###### January, 2022 ## The link between Kwampirs (Orangeworm) and Shamoon APTs ----- ###### 2 ###### EXECUTIVE SUMMARY The linkage between Kwampirs and Shamoon ##### 1. Executive summary ###### Cylera Labs researchers discovered, documented, and publicly presented our findings on the code similarities between the threat actor group “Orangeworm’’ and their ”Kwampirs’’ malware as compared to “Shamoon”, at the XIII STIC conference held in Madrid in December, 2019. Pablo Rincon Crespo, Cylera’s Vice President of Cybersecurity, and a researcher himself, led the presentation. Cylera was the first to present this linkage with code artifacts. Following the conference, during the first three months of 2020, the FBI released three Private Industry Notifications (PINs) in three consecutive months: January 6, February 5, and March 30, 2020. These PINs coincided with the escalation of tension between the United States and Iran, described heightened Kwampirs activity and also noted similarities with Shamoon. These PINs added that Kwampirs was being used against industrial control systems (ICS), aligning with the latest targets of Iranian APTs. In previous incidents, Shamoon was used against petrochemical companies like Saudi Aramco (August 2012), Rasgas (November 2012), and later Saudi Arabia Energy Sector, GACA and Central Bank (November 2016), Saipem (December 2018). US officials and security experts believe that Shamoon was first operated by an Iranian group known as the “Cutting Sword of Justice.” Shamoon is believed to be inspired by a malware that was first deployed against the Iranian oil industry (April 2012) and dubbed “Wiper” by its own authors. Orangeworm’s activity using Kwampirs malware is believed to have started as early as January 2015, and it had already infected hospitals and supply chains in 2018, as first reported by Symantec. The scope of the targeted attacks spanned healthcare and supply chains in more than 25 countries, across Asia, Europe, and the United States. With the FBI PINs information, Kwampirs also has been demonstrated against ICS in industries vital to everyday life. INDEX ----- ###### 3 ###### EXECUTIVE SUMMARY ###### The linkage between Kwampirs and Shamoon ###### The actors also used Kwampirs malware against medical equipment manufacturers and IT solution providers, as well as other supply chains globally. Symantec attributed the attacks to industrial espionage and did not find any indicator pointing to government-sponsored operators financing the attacks. However, after two further years of research, Cylera Labs assess with medium-high confidence that the threat actors developing Kwampirs are the same as Shamoon, suspected to be Iranian state-backed. This is a critical association for healthcare organizations and other industries around the world to understand. The initial findings presented in 2019 made it unavoidable to consider the strong relation between Shamoon threat actors and the Orangeworm APT behind the healthcare attacks. However, our researchers endeavored to find additional evidence to help determine whether the similarities were due to the campaigns being the work of a single group or if the similarities were due to code reuse between separate groups, as a result of stolen, reverse engineered, shared, or repurposed source code. INDEX ###### The technical research focused first on comparing Kwampirs code with multiple malware families, looking for shared code or coding similarities. During this initial investigation, the relationship to Shamoon was first identified and explored. Subsequently, we performed a comparative binary analysis of the malware artifacts of both families over time, which uncovered: The initial similarities between the two families Parallel updates between the two families and apparent bidirectional exchange between their creators A shared template-based system not previously recognized in either family Focus was also put on analysis of campaign infrastructure, which included extracting C2 servers from all the samples collected, and also mapping active C2 servers through mass scanning and DGA brute forcing. This mapping enabled the examination of C2 server contents, exploiting open directory listing vulnerabilities, and sinkholing multiple campaigns to learn more about victim distribution. Using infected system information gathered by sinkholing Kwampirs C2 domains, and Cylera’s knowledgebase of IoT & medical device characteristics, the researchers determined that infected machines likely included, among others, medical imaging machines from at least two prominent medical device manufacturers including CT, MRI, X-ray, and ultrasound machines, medication dispensing stations, clinical information kiosks, and laboratory information systems. The analysis has led Cylera researchers to conclude with high confidence that there is a connection between the Shamoon and Kwampirs actors, and also conclude with medium- high confidence that there was a single group responsible for both families and campaigns. Given the commonly accepted attribution of the Shamoon attacks to state-backed Iranian APT groups, the latter conclusion would imply that they were also responsible for Kwampirs. If true, this would be the first publicly known case of a state-backed actor targeting healthcare supply chains and delivery organizations, a worrying extension of state actors’ traditional targeting of critical infrastructure of foreign adversaries. The full research report aims to detail Cylera’s initial findings, the relation between Kwampirs and Shamoon, and more importantly it discloses all the additional findings discovered since the initial presentation of December 2019. Attribution is a really complex task, but Cylera Labs concludes with high confidence that Kwampirs is linked to the Shamoon malware family and most likely, with medium-high confidence, to the same threat actors as the Shamoon 2 and 3 campaigns, which appear to be no different from Shamoon 1. ###### cylera com ----- ###### 1. Executive summary. 2 2. Table of contents. 4 3. Background. 5 3.1 About Kwampirs. 5 3.2 About Shamoon. 5 3.3 About Cylera labs research. 5 4. Scope. 6 5. Analysis sections. 7 5.1 Components overview. 7 5.1.1 A walkthrough on the dropper differences. 8 5.1.2 Timestamp modifications. 10 5.1.3 Propagation implementation. 11 Address generation. 11 Infection function. 12 Minor similarities. 13 Minor differences. 13 5.1.4 C2 communication. 14 C2 selection. 14 Host information. 15 Shamoon 1. 15 Kwampirs and Shamoon 2 & 3. 16 C2 requests. 22 C2 responses. 23 Example: Kwampirs auxiliary module. 23 5.1.5 Artifact similarities. 25 File metadata. 25 Kwampirs dropper. 25 Shamoon dropper. 25 5.1.6 Rich headers. 27 5.2 Common template system exposed (Builder). 28 5.3 Kwampirs C2 infrastructure. 31 5.4.1 Web server contents. 31 5.4.2 Modification timestamps. 33 5.4.3 Exposed logs. 34 5.4.4 Sinkhole domains. 34 ###### 5.4 Indicators of co-evolution. 35 5.4.1 Ambiguous ancestry. 36 5.4.2 The missing link (886e7). 37 5.4.3 Differential analysis of the reporters. 40 Shamoon 1. 41 “886e7” (aka, the Kwampirs fork initial commit). 42 “886e7” reporter 1 (PKCS12). 42 “886e7” reporter 2 (PKCS7). 43 Campaign 0. 44 Lost sample between campaigns 0 and 1. 48 Campaign 1. 48 Campaigns E and F followed by the others 53 (A, B, C, D..). Shamoon 2. 55 5.5 Shamoon usage. 58 5.6 Regarding Shamoon open source projects. 59 5.7 From Kwampirs to Shamoon 2. 60 6. Attribution 64 6.1 Connecting the dots. 64 6.1.1 Kwampirs is based on Shamoon 1. 64 6.1.2 Shamoon 2 is based on Kwampirs. 64 6.1.3 Direct relationship between the 65 Kwampirs and Shamoon actors. 6.1.4 A single actor is responsible for 65 Kwampirs and Shamoon. 6.2 Other indicators and speculations. 66 6.2.1 OilRig/APT34/Helix kitten. 66 6.2.2 “Ansar group”. 69 6.2.3 A strange match. 70 7. Conclusion. 72 8. Acknowledgments. 73 9. About Cylera. 74 #### 2. Table of # contents ----- ###### 5 ###### BACKGROUND ###### The linkage between Kwampirs and Shamoon ##### 3. Background ###### 3.1 About Kwampirs Kwampirs is a modular malware family with reconnaissance-focused functionality created by a group dubbed Orangeworm. The malware and group were first discovered by Symantec researchers and publicly disclosed in their April 2018 report, which discussed technical details and victimology but did not find any strong evidence of the group’s motivation or identity. Orangeworm has affected the healthcare sector through direct attacks against healthcare providers and attacks targeting the global healthcare supply chain. Machines infected with Kwampirs malware included medical devices in active use by affected healthcare providers, such as CT/MRI acquisition stations, the systems of the manufacturers that produce such devices, and systems of logistics organizations that deliver healthcare products. The campaigns have affected hospitals and companies in more than 27 countries, including the United States, India, Saudi Arabia, Philippines, Germany, Hungary, the United Kingdom, and Hong Kong, among others. Telemetry gathered by sinkholes setup by Cylera researchers have shown a heavy weight towards Saudi victims in at least some campaigns. New campaigns have typically emerged each year from 2015 to 2020, containing new lists of C2 servers and often assorted updates to the malware. FBI alerts in 2020 described heightened recent activity that has maintained healthcare as a target while expanding into other industries, including components of national critical infrastructure such as the energy sector. Orangeworm activity was first observed in January 2015, almost three years after the first Shamoon attack. 