ (where \x0d\x0a represents a line break). The 9dff139bbbe476770294fb86f4e156ac sample dropped a decoy document in Arabic that included a transcript of an interview with Salam Fayyad, the former Prime Minister of the Palestinian National Authority. ----- The sample a8714aac274a18f1724d9702d40030bf dropped a decoy document in Arabic that contained a biography of General Adbel Fattah el-­Sisi – the Commander-­in-­Chief of the Egyptian Armed Forces. ----- A recent sample (d9a7c4a100cfefef995785f707be895c) used protests in Egypt to entice recipients to open a malicious file. ----- Another sample (b0a9abc76a2b4335074a13939c59bfc9) contained a decoy with a grim picture of Fadel Al Radfani, who was the adviser to the defense minister of Yemen before he was assassinated. Although we are seeing Egyptian-­ and Middle Eastern-­themed attacks using decoy content in Arabic, we cannot determine the intended targets of all of these attacks. **Delivery Vector** We believe that the Molerats attacker uses spear phishing to deliver weaponized RAR files containing their malicious payloads to their victims in at least two different ways. The Molerats actor will in some cases attach the weaponized RAR file directly to their spear-­ phishing-­emails. We also believe that this actor sends spear-­phishing emails that include links to RAR files hosted on third-­party platforms such as Dropbox. In one such example we found the following link was used to host Ramadan.rar (fc554a0ad7cf9d4f47ec4f297dbde375): hxxps://dl[.]dropboxusercontent[.]com/s/uiod7orcpykx2g8/Ramadan.rar?token_hash=AAHAVuiXpTkOKwar9e0WH-­ EfrK7PEB9O7t7WC6Tgtn315w&dl=1 **CnC Infrastructure** We have found 15 PIVY samples that can be linked through common passwords, common CnC domain names, and common IP addresses to which the CnC domains resolve. The CnC servers for this cluster of activity are: toornt.servegame.com updateo.servegame.com egypttv.sytes.net skype.servemp3.com natco2.no-­ip.net Two of the domain names (natco2.no-­ip.net and skype.servemp3.com) that were used as CnCs for PIVY were both documented as XtremeRat CnCs that were used in previous attacks. [8] ----- We focused on these domains and their IP addresses — which they had in common with toornt.servegame.com. In addition, we added the well-­known CnCs good.zapto.org and hint.zapto.org used in previously documented attacks. By observing changes in DNS resolution that occurred within the same timeframe, we were able to ensure that the passive DNS data we collected was the same. Interestingly, we also found that the domains often shifted to a new IP address over time. CnC Date IP toornt.servegame.comnatco2.no-­ip.netskype.servemp3.comgood.zapto.orghint.zapto.org 2013-­07-­10 209.200.39.48 22:06:562013-­ 07-­10 22:05:312013-­ 07-­10 23:45:462013-­ 07-­10 23:48:412013-­ 07-­10 23:48:41 toornt.servegame.comnatco2.no-­ip.netskype.servemp3.comgood.zapto.orghint.zapto.org 2013-­07-­16 209.200.39.88 09:14:302013-­ 07-­16 11:33:212013-­ 07-­16 12:47:592013-­ 07-­16 12:50:512013-­ 07-­16 12:50:51 toornt.servegame.comnatco2.no-­ip.nethint.zapto.org 2013-­07-­21 173.225.126.166 15:00:382013-­ 07-­21 15:28:432013-­ 07-­21 16:31:07 toornt.servegame.comnatco2.no-­ip.net 2013-­07-­21 173.225.126.103 22:06:192013-­ 07-­21 22:04:49 toornt.servegame.comnatco2.no-­ip.netskype.servemp3.comgood.zapto.orghint.zapto.org 2013-­07-­29­ 209.200.39.220 |CnC|Date|IP| |---|---|---| |toornt.servegame.comnatco2.no-i­p.netskype.servemp3.comgood.zapto.orghint.zapto.org|2013-0­7-1­0 22:06:562013-­ 07-1­0 22:05:312013-­ 07-1­0 23:45:462013-­ 07-1­0 23:48:412013-­ 07-1­0 23:48:41|209.200.39.48| |toornt.servegame.comnatco2.no-i­p.netskype.servemp3.comgood.zapto.orghint.zapto.org|2013-0­7-1­6 09:14:302013-­ 07-1­6 11:33:212013-­ 07-1­6 12:47:592013-­ 07-1­6 12:50:512013-­ 07-1­6 12:50:51|209.200.39.88| |toornt.servegame.comnatco2.no-i­p.nethint.zapto.org|2013-0­7-2­1 15:00:382013-­ 07-2­1 15:28:432013-­ 07-2­1 16:31:07|173.225.126.166| |toornt.servegame.comnatco2.no-i­p.net|2013-0­7-2­1 22:06:192013-­ 07-2­1 22:04:49|173.225.126.103| ----- |Col1|16:46:352013-­ 07-­29 16:49:272013-­ 07-­29 16:49:27|Col3| |---|---|---| |natco2.no-­ ip.netgood.zapto.orghint.zapto.orgtoornt.servegame.comomagle.serveblog.netskype.servemp3.com|2013-0­7-1­0 22:05:312013-­ 