# CYBER ADVISORY ## SNAKEMACKEREL: Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets ----- Main Topic from Title Page ### SUMMARY This report details iDefense's analysis of a macro-enabled Microsoft Corp. Word document found in the wild that is likely associated with the SNAKEMACKEREL threat group. iDefense assesses with moderate confidence that the actors may be targeting attendees and sponsors of the upcoming Underwater Defence & Security 2019 event occurring March 5-7, 2019, in Southampton, United Kingdom.[1] This event draws attendees from government, military and private sector entities across the globe, allowing this global event to represent a unique opportunity for SNAKEMACKEREL actors to conduct targeted intrusion operations against a wide array of organizations falling under its collection requirements. ### OVERALL ANALYSIS #### Intended Audience This Intelligence Alert (IA) is intended to better inform decision makers operating in targeted regions and verticals; such decisionmakers include security operations center (SOC) and intelligence analysts, security engineers and senior leadership. #### How to Use This Intelligence This Intelligence Alert (IA) is intended to provide technical information about SNAKEMACKEREL threat activity to help cybersecurity professionals better understand its threat behavior and help identify indicators of compromise (IoCs). SOC and intelligence analysts may use the information provided in this report for hunting activities, such as infrastructure enumeration and malware analysis. Additionally, security engineers may use this information to create or add to existing capabilities to detect suspicious network activity that may indicate initial compromise by and lateral movement of the adversary. Finally, management and executive leadership may use this information to assess the risk associated with the threat described herein to make operational and policy decisions. The information and suggested actions in this IA, however, are general in nature and do not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. #### How This Intelligence Helps Address Existing or Potential Threats Understanding SNAKEMACKEREL tactics, techniques and procedures (TTPs) may help to detect initial compromise and could prevent the spread of malware, ransomware or other threats throughout a company's internal network. #### Key Assessment and Findings - Defense analysts recently discovered a macro-enabled Microsoft Word document that appears to reference the Underwater Defence & Security 2019 event, which is scheduled to occur March 5-7, 2019, in Southampton, United Kingdom. The specific venue for the event is the Ageas Hilton hotel. 1 [http://www.underwater-defence-security.com/.](http://www.underwater-defence-security.com/) ----- Main Topic from Title Page - According to the event website, this is a three-day global event focused on how NATO members and affiliated nation states can respond to sea-based threats, including what role manned, unmanned and autonomous systems can be effectively used to conduct dangerous mission operations.[2] - The document is used to drop a DLL file that is believed to be a version of SedUploader, a first-stage reconnaissance tool thought to be developed and used by SNAKEMACKEREL actors. - At this time, based on analysis of available malware samples, in addition to the observed TTPs used by the actors behind this Word document, iDefense has high confidence that this activity is associated with the SNAKEMACKEREL threat group. - This report is intended to provide early indication and warning (I&W) notice to public and private sector organizations sponsoring or attending this event, as it represents a unique opportunity for this adversary to conduct targeted attacks against entities aligned with what appears to be its collection requirements. ### MALWARE ANALYSIS Exhibits 1 and 2 show images of the content within the macro-enabled Microsoft Word document, which has a filename of “UDS 2019 Current Agenda.doc.”[3] **_Exhibit 1: Image within "UDS 2019 Current Agenda.doc"_** 2 [http://www.underwater-defence-security.com/.](http://www.underwater-defence-security.com/) 3 Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. Accenture disclaims any proprietary interest in the marks and names of third-party companies. ----- Main Topic from Title Page **_Exhibit 2: Image within "UDS 2019 Current Agenda.doc"_** The following are the properties of this Word file: - **MD5: f8a778d21003098075c9aef8ed58c6c3** - **Filename: UDS 2019 Current Agenda.doc** - **File Type: MS Word Document** - **Creation Date Stamp: 2018-12-11 14:17:00 (December 11, 2018, 2:17 p.m.)** - **Last Saved Date Stamp: 2018-12-12 20:30:00 (December 12, 2018, 8:30 p.m.)** Based upon iDefense analysis, it appears that SNAKEMACKEREL actors stole content for the lure document directly from the following link, which hosts the official conference agenda for 2019: - [http://www.underwater-defence-security.com/files/agenda13.pdf?version=1.0](http://www.underwater-defence-security.com/files/agenda13.pdf?version=1.0) The document writes two files, which are identical, shown in Exhibit 3. ----- Main Topic from Title Page **_Exhibit 3: Macro Code That Drops SedUploader and Illustrates Document's Two Identical Files_** This DLL file has the following properties: - **MD5: ebdc6098c733b23e99daa60e55cf858b** - **Filename: adobe.dll or clnb.dat** - **Compiler/Packer: Borland Delphi 3.0** - **Compilation Date Stamp: 2018-12-07 20:49:45 (December 7, 2018, 8:49:45 p.m.)