3.2 About Shamoon Shamoon, also known as DistTrack, is a highly destructive malware family used in cyber warfare operations since 2012, often against targets in the Middle East, with a focus on Saudi Arabia. The main targets have been in the Energy sector, particularly oil and gas, but more recent campaigns using Shamoon variants have been observed against a broader range of industries. Shamoon’s first campaign targeted Saudi Aramco in August 2012 and was said to be “the biggest hack in history” at the time, wiping more than 30,000 workstations and 2,000 servers and forcing the company to interrupt oil production. It could sound exaggerated, but given that they had to stop oil production for more than a month, economically speaking it is still one of the biggest. This attack has been publicly attributed to APT33 (aka Elfin), a group that was linked to the Iranian government by FireEye researchers in 2018, with the help of Magic Hound. INDEX ###### cylera com ###### In February 2016, Frank J. Cilluffo, Director, McCrary Institute for Cyber & Critical Infrastructure Security, declared in the US House of Representatives that Iran and his proxy Cyber Hezbollah was linked to the Saudi Aramco and RasGas attacks. Leaked documents from US intelligence agencies from April 2013 also state that Iran was linked to the Shamoon 1 attacks. Updated versions of Shamoon have since emerged, Shamoon 2 in 2016 and Shamoon 3 in 2018. They have been observed in attacks against a variety of targets, including GACA and other Saudi Arabia organizations in late 2016 and Italian oil and gas contractor Saipem in December 2018, always with the same destructive end goal. Additional wiper malware families, such as Zerocleare and Dustman, that have since emerged are commonly believed to be related to Shamoon and created by the same actor. Multiple reports suggest that Shamoon 2 and 3 campaigns were executed by a set of Iranian APT groups. Reports about Shamoon 2 campaigns and Magic Hound/Shamoon, McAfee reports and Vectra reports mention that ISMDoor (a known malware family previously used by Iranian groups) was used to steal credentials. Later, the threat actors deployed Shamoon 2 malware from the hosts they accessed with the stolen credentials. The Magic Hound group is also linked by toolset with Greenbug, OilRig/APT34 and Rocket Kitten/APT35/NewsBeef by infrastructure overlap. Shamoon is also linked to APT33/Elfin/Refined Kitten by Kaspersky. Clearsky assesses with medium confidence that APT33 and APT34 have been collaborating since at least 2017 in their recent “Fox Kitten“ report. APT33 targeted a variety of sectors including petrochemical, financial, critical infrastructure aerospace, defense, aviation, and other critical infrastructures like healthcare, also in Saudi Arabia institutions, which is also seen in a handful of related Iranian APT groups (Operation Cleaver, MagicHound/APT35, and APT39/Chafer/Cadelle). Some of the members of these groups were exposed previously in multiple leaks (and http://t.me/lab_dookhtegan) and reports, suggesting a link between members participating in Shamoon and other wipers like StoneDrill, with the Kavosh Security Group and the Nasr Institute. 3.3 About Cylera Labs research Pablo Rincon released Cylera Labs’ analysis and first findings of Kwampirs and its relation to Shamoon in December 2019 in a talk given at the XIII STIC conference held in Madrid (video, slides). Cylera researchers were cautious about attribution as they consider that even strong code similarities doesn’t imply the same developers. Code could have been stolen, reverse engineered, shared, or repurposed. Our researchers continued to meticulously analyze the evolution of both families to try to determine what had really happened. Beginning in January 2020, the FBI released a series of three advisories warning of usage of Kwampirs against supply chains and the healthcare industry, and warning of the potential ties to Shamoon, in three consecutive months: January 6, February 5, and March 30, 2020. ----- ###### 6 ###### SCOPE ###### The linkage between Kwampirs and Shamoon ##### 4. Scope ###### This document will focus on the technical evidence that links Kwampirs, the malware used by Orangeworm, to the Shamoon malware family, as well as the relation of the threat actors using them. As an added challenge, there are samples of Shamoon that have been reverse engineered and open sourced by researchers, like open-Shamoon, that increase the difficulty of attribution. Cylera researchers analyzed a representative set of these samples and found multiple pieces of evidence that would invalidate the association of open-source versions to the focused sample set of this paper. The final sections of this document discuss the potential implications pertaining to attribution. This paper consists primarily of technical analysis of TTPs (Tools, Tactics and Procedures) observed in the Kwampirs and Shamoon campaigns, including strong similarities in code, toolset and structure, with additional discussion of auxiliary non-technical similarities at the end. During this investigation Cylera Labs has conducted the following main analysis milestones: meticulously gathered and analyzed Kwampirs and Shamoon malware artifacts publicly available identified multiple campaigns and versions of Kwampirs (which was also done by Reversing Labs) and analyzed their evolution by distinguishing code changes meticulously analyzed what, in software programming, would be very likely “the commit history” comparing both malware families, realizing that Kwampirs is based on Shamoon 1, but Shamoon 2 and 3 reporter components seem to be based in the Kwampirs reporter component, which may be evidence that both families belong to the same chain of development efforts analyzed Kwampirs infrastructure, domain registration information, and IPs listed as C2 of all the campaigns found an active command and control server back in November 2018 and extracted connection logs from victims sinkholed multiple domains corresponding to different campaigns to understand their victimology and identified some of their targets identified custom auxiliary tools used in common between both malware families (the Builder and Template system). INDEX ###### cylera com ###### Cylera researchers did not have contact with affected organizations and therefore did not conduct any form of forensic analysis or observe the full lifecycle of the Kwampirs attacks. The research outlined in this paper was performed strictly using public IOCs and OSINT. Cylera encourages entities affected by Orangeworm, as well as investigators, to contact Cylera for collaboration and assistance. The research entailed technical analysis of multiple Kwampirs and Shamoon samples, most of them downloaded from VirusTotal and Hybrid Analysis. If not specifically indicated, the referenced samples will correspond to the hashes listed in Table 1. ###### f8022b973900c783fd861ede7d0ac02f665c041b9cd0641be7318999fb82ce8f ###### Kwampirs Dropper ###### 4f94d67c9da7e340b258e26dee7269c89f1e7c2c2625a96073adeec794541e66 ###### Kwampirs Reporter ###### 4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400 ###### Shamoon Dropper ###### 7dad0b3b3b7dd72490d3f56f0a0b1403844bb05ce2499ef98a28684fbccc07b4 ###### Shamoon Reporter ###### 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 ###### Shamoon 2 Reporter ###### Table 1: hashes of the default samples analyzed Other hashes will be indicated in some sections, where special details need to be pointed out. Researchers may also refer to the sample with the corresponding hash of “886e7271b1a0b0b6c8b2a180c2f34b1d08d899b1e4f806037a3c15feee604d7b” as its prefix string “886e7” or just “886”. ----- ###### 7 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ##### 5. Analysis Sections ###### 5.1 Components overview Here is a walkthrough of the two families focusing on their similarities in key components and features. Like many malware families, Shamoon and Kwampirs each consist of a “dropper” that is responsible for dropping components hidden in the binary’s resources onto the target system. The resources dropped by each family are: ###### Shamoon A reporter component that communicates with the C2 to send system information and download new modules A wiper component that is carried with a driver A 64-bit version bundle of all the previously mentioned components ###### Kwampirs A reporter component that communicates with the C2 to send system information and download new modules, capable of working in 32-bit and 64-bit architectures. ###### The two families share a similar general structure, though the structure itself is particularly unique. Kwampirs exhibits a simpler design, based on the number of components dropped relative to Shamoon. This is likely a reflection of the difference in intended purpose of the campaigns for each respective family. Each family’s handling of the reporter component, which exists in some form within the resource container of each family, seems to exhibit general alignment in functionality but differences in specific implementation: Shamoon stores its reporter payload as named resource PKCS7 while Kwampirs stores its reporter payload as resource ID 101 Both use XOR-based encryption on the report payloads contained within their resource containers, a common and not particularly noteworthy technique Kwampirs further obfuscates the payload by hiding its reporter within a BMP file after a sequence of valid image rows at the beginning of the file, a technique that has been seen in other campaigns and families (such as certain Lazarus campaigns). A resulting image can be seen at Figure 2. Shamoon’s reporter component is an executable (.exe), while Kwampirs’ is a DLL Figure 2: Example of a resource image contained in a Kwampirs ‘dropper’, looking like broken, but hiding the “XORed” ‘reporter’ DLL using steganography ###### The following diagram (figure 1) shows the various dropped components, with components present in only Shamoon displayed semi-transparently. Shamoon Worm/Dropper **Drops from resources** **Drops from resources** **Drops from resources** 64bit Shamoon Worm/Dropper wiper exe **Report/Request Modules** “Reporter” netinit.exe **Driver** C2 **Encrypted response** module filer.exe wiper drdisk.sys ###### Figure 1: Shamoon/Kwampirs diagram of dropped components. INDEX ###### cylera com ----- ###### 8 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.1.1 A walkthrough on the dropper differences In this section, some explanations about the general architecture differences and main execution flows of both families will be covered to understand how they differ between each other, and how the refactor -- or component reuse -- was probably done. Kwampirs garbage string handling can be seen in Figure 3. Figure 3: Kwampirs handling garbage strings. An example of a Kwampirs garbage string value can be found in Snippet 1. ###### “kijjjjnsnjbnncbknbkjadc\r\nkjsdjbhjsdbhfcbsjkhdf jhg jkhg hjk hjk \r\n slkdfjkhsbdfjbsdf \r\n klsjdfjhsdkufskjdfh \r\n” ###### As an introduction, the two families share a common behavior involving a “std::basic_ streambuf” type containing what appears to be garbage strings of characters, maybe for breaking Antivirus patterns based on them. This behavior of adding garbage strings has been seen before in OilRig/APT34 campaigns (search “jgvchhctf” at this report). The strings do not appear to be truly randomly generated but instead look as if the author had smashed their keyboard almost without control. Both families include the familiar escape character sequences of “\r\n” that separate them into multiple lines. As a side effect, when both binaries are executed by a user, they will only see the output of these printed strings, as if the execution had failed because the file was somehow corrupted. Shamoon garbage string handling can be found in Figure 4. Figure 4: Shamoon handling garbage strings. A sample of Shamoon garbage string value can be found in Snippet 2: ###### “Dfhghdfghwetyertdfgd\n\n\r\n Jh;jgdsaf;jkfdsa\r\n ytiirukghktuutyutyutry;\t zKJYERHHF;dsfKKKKK\r\nrtyrty\r\n” ###### Snippet 2: Shamoon garbage string value ###### Snippet 1: Kwampirs garbage string value INDEX ###### cylera com ----- ###### 9 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### When the droppers are executed they will print the garbage strings to the screen using “xsputn()” if certain conditions -- such as a comparison against the trigger date for Shamoon or if the target platform is supported as well as the OS version (in the case of Kwampirs) -- are satisfied. This may be done to make the user believe that the executable is broken. Assuming this purpose, it is somewhat interesting that the strings are different between the two families, but still seemingly generated in the same manner. So just keep in mind that Kwampirs main function contains these strange strings. Turns out this behavior has been present in many campaigns, including Shamoon and Kwampirs campaigns, and the place (the functions) where this code exists, seems to be a good reference for understanding how the “refactor” between the two families was performed This will be explained a bit later. Here is the walkthrough to reach Kwampirs “main” function inside Shamoons v1 dropper. In Shamoon the “main” function does three things: It fetches the reference time attributes of a legitimate Windows file It checks the architecture of the system It attempts to start the service If the architecture is 64-bits, it will drop the resource X509, the 64-bit version of the dropper, and update the service If the architecture is 32-bits, it will attempt to start the service by calling StartServiceControlDispatcher(). If this fails it issues an explicit call to the main function of the service and tweaks the service status and controls (0x00405B50) The main function of the service behaves differently based on the arguments used in the invocation of the binary. The general purpose of the function is to orchestrate how the persistence modules behave and what runmode is pretended for execution. Multiple calls can be issued to the same binary with different arguments to invoke different code paths or execution flows. It can: Run the persistence thread and spreader process Perform local host infection Run only the propagation module Try to infect a specific list of IP addresses INDEX ###### Some of these options may indicate that the binary was meant to be sometimes executed manually, i.e. with a list of main servers connected to other subnets that should be targeted first for fast propagation. In the case of the default execution path, the executable will start a persistence thread then execute an interruptible loop that checks the “final activation” date of Shamoon’s destructive payload (which is either the hardcoded Aug 15, 2012 date or a date extracted from the file modification time attribute of netft429.pnf). When this date is reached, the execution flow will call the function 0x004056B2, which will print the previously discussed garbage strings, drop PKCS12, load the burning flag “image12767” and so on. In Kwampirs, the main entry point is at 0x00CE44C0 and looks like a mixture of the code Shamoon executes after the date check, with a few calls and checks of the parent calling functions. It begins by performing operations similar to those executed by the parent function in Shamoon, including: Retrieving the architecture of the system Retrieving of reference time attributes from legitimate Windows files It also contains additional functionality not seen in Shamoon such as a system version check and, most importantly, the decryption of the main configuration settings. Following these initial checks it will: Print the “garbage” strings, drop the hidden DLL payload from resource ID 101 Execute its main function along with the propagation and persistence mechanisms The DLL payload appears to be the replacement of the wiper component in Shamoon, PKCS12. This payload, whose original name is Actuator.dll and whose main callback function is MyDllMain, acts as an information gathering component. Similar to the higher-level function in Shamoon, this function will execute in different run modes depending on the number of arguments provided. A nice technical walkthrough of Kwampirs run modes was provided by the cybersecurity company Lab52 . Essentially this component will retrieve some basic information (network adapters information, native system information, and keyboard layout list) and then it will encrypt and submit it to a C2, while asking for new modules to download and execute. Cylera researchers have seen only one of these modules, and it consists of information gathering, mostly based on wmic commands (an evolved version of the one analyzed by Symantec, which was based only on windows binary shell commands). ###### cylera com ----- ###### 10 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The way the logic differs between both malware families indicates Shamoon has part of Kwampirs’ structure “embedded” in it, or simplified. This suggests the possibility that Kwampirs could have been developed first, and Shamoon was based on it, adding more logic and complexity, like wrapping it. At the same time it contrasts with the dates available on other reports, as Kwampirs’ first campaigns (at least publicly known) were first identified in early 2015. Nevertheless, exif and executable metadata indicates earlier compilation timestamps, some of them previous to Shamoon’s first campaign. Why is this important? Shamoon has been widely analyzed and there are a few publicly available reverse engineered source codes. This is a fact that goes against any attribution intent based on technical proof. However, on the other side, if Kwampirs was created before Shamoon, then the chances that it is the same group increases. Before Shamoon was discovered, no similar source code had been found. This would increase the probability that the authors are APT33, validating the attribution of Symantec about APT33 as the author of Shamoon (or that the authors shared the source code with APT33 somehow). However given the publicly available information and described dates, as well as our review of coevolution (check this section) the timeline says that Shamoon was first, then Kwampirs started to be used, and was followed by Shamoon versions 2 and 3, taking some of the improvements developed first in Kwampirs. Kwampirs performs the operation near the top of its “main” function, as displayed in Figure 5, after a few checks inside the function renamed as get_windows_dir_create_file_get_filetime() in IDA decompiled code. ###### 5.1.2 Timestamp Modifications Once the reporter files are dropped to disk, both Kwampirs and Shamoon alter their creation, modification, and access time attributes to mimic a legitimate Windows file, with Shamoon using “kernel32.dll” as the reference file and Kwampirs using “user32.dll.” This transmutation is additionally performed by each family after copying files to remote hosts during the infection process. Both families store the three reference timestamps (creation, modification, and last access) in global variables. Both droppers execute code to retrieve these reference dates and times from their respective reference files as one of the first steps of their “main” functions. Kwampirs performs the operation near the top of its “main” function, as displayed in Figure 5, after a few checks inside the function renamed as get_windows_dir_create_file_get_filetime() in IDA decompiled code. Shamoon performs the operation as the very first step of its “main” function, as displayed in Figure 6, before any checks. ###### Figure 5: Kwampirs retrieving reference file timestamps (decompiled code using IDA Pro). Figure 6: Shamoon retrieving reference file timestamps. INDEX ###### cylera com ----- ###### 11 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.1.3 Propagation Implementation The propagation modules in each sample consist of two main functions, one that generates IP addresses and one that attempts to infect each generated IP. There is a near one-to-one correspondence between the functionality and implementation of the two modules, excluding differences like step naming. Figure 7: Kwampirs IP address generation code INDEX ###### cylera com ###### Address Generation The first function (neighbor propagation) iterates the list of network adapters in order to read and generate neighbor IP addresses based on the infected host’s address. These IPs are then passed to the second function, as well as the local file path, for self propagation. These similarities in implementation are clearly seen in the following reverse-engineered functions, which are almost identical except that the decompiler recognizes some loops as “while (condition) {}” and “for (...) {}” statements, and in the other family as “do {} while(condition)” statements, for iterating the network adapters and generating the last octets of the IPs to infect. Kwampirs can be seen in Figure 7, and Shamoon in Figure 8. Figure 8: Shamoon IP address generation code ----- ###### 12 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Some newer Kwampirs campaigns show improved functionality for the address generation. A separate thread is created, then it makes use of the API call GetTcpTable() (or GetExtendedTcpTable()) to extract the list of active TCP connections of the victim. Then, it will iterate over those results trying to infect each endpoint connected. It does this to spread over past local /24 ranges, through Windows peers (Figure 9). ###### 1 When a call to the main propagation function is done, Kwampirs will first create and run concurrently a new separate thread. 