07-1­0 22:06:352013-­ 07-1­0 22:06:372013-­ 07-1­0 22:06:562013-­ 07-1­0 22:19:032013-­ 07-1­0 22:19:31|209.200.39.48| |egypttv.sytes.nettoornt.servegame.com|2013-0­8-1­0 14:07:382013-­ 08-1­0 14:08:43|173.225.126.179| One interesting discovery concerns a sample (5b740b4623b2d1049c0036a6aae684b0) that was first seen by VirusTotal on September 14, 2012. This date is within the timeframe of the original XtremeRat attacks, but the payload in this case was PIVY. This indicates that the attackers have been using PIVY in addition to XtremeRat for longer than we had originally believed. **Conclusion** We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-­based threat actors for their attacks or simply evidence that they have added another effective, publicly-­available RAT to its arsenal. But this development should raise a warning flag for anyone tempted to automatically attribute all PIVY attacks to threat actors based in China. The ubiquity of off-­the-­shelf RATs makes determining those responsible an increasing challenge. The ongoing attacks are also heavily leveraging content in Arabic that uses conflicts in Egypt and the wider Middle East to lure targets into opening malicious files. But we have no further information about the exact targets of these Arabic lures. As events on the ground in the Middle East — and in Egypt in particular — receive international attention, we expect the Molerat operators to continue leveraging these headlines to catalyze their operations. **Notes** 1. http://www.timesofisrael.com/how-­israel-­police-­computers-­were-­hacked-­the-­inside-­story/ http://www.haaretz.com/blogs/diplomania/israel-­s-­foreign-­ministry-­targeted-­by-­computer-­virus-­bearing-­idf-­chief-­s-­ name.premium-­1.472278 2. http://download01.norman.no/whitepapers/Cyberattack_against_Israeli_and_Palestinian_targets.pdf 3. http://blog.trendmicro.com/trendlabs-­security-­intelligence/new-­xtreme-­rat-­attacks-­on-­usisrael-­and-­other-­foreign-­ governments/ 4. http://blog.trendmicro.com/trendlabs-­security-­intelligence/new-­xtreme-­rat-­attacks-­on-­usisrael-­and-­other-­foreign-­ governments/ 5. http://blog.trendmicro.com/trendlabs-­security-­intelligence/new-­xtreme-­rat-­attacks-­on-­usisrael-­and-­other-­foreign-­ governments/ 6. http://www.fireeye.com/resources/pdfs/fireeye-­poison-­ivy-­report.pdf 7. The Molerats group also uses addition RATs such as XtremeRat, Cerberus, Cybergate, but we have focused on their used of PIVY in this blog. 8. http://download01.norman.no/whitepapers/Cyberattack_against_Israeli_and_Palestinian_targets.pdf **Yara Signature** This Yara signature can be used to locate signed samples that have the new certificate serial numbers used by Molerats. ----- author = “FireEye Labs” description = “this rule detections code signed with certificates used by the Molerats actor” strings: $cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75} $cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28} $cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d} condition: 1 of ($cert*) } **Samples** 9dff139bbbe476770294fb86f4e156ac 6350d1039742b87b7917a5e26de2c25c b0a9abc76a2b4335074a13939c59bfc9 5b740b4623b2d1049c0036a6aae684b0 9dff139bbbe476770294fb86f4e156ac cf31aea415e7013e85d1687a1c0f5daa 973b5f2a5608d243e7305ee4f9249302 e85fc76362c2e9dc7329fddda8acc89e b05603938a888018d4dcdc551c4be8ac 7084f3a2d63a16a191b7fcb2b19f0e0d 16346b95e6deef9da7fe796c31b9dec4 a8714aac274a18f1724d9702d40030bf d9a7c4a100cfefef995785f707be895c 9ef9a631160b96322010a5238defc673 a60873e364a01870b2010518d05a62df This entry was posted in Threat Intelligence, Threat Research by Nart Villeneuve, Ned Moran and Thoufique Haq. Bookmark the permalink. **← Previous** **Next →** **OCULUS** Overview of Oculus Today's Advanced Cyber Threats Why Don't Traditional Defenses Work? Why FireEye? **THREAT PREVENTION PLATFORMS** NX Series EX Series FX Series Mobile Security AX Series Solutions for Government More Products and Solutions **INFO AND RESOURCES** Info Center Investor Relations Partners News and Events Support About FireEye **CONNECT** Blog Twitter Facebook LinkedIn **877.FIREEYE (877.347.3393)** **REQUEST INFO** Copyright © 2006-­2013 FireEye, Inc. All rights reserved. Privacy & Cookies Policy | Site Map | Site Credits -----