** The macro-based document then executes the clnb.dat file (which is actually a DLL) using rundll32 and calling the first export. Last, it sets the registry key shown below for persistence; this key will start adobe.dll with the same export upon system reboot: - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeAcrobat Exhibit 4 shows an example of this macro code. **_Exhibit 4: Macro Code that Executes the Malware and Creates Registry Key_** ----- Main Topic from Title Page #### Adobe.dll This DLL file, which is identical to clnb.dat, is believed to be a variant of the SedUploader malware. It sends command-and-control (C2) communications to photopoststories[.]com, as shown in Exhibit 5. **_Exhibit 5: Example Connection to C2 Server (values redacted)_** **XOR Encryption** Throughout the execution of this DLL, a method is called that decodes XOR-encoded strings that are hardcoded into the malware. This code uses the following XOR key, as shown in Exhibits 6 and 7: - 0x5F31215E6C247774693A161E13030A0A0F ----- Main Topic from Title Page **_Exhibit 6: XOR Decoding Routine in Executable_** ----- Main Topic from Title Page **_Exhibit 7: XOR Key Hardcoded into Executable_** **Mutex** The mutex is one of the strings that is hardcoded into the malware and decrypted using the XOR encryption routine referenced previously, as shown in Exhibits 8-10. **_Exhibit 8: Example of Mutex after Decoding_** ----- Main Topic from Title Page **_Exhibit 9: Code within Executable That Sets Mutex_** ----- Main Topic from Title Page **_Exhibit 10: Mutex Hardcoded in Executable_** #### Infrastructure Enumeration Based upon available WhoIs data, SNAKEMACKEREL appears to have created the C2 server photopoststories[.]com on December 7, 2018. iDefense analysts also observed another domain (proposalprogram[.]com) hosted on the same IP address (185.86.150.193); this domain was listed as the aforementioned C2 server for which clients were advised to proactively monitor network activity, although iDefense did not observe any malicious content being hosted on this site as of December 21, 2018. The SLL certificate (e979d63a80f96ec06e7308541713d201813927a6) issued for the C2 server also appears to be new; it was first observed on December 7, 2018. Exhibit 11 shows more information for this SLL certificate. **_Exhibit 11: SLL Certificate Information_** ----- Main Topic from Title Page ### GEOPOLITICAL ANALYSIS The Word document was uploaded to a third-party anti-virus vendor on December 20, 2018, by an unknown entity likely based in Macedonia. This observation is notable, as Macedonia is currently pending admission to NATO as its thirtieth member; this admission is expected to become official sometime in 2020. This activity aligns with prior SNAKEMACKEREL threat activity, as the group allegedly targeted government officials in Montenegro back in 2017 prior to that country's accession to NATO. iDefense analysts note that this event draws attendees from government, military, and private sector entities across the globe, including those located in the US, Western and Eastern Europe, Middle East and Asia-Pacific regions. As such, this global event represents a unique opportunity for SNAKEMACKEREL actors to conduct targeted intrusion operations against a wide array of organizations falling under what appear to be its collection requirements. Exhibit 12 provides a brief synopsis of the conference agenda, which appears to emphasize the need for NATO members and affiliate nation states to improve naval capabilities (e.g. fleets and submarines) to address increasing global instability. **_Exhibit 12: Conference Agenda Synopsis[4]_** This agenda would likely be of high interest to Russian intelligence agencies for several reasons: It may provide them with detailed information on how NATO members and its allies plan to develop new underseas capabilities to counter Russia's continued focus on new, stealth classes of submarines. It may provide them with detailed information on new technologies that could be reverse engineered and implemented into their current and future classes of submarines, some of which have the capability to launch nuclear-powered ballistic missiles. ### CONCLUSION At this time, iDefense has high confidence that this activity is associated with the SNAKEMACKEREL threat group. iDefense analysts will continue to monitor for new activity related to this global event and will provide additional updates as necessary. 4 [http://www.underwater-defence-security.com/conference-agenda.php.](http://www.underwater-defence-security.com/conference-agenda.php) ----- Main Topic from Title Page #### Mitigation iDefense suggests monitoring for and blocking network traffic to the following domains: - photopoststories[.]com - mail.photopoststories[.]com - proposalprogram[.]com - smtp.proposalprogram[.]com Additionally, iDefense suggests monitoring for and blocking the following file hashes: - f8a778d21003098075c9aef8ed58c6c3 - ebdc6098c733b23e99daa60e55cf858b Finally, where the ability exists, iDefense suggests hunting for the following malicious artifacts that are likely associated with the SedUploader malware: - A file named clnb.dat located in Users\Administrator\AppData\Local\Temp - A file named adobe.dll located in C:\ProgramData - The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeAcrobat - The mutex vBQA5vjd0gKHLwQyJK86NhVS The information and suggested actions in this IA are general in nature and do not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. **_LEGAL NOTICE AND DISCLAIMER: This document is produced by consultants at Accenture as general_** _guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further_ _details on any matters referred to, please contact your Accenture representative._ _Given the inherent nature of threat intelligence, the content contained in this alert is based on information_ _gathered and understood at the time of its creation. It is subject to change. The information in this report is_ _general in nature and does not take into account the specific needs of your IT ecosystem and network, which_ _may vary and require unique action. You should independently assess your specific needs in deciding to use any of_ _the tools mentioned._ _As such, all information and content set out is provided on an “as-is” basis without representation or warranty_ _and the reader is responsible for determining whether or not to follow any of the suggestions, recommendations_ _or potential mitigations set out in this report, entirely at their own discretion. Accenture accepts no liability for_ _any action or failure to act in response to the information contained or referenced in this alert._ ----- Main Topic from Title Page Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report. Copyright © 2019 Accenture All rights reserved. -----