2 In this new thread, the function GetTcpTable returns an array of Tcp connections. 3 Kwampirs will iterate the first 100 entries. 4 For each entry, it will check if ports 445 or 139 are in use (which means that they will also try to infect neighbor hosts using Windows protocols SMB or NetBios with the current victim). 5 Then it will call the infection function for those Windows-based hosts. Infection Function ###### The second function is responsible for probing each generated IP address, checking for a set of possible Windows administrative shares, and infecting the host if possible. For each target IP it will iterate over a set of possible shares and attempt to read “\\[SHARE]\ Figure 9: Kwampirs IP address generation code with GetTcpTable window\system32\csrss.exe” for each. The target shares can be seen in the Figures 10 and 11 for Kwampirs and Shamoon respectively. Figure 11: Common network shared drives checked remotely by Shamoon (string copied with qmemcpy) Figure 10: Common network shared drives checked remotely by Kwampirs (strings copied to the array as numbers) INDEX ###### cylera com ----- ###### 13 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### If a target share is accessible with sufficient permissions, each module will then check for the existence of a particular file and, if it is not present, create it. The purpose is twofold: one, determine if the machine is already infected, and two, test if we have permissions to write to the share. Kwampirs, for example, uses “ie11.png” as the target filename and will write 34 random bytes to it if not already present. If the module can proceed, it will then perform a self-copy to the destination host to a randomly generated temporary filename. In the case of Shamoon, the name to use as the first destination is a random name picked from a predefined set of command line tools. In the case of Kwampirs, it is a name starting with the prefix “wmiap” and some pseudo random choices. After the copying is done, in both of the cases the file is moved to a final destination path. Both modules will next change the creation, modification, and last access time attributes for the copied file, then enter a routine responsible for installing the transferred file as a remote service to ensure its execution. The service installation process will try to connect to the service manager of the victim host by using OpenSCManagerW(), and then it will try to open the services “WmiApSrvEx” (in case of Kwampirs) or “TrkSvr” (in Shamoon). If it does not exist, a new service is created, specifying the service name, display name, dependencies (RpcSs), among other parameters. In Shamoon, it will also add a scheduled task. After service creation, each module calls ChangeServiceConfig2W() to modify the service information and extended description. If successful, it will set the binary path name and then will connect to the remote registry (in Kwampirs, the remote registry service will be started first), then a key “\SYSTEM\CurrentControlSet\Services\SrvName” will be added to start the service on startup (were SrvName can be “TrkSvr” or “WmiApSrvEx”). The two functions vary a little bit. The Shamoon version does not enable the service of remote registry, but it does change the LanmanWorkstation dependencies adding Shamoon into it. INDEX ###### Minor Similarities There are numerous cases of small errors, bugs, or idiosyncrasies present in both families. For example: Both functions loop through the first 10 network adapters when finding the host’s local IP addresses in the IP generation function. This limit not only appears entirely arbitrary but also unnecessary as the API call used to retrieve the network adapters returns a NULL-terminated array that can be easily and safely iterated over in full. When retrieving an interface’s IP address, each module checks that the string returned by net_ntoa() does not exceed 18 characters in length, which is the length of the CIDR representation of a subnet. The module does not use CIDR representations anywhere, making this check effectively incorrect (with the valid value being 15) and likely an artifact from code that the authors had borrowed from some reference; additionally, the proper way to perform this check would be to simply reference the h_addrtype field in the returned hostent struct. Minor Differences There are two main differences in the implementation of the two modules, both of which have been mentioned. First, Shamoon installs a scheduled job in addition to the service registration step shared by both. Second, the filename generation procedures use different logic and will output different sets of filenames. While Kwampirs follows some simple logical rules to pick and modify slightly the names, ending in a limited set of strings similar to “wmiapsvre.exe”, Shamoon picks a name randomly from an array of common Windows tool names, without any further modification. The generated name is just a pivoting name. After the transfer is done, they both move the copied dropper to a final fixed name (in other parts of the code, a copy to this generated path is also done). The fact that this name selection is done in the middle of this large function invites us to discard the idea that the propagation code could be just a simple third party library inclusion. This is also partially the reason why the basic blocks graph changes slightly. Also, the way the loops are handled appears to change from “while()” statements to “do{ } while()”, or “for(;;)”, which could be explained in multiple ways. First, that they just changed the code, second that Kwampirs’ base code is a reverse engineered and refactored version of Shamoon where wrong loop statements were inferred, and third, this might be also produced by the compiler optimizations. The rest of the logic, in essence, is almost the same, and the service installation is pretty similar too, which will be explained a bit later. ###### cylera com ----- ###### 14 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.1.4 C2 Communication The reporters of both Kwampirs and Shamoon contain functionality to upload host information and download additional payloads to execute from their C2s. In general, the DLL that Kwampirs drops appears to be a complete refactor of the netinit.exe executable dropped by Shamoon. At the core, both modules use the same network API, both call InternetOpenW to create requests, and both handle the same general reporting-related tasks (ignoring anything wiper-related, which is only relevant to Shamoon.) However, the two have some differences in their implementations of these tasks. Figure 12: Kwampirs C2 selection process, first call to report_data_to_c2 makes use of proxy and proxy bypass options, second try calls without proxy and proxy bypass options, defaulting as system settings. INDEX ###### cylera com ###### C2 Selection Kwampirs, contains two sets of 100 C2 URLs. Kwampirs will pick and try a URL at random from the first list (Figure 12), using Proxy Bypass information if present in its configuration, and iteratively test the subsequent URLs until an active C2 is found. If no active C2 is found within the first list it will rerun the same procedure on the second, this time ignoring any Proxy Bypass configuration and just using the host configuration. This strategy is their attempt to hide from the Proxy and content filtering solutions integrated with it, by default, when possible: Shamoon 1 samples, on the other hand, use a single C2 identified by an IP address hard- coded in the binary. Interestingly, many Shamoon samples contained an internal IP address (within the 10.0.0.0/8 range specified by RFC1918) that initially led researchers to believe the attackers may have used a host on the targeted organization’s internal network as the C2. Later samples, however, used more obviously fake IP addresses (i.e. 1.1.1.1) that indicate that the C2 functionality was not meant to be used, and may be an artifact from a builder tool used by the attackers (as previously suggested by Unit42, a hypothesis that we will later review and confirm, at least, for Shamoon 2 and 3). While there are proxy and proxy bypass arrays, there is no fallback list, to ignore proxy options like in Kwampirs, and the C2 selection goes iteratively, one by one, without any random selection (Figure 13). Figure 13: Shamoon C2 selection and proxy options. ----- ###### 15 ###### ANALYSIS SECTIONS Host Information ###### The linkage between Kwampirs and Shamoon ###### In Shamoon 1 (2012) there are pieces of code that suggest they might copy some of the files before destroying the hard drive. Before destroying anything, it will