### Under the SEA: A Look at the Syrian Electronic Army's Mobile Tooling

BlackHat Europe 2018, London, England

-----

### Who are we?

Discover, track, disrupt, and understand the context around targeted surveillanceware: Pegasus, ViperRAT, DarkCaracal, StealthMango, and many, many more.

Michael Flossman, Head of Threat Intelligence, @Lookout
Kristin Del Rosso, Security Intelligence Analyst, @Lookout

-----

### Agenda

• Who is the SEA?
• SilverHawk
• Attack Vectors
• Personas & Attribution

-----

### Upgrading Traditional Warfare

(image-only slides)

-----

### Enemies of the Internet 2014

(image-only slide)

-----

### SilverHawk

(image-only slides)

-----

### SilverHawk: Where on the phone did the malware touch you?

App capabilities:

• Record audio
• Attempt to execute attacker-specified commands or a binary
• Stream environment audio over a raw socket when instructed (as root)
• Take photos with the device camera
• Retrieve contacts and related data:
  • Call logs
  • Contacts
  • Text messages
• Retrieve files from external storage:
  • Top directory
  • Downloads, Pictures, DCIM directories
  • WhatsApp, Telegram, Viber, ShareIt content
  • Files sent over Bluetooth*
• Survival counter: stops after repeated failed server connections
• Location, direction, and acceleration of the device
• Remotely updateable C2 IP and port
• Hide icon
• File utility to copy, move, rename, and delete files
• Device information
• Download attacker-specified files
• Retrieve battery levels, WiFi and GPS status, storage and cellular carrier info
• Enumerate installed apps incl. date & time installed

-----

### SilverHawk: Custom Communication Protocol

(image-only slide)

-----

### SilverHawk: Capabilities and Evolution

(image-only slide)

-----

### SilverHawk: The AndroRAT Connection

(side-by-side comparison of SilverHawk and AndroRAT; image-only slide)

-----

### Attack Vectors

(image-only slides)

-----

• Exchange of Prisoners
• Google Earth coordinates of the Lat Party in Calmoun and Weber
• Brigadier General Manaf Tlass heads the General Staff
• Leaks deal system and the Corps of Rahman
• Orient channel - radar program - a military analysis - strategic - Hisham Khreisat
• Homs Talbisse mortar bombardment

• NjRAT
• H-Worm Plus
• Custom .NET Downloader
• DarkComet

-----

### Tying It All Together

-----

### Personas: Piecing together the players involved

• File paths for debugging symbols in .NET binaries
• Metadata in Word files
• Logging statements in Android samples
• Open directories on infrastructure & some C2 domains

-----

### Connected Personas: Domains and PDB file paths

basharalassad1sea.noip.me

c:\Users\Allosh Hacker\Desktop\Application\obj\Debug\Clean Application.pdb
C:\Users\THE3pro\Desktop\fadi+medo\fadi+medo\obj\Debug\medo.pdb
C:\Users\Th3ProSyria\Desktop\cleanPROs\cleanPROs\obj\Debug\NJ.pdb
C:\Users\User\Desktop\THE PRO\SERVER PRO WEB\SERVER PRO WEB\obj\x86\Release\SERVER PRO WEB.pdb
c:\Users\Abo Ala\Desktop\blow\blofish\blofish\obj\Debug\blofish.pdb
c:\users\abo moaaz\documents\visual studio 2012\Projects\System\System\obj\Debug\System.pdb
c:\Users\Abo Ala\Desktop\newhas\new\new\obj\Debug\@new.pdb

Handles: Khattap, Abo Omar, Medo, CoDeR

-----

### Connected Personas

Charged and indicted with criminal conspiracy relating to:

• engaging in a hoax regarding a terrorist attack
• attempting to cause mutiny of the U.S. armed forces
• illicit possession of authentication features
• access device fraud
• unauthorized access to, and damage of, computers
• unlawful access to stored communications

-----

### Connected Personas: Metadata and Logging Statements

(image-only slide)

-----

Allosh Hacker
• Known to use the same desktop and mobile tools
• Infra has been the same /24
• EFF & CL report tied to SEA

Ahmed Al Agha
• "Th3Pro" / "The3Pro"
• SEA Special Operations Division
• FBI wanted list

Anonymous.1.sy
• Handle leaked from earlier infrastructure
• Leak included SEA affiliation

Zeko
• Author on watering hole site
• Same handle present on hacker forum with submissions

Medo
• Referenced in .NET binaries, Word Doc lures, and on pastebin

CoDeR, Raddex, Khattap, Abo Ala, Abo Moaaz, Fadi Medo
• Handle in APK logging statements
• Previously listed as author on watering hole

-----

### Research Shout Outs

360 Threat Intelligence
• https://ti.360.net/blog/articles/analysis-of-apt-c-27/
• https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/

Kaspersky Labs
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08074802/KL_report_syrian_malware.pdf
• https://securelist.com/the-syrian-malware-house-of-cards/66051/

FireEye
• https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html

EFF
• https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns

Citizen Lab
• https://citizenlab.ca/2014/12/malware-attack-targeting-syrian-isis-critics/
• https://issuu.com/citizenlab/docs/maliciously_repackaged_psiphon

-----

### Key Takeaways

• SEA connected to a long-running campaign using SilverHawk & AndroRAT
• Group still active and using multiplatform tools in their attacks
• New personas associated with the SEA
• Low barrier to entry for offensive mobile tooling

-----

### Contact Us

Michael Flossman, @terminalrift
Kristin Del Rosso, @kristindelrosso
Email: threatintel@lookout.com

-----

### Thank you!

Questions?

Note: All security research conducted by Lookout employees is performed according to the Computer Fraud and Abuse Act (CFAA) of 1986. As such, analysis of adversary infrastructure and the retrieval of any exposed data is limited to only that which is publicly accessible. Any sensitive information obtained during this process, such as usernames or passwords, is never used in any authentication-based situations where its use would grant access to services or systems.

-----
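The "Connected Personas: Domains and PDB file paths" slide rests on one analyst technique: the Visual Studio linker embeds the full build-machine path of the .pdb file in a CodeView "RSDS" record, so the Windows profile name under `C:\Users\` leaks the operator's handle, and samples can be clustered by who compiled them. The following Python is an added example (not Lookout's tooling and not code from the deck) that pulls RSDS records out of raw bytes and groups the slide's own PDB paths by username. The record layout (`RSDS`, 16-byte GUID, 32-bit age, NUL-terminated path) is the standard CodeView format; the byte blob and its GUID are constructed here for the demonstration and stand in for a real .NET binary.

```python
import re
import struct
import uuid
from collections import defaultdict
from typing import Dict, List, Optional

# PDB paths exactly as quoted on the "Connected Personas" slide.
PDB_PATHS = [
    r"c:\Users\Allosh Hacker\Desktop\Application\obj\Debug\Clean Application.pdb",
    r"C:\Users\THE3pro\Desktop\fadi+medo\fadi+medo\obj\Debug\medo.pdb",
    r"C:\Users\Th3ProSyria\Desktop\cleanPROs\cleanPROs\obj\Debug\NJ.pdb",
    r"C:\Users\User\Desktop\THE PRO\SERVER PRO WEB\SERVER PRO WEB\obj\x86\Release\SERVER PRO WEB.pdb",
    r"c:\Users\Abo Ala\Desktop\blow\blofish\blofish\obj\Debug\blofish.pdb",
    r"c:\users\abo moaaz\documents\visual studio 2012\Projects\System\System\obj\Debug\System.pdb",
    r"c:\Users\Abo Ala\Desktop\newhas\new\new\obj\Debug\@new.pdb",
]

# CodeView RSDS record written by the Visual Studio linker:
#   'RSDS' | 16-byte GUID | uint32 age | NUL-terminated PDB path
# A raw byte scan finds it without parsing the PE debug directory.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)

def extract_rsds_records(blob: bytes) -> List[Dict[str, object]]:
    """Return every RSDS record found in the blob as guid/age/pdb_path dicts."""
    records = []
    for m in RSDS_RE.finditer(blob):
        records.append({
            "guid": str(uuid.UUID(bytes_le=m.group(1))),
            "age": struct.unpack("<I", m.group(2))[0],
            "pdb_path": m.group(3).decode("ascii"),
        })
    return records

# Profile directory in the build path; case-insensitive because the slide
# shows both "C:\Users" and "c:\users".
USER_RE = re.compile(r"^[a-z]:\\users\\([^\\]+)\\", re.IGNORECASE)
# Default account names carry no attribution signal on their own.
GENERIC_USERS = {"user", "admin", "administrator"}

def windows_username(pdb_path: str) -> Optional[str]:
    """Username component of a C:\\Users\\<name>\\... build path, or None."""
    m = USER_RE.match(pdb_path)
    return m.group(1) if m else None

def project_name(pdb_path: str) -> str:
    """Final path component without the .pdb extension."""
    name = pdb_path.rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".pdb") else name

def cluster_by_username(paths: List[str]) -> Dict[str, List[str]]:
    """Group project names by lower-cased build-machine username."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        user = windows_username(p)
        key = user.lower() if user else "<no user dir>"
        clusters[key].append(project_name(p))
    return dict(clusters)

def attribution_handles(clusters: Dict[str, List[str]]) -> List[str]:
    """Usernames worth pivoting on: drop generic accounts and non-profile paths."""
    return sorted(k for k in clusters if k not in GENERIC_USERS and not k.startswith("<"))

SAMPLE_GUID = "12345678-1234-5678-1234-567812345678"  # constructed, not from any sample

def build_sample_blob() -> bytes:
    """Constructed stand-in for a compiled .NET binary: junk, one RSDS record, junk."""
    rec = (b"RSDS" + uuid.UUID(SAMPLE_GUID).bytes_le + struct.pack("<I", 1)
           + PDB_PATHS[1].encode("ascii") + b"\x00")
    return b"MZ" + b"\x00" * 30 + rec + b"\xff" * 16

if __name__ == "__main__":
    for r in extract_rsds_records(build_sample_blob()):
        print(f"RSDS guid={r['guid']} age={r['age']} pdb={r['pdb_path']}")
    clusters = cluster_by_username(PDB_PATHS)
    for user, projects in clusters.items():
        print(f"{user:>14}: {', '.join(projects)}")
    print("handles worth pivoting on:", attribution_handles(clusters))
```

Run against the slide's seven paths, the clustering puts `blofish` and `@new` under the same "abo ala" account and separates "the3pro" from "th3prosyria" even though the deck links both to one handle; that last step (merging spelling variants) is analyst judgement, which is why the script only surfaces candidate handles rather than asserting identity. The `GENERIC_USERS` filter keeps the `C:\Users\User\...` path from being treated as a persona.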