try to download an executable file from the C2 with the name “filer” which sounds like a custom tool for collecting and exfiltrating files, or maybe just encrypt what they were going to destroy just as an early ransomware tool). Apart from the aforementioned “Filer” functionality (which has been mentioned in previous research but no code samples have yet found or shared openly), the information gathered by Shamoon 1, using Windows API calls, to build the URLs submitted to the C2 is not much. On the other hand, Kwampirs issues more API calls and uses a custom packing format to embed this information inside the URLs to request. It is intriguing to note that Shamoon 2 and 3 feature the same information gathering and packing as Kwampirs rather than Shamoon 1, leading to further speculation about the evolutionary relationship between the families. Here is how Shamoon 1 reviews the host information and URL formats: Shamoon 1 Depending on the stage of the attack as well as the combination of the number of arguments and values: IP address corresponding to the hostname of the infected machine (Figure 14) Iteration number of a loop checking the presence of a signaling file GetTickCount()’s value The contents of a signaling file INDEX ###### Figure 14: Shamoon 1 fetching victims IP information, ----- ###### 16 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The URL related code with the different parameters can be seen in Figure 15. Figure 15: Shamoon 1 format string and parameter names used while formating the C2 URL request. Once formatted, the final URLs would look something like Snippet 3. ###### Figure 16: Kwampirs fetching the victim MAC address. ###### Kwampirs and Shamoon 2 & 3 Kwampirs gathers and sends more host information inside the URL requests: the OS major version, OS minor version, platform, build, architecture, keyboard layout, and MAC addresses, among others. The data pivots in a temporary file (digirps.PNF). Then a base64 is generated and the URL is formatted. Here Kwampirs is compared with Shamoon 2, but keep in mind also that Shamoon 3 is almost identical to Shamoon 2. The data collected and the way it’s packed, encoded, and sent, is almost identical between Kwampirs and Shamoon 2: Fetching MAC Address in Kwampirs (Figure 16) is pretty similar, almost identical to Shamoon 2 (Figure 17). ###### Figure 17: Shamoon 2 retrieving the victim MAC address ###### hxxp://10.1.252.19/ajax_modal/modal/data.asp?mydata=[data]&uid=1.2.3.4&state=[Millisecs] ###### Snippet 3: A Shamoon 1 URL For now keep also in mind that this is 3 GET parameters (mydata, uid, state). The purpose of GetTickCount, while not immediately clear, may be to avoid cached data of transparent proxies and/or detect sandboxes where the tick count value does not increase from one request to another. INDEX ###### cylera com ----- ###### 17 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Retrieving the system info in Kwampirs (Figure 18) is almost identical to Shamoon 2 (Figure 19). Figure 19: Shamoon 2 routine for gathering the hosts native system and version information. Figure 18: Kwampirs’ gathering system and version information. INDEX ###### cylera com ----- ###### 18 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Both families retrieve the Keyboard layout list, again almost identical implementation (Figures 20 and 21). Figure 20: Kwampirs fetching the victims keyboard layouts information. Figure 21: Shamoon 2 (and 3) code that retrieves the keyboard layout list. Initial host information: In Kwampirs, while pivoting on the digirs.pnf file the data to send in the URL, it uses the encryption key of Snippet 4. ###### 53 11 37 16 72 BA 01 79 FA 3E 91 8A 83 BE DE B4 ###### Snippet 4: Kwampirs XOR key for digirs.pnf INDEX ----- ###### 19 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The overall initial information gathering sequence is common in both families: first it will fetch the MAC, then system and version info, then keyboard layout list. Note also how some numeric flags are used for signaling the information gathered, where values differ, but the parallelism looks pretty interesting (Figures 22 and 23). Figure 22: Kwampirs retrieving the victims host information for building the first C2 requests for additional modules. INDEX ###### cylera com ###### Figure 23: Shamoon 2 (and 3) sequence for gathering host information. ----- ###### 20 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### After issuing the API calls, the resulting buffer containing all the information is encrypted with a simple XOR algorithm and the key displayed at Snippets 5 and 6. ###### 28 30 A4 3F 6D 28 04 23 36 2A 32 DC AD 0B A0 4B E8 20 1F 64 84 0A F4 C4 C7 8A 8D C0 A2 C4 40 19 A1 43 82 38 14 FD 6C 90 E0 7E 2A 40 DF D3 F2 3E 72 38 C4 96 4D 98 7C 16 3B 3C E7 27 B7 D0 EF 7B 3C 45 06 9A 69 0D 6A 41 18 95 95 46 88 CC 19 6F EB 6B 5B F8 51 E4 2E E1 E6 8F 44 CF 20 2F 2B DE 7A 28 5D DB 55 5A 1A 35 AF D8 5F 57 B8 0F A5 F7 08 4A D0 AB E5 95 31 A1 25 31 00 65 3C 70 73 99 42 0A 02 1A 69 D9 A6 DF 14 B2 05 DD A8 DF F5 D9 71 6D 6E 96 5F 1B D1 0F 8E 0A 35 D4 65 FA 90 58 CC 75 02 92 B7 2C 46 ED 66 33 44 75 FC A4 E0 FD B8 C8 B5 0C 3A 84 D9 23 16 A4 AF 3B 57 C6 D2 5C B3 AB 9C CD F0 B2 A4 51 43 D3 F0 30 21 B5 ED 25 E3 64 B7 0C 1C A8 50 3A FF 6B 2C 32 06 B2 D1 54 3D 86 B9 1A BF 59 D7 92 59 EC 40 4A 8D B0 E7 9A 9A 0D 94 19 27 D8 6D AD 5C 3E BE 14 67 DC F0 92 ###### Snippet 5: Kwampirs XOR key used to cipher the host information ###### 7B 71 44 F7 9F 30 BE 8B DC A9 F9 31 6B DB BA 1C 01 71 56 16 AE 41 78 38 F5 89 CD 91 B5 D1 A4 48 11 AC 76 08 75 51 00 D4 66 2C BF 9C AB FA 04 0F 92 8D FB 94 D1 29 50 FB D1 C6 C5 B6 DA 96 77 A0 EA 05 A1 4D 44 2E 8B 47 E3 7E 84 31 F8 E5 0C D0 0E DE 99 5E 7D 32 91 9B DB B8 E1 A4 75 FE 57 ED 0C 0F 1E DD 6F 43 0C 00 1F E9 90 3A 88 1C 7C 88 22 80 02 9B DC 7B 81 66 46 69 23 FC 45 6A 46 4A CA 67 3A 71 6B D0 61 80 32 3C 9C AA 26 DC B1 C0 4E 10 F9 95 AF E6 18 0E 95 E7 FD 83 20 F9 FB B0 51 AD 37 E6 C0 DB 1E 2E 8D C3 57 1A 2F AD 3B E5 E7 AE 3F 3D C7 9A 84 2C 26 C6 D9 A0 EB 17 63 81 1F 86 48 BC 8E AB 8A D2 F3 58 E2 BF 95 58 DD 4C 96 02 FE A3 8E 80 27 BB A2 9D 12 DE 27 EA 98 82 07 97 18 1A 84 4C 21 1C 7F CE 55 7B E0 E9 13 29 59 34 5E 01 FD C7 17 1B 0F 05 78 EF E0 E5 70 5B ###### Snippet 6: Shamoon 2 XOR key used to cipher the host information INDEX ----- ###### 21 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The URL formats for Kwampirs (Figure 24) and Shamoon (Figures 25 and 26) are also very similar, but Shamoon has the option to pass an array of paths. Figure 24: Kwampirs URL format string. This is almost the same format as Kwampirs, but Shamoon 2 also has an array of paths, to append to the domain. While Kwampirs has been shown to take them already concatenated, it seems that Shamoon 2 improves on this. The parameter name, in this case, is ‘shinu’. In Kwampirs, it was just ‘q’. In Shamoon 3 and other samples, we’ve also seen the usage of the value ‘selection’ as the parameter name. ###### In Shamoon 2 the format is encrypted. Figure 25: Shamoon 2 URL format string encrypted. The format, as many other config variables, is decrypted in real time. The authors are just trying to hide from static analysis, but the algorithm is just a per-character value addition (or subtraction). The decrypted value will be used in a _vswprintf function call to format the final URL. This value corresponds to: Figure 26: Shamoon 2 URL format string decrypted. Note also that Kwampirs and Shamoon 2 and 3 use only one parameter in the query string instead of 3 (both differing from Shamoon 1), and it changes considerably with respect to the collected data for building the URL. In Kwampirs, the parameter name is set to ‘q’ (in the samples we have seen) and the C2 (plus path to the script) is pseudo randomly picked, as explained before. Data is the host information collected in the aforementioned API calls (Figure 22), XOR-encrypted and customly packed and encoded in base64 both in Shamoon 2 and 3. In short, Kwampirs and Shamoon 2 and 3 retrieve the MAC address, system and version information, and keyboard layouts. Then it packs this information in the same binary structure and type, encodes this structure with base64, and builds the URL for the C2 with almost the same format (different values each, but same format) using nearly identical code. ###### hxxp://18.25.62[.]70/groupgroup/default.php?q=[base64_string] ###### The format, as many other config variables, is decrypted in real time. The authors are just trying to hide from static analysis, but the algorithm is just a per-character value addition (or subtraction). The decrypted value will be used in a _vswprintf function call to format the final URL. This value corresponds to: ###### Snippet 7: A Kwampirs URL ###### hxxp://server/category/page.php?shinu=[base64_string] ###### Snippet 8: A Shamoon 2 URL INDEX ###### cylera com ----- ###### 22 ###### ANALYSIS SECTIONS C2 Requests ###### The linkage between Kwampirs and Shamoon ###### Shamoon 1 uses InternetOpenW to send C2 requests (Figure 27). Shamoon creates an HTTP request containing the host information, unencrypted, and picks the hardcoded value of “you” as the HTTP User Agent. Figure 27: Shamoon 1 API used for C2 communication INDEX ###### Kwampirs uses the same network API, including the InternetOpenW call (Figure 28), to create requests. This information is packed into a struct and encrypted with a basic XOR cipher, then encoded in base64. It then creates an HTTP request using this obfuscated data and picks “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18) Gecko/20100101 Firefox/18.0” as the HTTP User Agent. Figure 28: Kwampirs API used for C2 communication ###### cylera com ----- ###### 23 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### There is no index operator for the variables dwAccessType, lpszProxy and lpszProxyBypass at Figure 28. The index at this point has been computed from the upper level function (calling function displayed at Figure 29) in Kwampirs, before the call to InternetOpenW. The difference is that Shamoon will always try to use the options, but Kwampirs introduces a change here. It will first try to use the options, and if all the requests to the C2s fail, it will try with a secondary list without using Proxy and ProxyByPass information. Figure 29: Kwampirs making use of proxy and proxy bypass configuration arrays with an iterator (v2). Shamoon 1, 2 and 3 and Kwampirs, all contain arrays for C2, and Proxy, ProxyByPass, and accessType information. INDEX ###### C2 Responses Shamoon 1, 2 and 3 are capable of handling two commands from the C2: “E” (related to execute) which will perform a second request to download a file and subsequently execute it through a command line that was broken in the first version (“%S%S%d.%s”, note the capital letters problem in the format) “T” (related to time) which will modify the time of the netft429.pnf file, which is used to signal when the wiper has to start destroying The Kwampirs C2 has been observed responding to requests with a hash value corresponding to an additional module to download, corresponding to the “E” command from the Shamoon C2. Kwampirs will check the authenticity of the module using digital signatures and a public key embedded in the binary. Example: Kwampirs Auxiliary Module The module examined here, a DLL provided by the Kwampirs C2, has the following SHA256 hash: a7ab680c5ba9ea2ba40c25ea94bf4b0e8ab47533631f2739fc2dc15c269547bd The Kwampirs C2 provides additional modules to download and execute in the form of DLL files with callback functions named “CF.” The loader of the DLL and callback resolver appear to be shared and similar to ones used by other groups such as Lazarus and Sofacy. This module executes a series of commands to gather additional host information, which is subsequently uploaded to a C2 server. Interestingly, the commands are not identical to the analogous module examined in the initial Symantec report. These commands executed by this module are almost all wmic commands and are used to retrieve extensive information related to the computer, drivers, IRQs, baseboard, partitions, bios, logon, logical disks - a complete “radiography” of the system, displayed at Snippet 9. ###### cylera com ----- ###### 24 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### hostname getmac ver arp -a systeminfo wmic nic get caption,AdapterType,Manufacturer wmic timezone get caption wmic IRQ get caption, IRQNumber wmic port get StartingAddress, EndingAddress wmic csproduct wmic computerSystem wmic baseboard wmic cpu wmic partition wmic bios wmic startup wmic netlogin wmic portconnector wmic memphysical wmic share wmic logon wmic OS wmic logicaldisk get caption,description,size,providername wmic desktop ###### Snippet 9: Kwampirs commands found in a module downloaded by the reporter. Considering the level of detail found in the information gathered, it seems likely that the use of this module is intended for a reconnaissance phase. The types of information gathered may imply that the physical attributes of the device are of interest. This may imply that the ultimate goal of the campaign only relates to devices that satisfy particular physical properties that can be inferred from this information. INDEX ----- ###### 25 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.1.5 Artifact Similarities File Metadata The metadata of the dropper and reporter components (DLL and EXE) are based on metadata taken from legitimate Microsoft files in both Kwampirs and Shamoon (Figures 30, 31, 32 and 33), but in the case of Kwampirs, metadata from other files/companies was also used in later campaigns. Kwampirs Dropper Shamoon Dropper Figure 30: Kwampirs dropper metadata Figure 31: Shamoon dropper metadata INDEX ###### cylera com ----- ###### 26 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Kwampirs Reporter Shamoon Reporter Figure 32: Kwampirs reporter metadata Figure 33: Kwampirs reporter metadata It is worth noting that the metadata of later Kwampirs samples looks different and contains many different tools. One example is: e3bc08f7a12f9b68a73de99ecd0aaef1447bbbba9e35f518d42fd0e751be858f INDEX ###### cylera com ----- ###### 27 ###### ANALYSIS SECTIONS 5.1.6 Rich Headers ###### The linkage between Kwampirs and Shamoon ###### Rich Headers are an interesting indicator to consider. They include a list of the tools, by ID, collected by the linker to produce the binary and the number of “units” produced with each tool. Analysis of the headers reveals that the total units for Kwampirs is slightly lower than Shamoon, as expected since it has less functionality (see Figure 1) than Shamoon but is similar in proportion. Note also that the compilation tools and unit types are nearly identical between the two. The Rich Headers of the droppers can be seen below (the only difference relating to LTCG → The Rich Headers of the reporters can be seen below (the only differences relating to Link Time Code Generated) in Figure 34. Export1000 being present in Kwampirs because it is a DLL, and LTCG → Link Time Code Generated) in Figure 35. Figure 34: Rich headers of Kwampirs and Shamoon droppers Figure 35: Rich headers of Kwampirs and Shamoon reporters The units seem correct, but researchers are aware this could be faked. The downloaded file of Kwampirs does match this tool’s identifiers too. INDEX ###### cylera com ----- ###### 28 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.2 Common Template System Exposed (Builder) While typical Kwampirs droppers contain a single RT_BITMAP resource, which stores an obfuscated version of the reporter payload, our researchers uncovered some dropper samples containing two. In one case, the extra resource was a small artifact used to “pivot” privileged operations with the token of “explorer.exe” (similar to a small kind of mimikatz). But in some other cases, the extra resource stored under id “102”, appears to be a generic template DLL for the reporter module, accidentally included in the dropper. This indicates that the Kwampirs droppers were created using a Builder/Binder tool, responsible for rendering new campaign configurations. The template for the reporter module contains a series of configuration-related variables that are set to three-letter placeholder variable names in the form of “###VARNAME###” by default (Figures 36 and 37). The first letter seems to always be an ‘A’, but the second and third seem to be acronyms. The configuration parameters available for rendering include a primary C2 list, a secondary C2 list, the lengths of each list, and the lengths of the buffer containing each list, in addition to a handful of others, some of them being related to proxy configurations and bypass lists. Eleven unique variables have been identified in total. Our researchers believe there are similar templates for the droppers (similar placeholders were found in Shamoon 2 and 3 droppers, as explained later). Figure 36: Placeholder variables included in Kwampirs leaked template INDEX ###### cylera com ###### When attackers want to start a new campaign, they use the builder. It renders a new DLL replacing these “tags” (placeholders) with the values corresponding to the new campaign. When this DLL is ready, the content is encrypted with an XOR-based algorithm and embedded into the dropper’s resources. Most of the information and code of the new campaign remains the same, as it is taken from the same template as older campaigns, except the C2 and communications configurations. Figure 37: Example of rendered values for ###AQF###, ###AAC### and ###ACT### ----- ###### 29 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Notes C2 primary list, binary data Array, tries to use custom Proxy Bypass settings if provided ###### Name format unicode ###### Value (buffer bin data) ###### Value format struct array ###### In newer campaigns, the dropper can remain the same, with almost the same DLL, just with different configuration values, without recompiling the code. This way, attackers review the metadata of templates once, making sure they do not leak pdb paths, computer names, artifacts and other handles or footprints. After this, production of new campaigns becomes more stable and safer, avoiding leaks (operating much the same as deployment tools, like Puppet templates). This can confuse researchers too as they might think that a DLL belongs to a known campaign when, in fact, it could have a totally different set of C2s. This is an indicator that there is a professionalization in the modus operandi of the authors. At the same time this modularization allows that the dropper could be used by other APT groups as false flag operations. If handled correctly, this modus operandi should help attackers -- except in cases where they leak the templates or placeholders, as these can become identifiable footprints that can lead to discovery (see attribution section below). On the other hand, the fact that a resource 102 was found with the “unrendered” template suggests that this binding was performed by someone that was not familiarized with the building process and added it by mistake (Ops problem now..). On the other hand Shamoon contains more components to bind to the resources. However, the process of implementing a template system can be considered a weaponization process that implies attackers are getting ready to use it multiple times, against multiple targets, improving the ease of use and limiting possible mistakes in the process. See Table 2 for a full list of variables rendered by the builder and an extract of the values that we’ve found rendered. Some of the placeholders and values are in Unicode format, others are ASCII. INDEX ###### Variable name ###ASA### ###### cylera com ###### ###ASL### ###### ASCII ###### uint ###### Length of ASA in bytes ###### 7650 ###### ###AQF### ###### ASCII ###### uint ###### A value flag used as a kind of separator/check, for the binary exfiltrated data ###### 180 ###### ###AAC### ###### ASCII ###### uint ###### Number of items (count) in C2 first list ###### 100 ###### ###ACT### ###### ASCII ###### unicode ###### C2 primary list flags for access type for InternetOpenW dwAccessType (1 = Connection Direct) ###### 111 (...) ###### ###ABA### ###### unicode ###### struct array ###### C2 secondary (backup) list, binary data Array encrypted, uses default proxy settings ###### (buffer bin data) ###### ###ABL### ###### ASCII ###### uint ###### Length of ABA in bytes ###### 7668 ###### ###APN### ###### unicode ###### unicode ###### C2 Proxy Network bypass flags ###### 1 ###### ###APB### ###ABC### ###ASI### ###### unicode ASCII ASCII ###### unicode uint unicode ###### List of Proxy Bypass hostnames and addresses for InternetOpenW (not used in the samples analyzed, it has invalid values, but given that it is the first argument of one of the main functions, we believe it is, or will be, in use in other campaigns) Number of items (count) in C2 second list C2 secondary list flags for InternetOpenW dwAccessType (1 = Connection Direct) ###### 1 1 1 (...) 100 111 (...) ###### Table 2: Kwampirs unrendered placeholders found in leaked template. ----- ###### 30 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The ###APB### default value, which should be a list of IP addresses and hostnames passed to InternetOpenW has a unicode string value of 1111111111[…] which resembles the Shamoon 2 “1.1.1.1” IP address, as hypothesized by Unit42. When they do not need a variable, they just fill it with fake values. The binary template of this table can be found in the dropper with hash 1314a078a06d1dc528014715d229b173ed5fbdff42ccde33fb933cdb0b82727e. Inside, there is the resource named 102, that contains the hash bbd346e70b3858682f9f54ff9a3aa86dd286a98ff2386fbaa929edf86bb6d3f2. And also you can find the rendered DLL at resource 101 with hash 3c51cc159d604627e8e0d53373b49453d80b200e8cc4ffe1552574e4aeb8a3a3. We’ve seen other versions of the DLL, changing the way the C2 lists are stored (some encrypted, others not), but indicating that there has been an evolution of the droppers and the payloads. Our researchers believe most of the compilation timestamps are clearly fake (like 2003, using Visual Studio 2010). Others could be real, but this would mean there was a Kwampirs previous to the Aramco attack, which could be possible. But given the publicly known dates of Kwampirs detections, it seems unlikely. Our researchers are considering all of them developed after the Aramco attack. Attackers were probably using a development environment with a fake date and time, so there is zero trust for them in terms of timeline. Below is a list of droppers with the resources they carry, and each with its corresponding compilation timestamp (Snippet 10). INDEX ###### cylera com ###### [+] Droper 091d42e5425584de6b3385992b687b43fe5addba7a240f362c7d1ae463b459b8 Time Stamp : 2011:04:08 16:59:35+02:00 - Reporter b749a8592078777fdb10eff1d6d488c71e39b81f28c2ec0cd5e74e9de2a9e01_101 Time Stamp : 2011:04:08 16:57:19+02:00 [+] Droper 14461260f9b3988d4eb4e46bc7d9861172266a9a01bf15c57916a9e4f9dc0618 Time Stamp : 2011:06:17 16:35:44+02:00 - Reporter 71f6d3b5c8171ff34b8fb8cad48bcaa70aafd7b8e36035a135c57b8de56992e0_101 Time Stamp : 2011:06:17 16:34:54+02:00 - Reporter 71f6d3b5c8171ff34b8fb8cad48bcaa70aafd7b8e36035a135c57b8de56992e0_102 Time Stamp : 2011:06:17 16:34:54+02:00 [+] Droper 6112238eebc4ee75b54971d6542baad9686210de4727b0507d5a7ccecf241003 Time Stamp : 2008:08:15 02:36:03+02:00 (Obviously fake) - Reporter 3c5b1cc159d604627e8e0d53373b49453d80b200e8cc4ffe1552574e4aeb8a3a3_101 Time Stamp : 2011:06:22 15:51:40+02:00 - Reporter bbd346e70b3858682f9f54ff9a3aa86dd286a98ff2386fbaa929edf86bb6d3f2_102 Time Stamp : 2011:06:22 15:51:40+02:00 [+] Droper 9c08769d6f8370720438f3c619557a6e5dcb6d5ceb3f37adc8d172e2beb7468a Time Stamp : 2003:12:17 05:51:18+01:00 (Obviously fake) - Reporter 3c51cc159d604627e8e0d53373b49453d80b200e8cc4ffe1552574e4aeb8a3a3_101 Time Stamp : 2011:06:22 15:51:40+02:00 - Reporter bbd346e70b3858682f9f54ff9a3aa86dd286a98ff2386fbaa929edf86bb6d3f2_102 Time Stamp : 2011:06:22 15:51:40+02:00 [+] Droper 613cf53dba46e78303f9b6d106a6e8c71547143d96a6c06776907d5b117bafc9 Time Stamp : 2011:06:22 15:55:09+02:00 - Reporter 3c51cc159d604627e8e0d53373b49453d80b200e8cc4ffe1552574e4aeb8a3a3_101 Time Stamp : 2011:06:22 15:51:40+02:00 - Reporter bbd346e70b3858682f9f54ff9a3aa86dd286a98ff2386fbaa929edf86bb6d3f2_102 Time Stamp : 2011:06:22 15:51:40+02:00 ###### Snippet 10: Kwampirs droppers and resources with their corresponding timestamps ----- ###### 31 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.3 Kwampirs C2 Infrastructure Cylera researchers paid careful attention to the C2 infrastructure used by active Kwampirs campaigns throughout the course of this research. Of the assets monitored, one domain used during campaigns around November 2018 attracted particular attention. The domain was protected using Cloudflare, making it difficult to uncover the server’s physical location, hosting provider, or co-hosted domains. However, the Apache web server used was configured to allow open directory listings for all directories, including the web root, which provided a glimpse into the contents of the C2 server. 5.3.1 Web Server Contents The domain name for the server was “servncjikjpbn.in”, believed to be active from August 2018 to November 2018, contained the following structure in its root web directory shown in Figure 38. Figure 38: C2 web directory structure of servncjikjpbn.in server INDEX ###### cylera com ###### A handful of files of particular importance are: s.php → contains the string “This work!”... almost like Apache’s “It works!” (Figure 39). Figure 39: Listing of servncjikjpbn.in C2 server, root directory users/users/main.php → the script processing Kwampirs reporter requests (Figure 40). Without parameters it was displaying the string “REQUEST: []”. In well formed requests it was observed to respond with a prefix of “911:{HASH}” indicating the hash of the component to download on the next request. Figure 40: Directory listing of /users/users folder of servncjikjpbn.in server ----- ###### 32 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### users/users/files/cmd → It was empty, but we assess the modules to download were stored here (Figure 41). Figure 41: Directory listing of /users/users/files folder of servncjikjpbn.in server users/users/files/k/PuK → contains a public key whose purpose is not entirely clear (Figures 42 and 43). Potentially, it could have been used for a variety of different purposes, but Cylera researchers have found that the same key is embedded in the reporters of all Kwampirs versions (noteworthy to mention as a key indicator that the same actor is the same in all Kwampirs’ campaigns) and is used for digital signature checking of additional downloaded modules. Figure 42: Directory listing of /users/users/files/k folder of servncjikjpbn.in server INDEX ###### cylera com ###### Figure 43: Public key in /users/users/files/k/PuK users/users/files/log → A directory containing log files (Figure 44). Figure 44: Directory listing of /users/users/files/log folder of servncjikjpbn.in server ----- ###### 33 ANALYSIS SECTIONS The linkage between Kwampirs and Shamoon 5.3.2 Modification Timestamps The screenshots of the web server directory listings in the previous section show the modification timestamps for the files and directories contained. While some appear to be within the expected general range of 2018, such as the files and directories in the root directory, other files appear to predate the campaign: main.php, the PHP script handling reporter communication, shows a modification time of April 30, 2016 cmd/, a directory believed to store downloadable modules, shows a modification time of January 8, 2010 PuK, an unknown public key embedded also in all the Kwampirs reporter binaries, contains a modification time of July 10, 2009 The timestamp for main.php falls within the known Kwampirs activity timeline, which is believed to begin in 2015. However, the cmd/ and PuK timestamps significantly predate the first known Kwampirs activity, and even that of Shamoon. While this server was not in use then, it is likely that the base contents of this server were stored and deployed using a timestamp-preserving tar/gz file from past servers. While it is certainly possible to fake these timestamps, it seems like an unlikely precaution to take. One expects that the group would ensure no directory listings were being exposed, if they were conscious of such details. While it could be argued that the directory listings could have been intentionally left open to expose the intentionally modified timestamps, it seems safe to invoke Occam’s Razor here. Additionally, if this was the case, it would be most sensible to fake the timestamp of main.php, as the path would be known to any researcher, and the web server may send this date as the last-modified header. It is also worth noting that the hours found in the various timestamps are within a ~12-hour range from 03:00 UTC to 15:30 UTC, ignoring the log directory whose contents are updated automatically by main.php. Considering daylight savings for applicable timestamps, this range maps to approximately 8:00 am - 7:00 pm in Tehran’s local timezone. INDEX ###### cylera com ###### 5.3.3 Exposed Logs The users/users/files/log/ directory contains log files that are exposed and accessible to web browsers. The log files increased in size proportional to the volume of HTTP requests to main. php, indicating that they were used to store requests from infected hosts. The naming scheme is simple: The “cl” filename seems to be an acronym of “Current Log” When this file nears 1MB in size it is compressed to a 56kb “7z” file, which includes a date- time string in the new filename (something like cl_YYYYMMDDHHMMSS.7z). A new “cl” file is then created and the log rotation is completed. Each log file contains records corresponding to HTTP requests performed by infected hosts. The logs are encrypted and base64 encoded. The encryption key is identical to one present in and used by Kwampirs binaries, making it very easy to decrypt the logs. Unfortunately, the web server was improperly configured with Cloudflare’s reverse proxy and reported Cloudflare proxy IP addresses instead of the true (external) IP addresses behind each victim request. While it was possible to view the information in the request payloads logged, it was not possible to analyze the geographic distribution for many of the infected hosts. The payloads contained the local IP addresses of the victim and geolocation was not possible. Then researchers thought of the possibility of sinkholing some domains to uncover some of the real victims. ----- ###### 34 ANALYSIS SECTIONS The linkage between Kwampirs and Shamoon 5.3.4 Sinkhole Domains Kwampirs’ C2 selection logic is simple and noisy: it will start at a random offset in the list of C2 addresses and try them one-by-one. The C2 lists are a mixture of IP addresses and domain names, of which the majority of the latter are not yet registered. Registering one of the available domains within a C2 list will therefore provide telemetry regarding the set of actively-infected hosts as they attempt to find an active C2 at set intervals, starting in a random position of the C2 lists and then iterating one by one until a valid response is received. On the other hand, providing new samples to download from these sinkholes does not look possible, as the downloaded components are cryptographically signed and checked with a hardcoded key at the dropper before any execution. Cylera researchers registered at least one domain per unique C2 list contained within each analyzed sample to view a cross-section of infected hosts across different campaigns. The domains registered are shown in Table 3 ###### servncjikjpbn.in (after expired) ###### Logs collected over an extended period of time indicate that the most frequently targeted country for the campaigns analyzed is Saudi Arabia, followed by France and the Netherlands, followed by the UK and US. Within the logs, Cylera researchers were able to identify multiple infected Saudi and US hospitals as well as other healthcare institutions. Table 3: Sinkholed domains ###### dswmain.org ###### untnewsgbrnkggb.co ###### srvncdnservsiteyhd.org ###### fjrfjrsitenchdnfjr.org ###### srvkcnyhd.org ###### mainpbnpower.info ###### jfnnrjfjrfjr.com ###### sitencjsite.org ###### powersitemainservfjr.org ###### pbnkcnjfnikjserv.org ###### ncjjfn.org ###### nrjfjrkcnsite.org ###### INDEX ----- ###### 35 ANALYSIS SECTIONS The linkage between Kwampirs and Shamoon 5.4 Indicators of co-evolution Many researchers were surprised about Shamoon 2 campaigns. Shamoon reappearance was somehow unexpected, especially because it had been a long time since Shamoon 1 (almost 5 years, at least on publicly known campaigns). However, Cylera Labs assess: That while Shamoon was left in the vault, its code was forked into Kwampirs, used against strategic targets for CNE That at some point, the actors decided to recover the Shamoon wiper with destructive intentions. That part of the Kwampirs’ changes were transferred back to Shamoon for campaigns 2 and 3. That both projects have their own paths now, one for destructive operations the other for network and infrastructure exploration, but maybe they should be considered the same malware family. In this section our researchers explain: A reasonable doubt of ambiguous ancestry, since some dates found seems to indicate that Kwampirs existed even before Shamoon 1. A sample discovered that looks like the starting point of the fork between the two malware families. The divergence of both families’ evolution, from a code level perspective including: Differential analysis for each new version of both malware families, key similarities, code added, updated, deleted. Key pieces of code that allowed researchers to understand how the projects diverged and why. INDEX ----- ###### 36 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.4.1 Ambiguous Ancestry Based on the dates of known attacks it appears that Shamoon, with its first known usage occurring in 2012, predates Kwampirs, whose first known usage (or at least detection) occurred in 2015. There are a handful of details that seem to potentially contradict this notion of ancestry. Cylera researchers do not discard the possibility that there could be a precursor Kwampirs version even before Shamoon 1, which would be just a lightweight Shamoon, with only the reporter components for CNE operations. A few details considered are: Compile Times The compile times for Kwampirs samples are within the 2010-2012 range, predating those of Shamoon. However, these can be manipulated very easily, and there are samples with obviously modified timestamps (i.e. from 2001, compiled with Visual Studio 2010). This reduces the amount of validity of the timestamps and compile times analyzed. This would indicate the binaries were built using a host or virtual machines that had a date which was set intentionally to obscure its creation time. Interestingly, Shamoon’s dropper sets the date on infected hosts back to a point in time where the license key embedded for the Eidos disk driver was valid; however, there is no evidence this is related, and the Kwampirs compilation times actually predate this time. Simplicity It would be expected that future iterations and development of an application, malware or otherwise, would often increase the complexity and overall entropy of the application. This, however, does not often seem to be the case -- Kwampirs often appears simpler, with less abstraction, than Shamoon. This, of course, is not a definitive indicator of anything, as Kwampirs lacks the destructive components of Shamoon and the Eidos driver. On the other hand, Kwampirs sometimes exhibits improved functionality, such as the usage of GetTcpTable to spread past local /24 ranges. And the changes performed to Kwampirs with respect to Shamoon seems to follow two goals. First: minimize size and simplify the malware stack, reducing it to just perform a light reconnaissance (completed with a more detailed module downloaded from the C2, if they are interested in the target). Second: remove and/ or modify strings and code that could be potentially used by antivirus rules to evade detection (and implicitly to diverge more from Shamoon). Taking this in consideration, and given that Kwampirs doesn’t need a wiper module, an archiver component, or the Eldos driver (or any other), complexity gets lowered. INDEX ###### Shamoon C2s Shamoon samples often contain non-functional C2s, sometimes overtly invalid (i.e. 1.1.1.1.) This may indicate that the samples were generated from a template, or using a builder tool, that takes C2 options as parameters. It is strange that the samples would include this when no active C2 was in use for years, so this may indicate that Shamoon was based on code that already included C2 logic (which will be covered in later sections). Kwampirs C2 Timestamps Timestamps of key files and directories on the Kwampirs C2 server date back to 2009. A few core directories, such as /log and /cmd date back to 2010. This may imply that Kwampirs was active at the time; but it may alternatively imply that Kwampirs’ C2 was based on an earlier family, such as Shamoon’s. Keep in mind that the protocol is still the same, and both families return a prefix of “911” from the C2. These dates could be preserved over the deployment of the file structure, during the decompression process of the files. It seems entirely unnecessary to fake the timestamps of these files, and the fact that they left the directory listings exposed indicates they were not particularly cautious when setting up the C2. However, it is possible that these files were created within a VM whose date was rewinded, and that the older timestamps were therefore modified as a potentially-unintended side effect. ----- ###### 37 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.4.2 The missing link (886e7) In November 2019, an old dropper was uploaded to VirusTotal (Figure 45) from Saudi Arabia that shed some additional light on the evolution of Shamoon and Kwampirs, completing the puzzle of its evolution. Our researchers believe this sample is dated between Shamoon 1 and all the known Kwampirs campaigns, at least all that Cylera labs is aware of. One of two C2 IP addresses hardcoded in the sample is contained with a netblock that was assigned to Netflix in mid 2015, making this sample likely to have been created and used before then. Figure 45: VirusTotal information about the old Shamoon/Kwampirs dropper INDEX ###### cylera com ###### This sample, 886e7271b1a0b0b6c8b2a180c2f34b1d08d899b1e4f806037a3c15feee604d7b (also known as 886e7, or simply 886), appeared to be a mixture of components of Shamoon and some Kwampirs, more similar to Shamoon than to Kwampirs, but showing a development line pointing to Kwampirs, were some changes went back to Shamoon version 2, but some continued only on the Kwampirs branch. This mixture of components seems so interesting that we believe it could be the starting point of the fork between both families: The resources are named PKCS12 and PKCS7, similar to the first Shamoon. There’s some dead code, unreachable by default, indicating that this sample was probably compiled in the middle of a refactor or repurpose process. The resources are executables, similar to Shamoon, but the downloaded components are DLLs, with the same loader code as Kwampirs. The resources contain only reporter modules, without a wiper, like Kwampirs. Both reporters use “ItIsMe” as the user agent (Figure 46), like some early Kwampirs samples, which seems like a continuation of the one used by Shamoon (“you”). Researchers found requests with this user-agent at the sinkhole server, indicating that there is still some activity of infected hosts (See for example the sample: a5e5b4e6caf7ac3ac8d9b7b3527f767ff011d138246686822fea213a3b0597fc). Figure 46: Old dropper “ItIsMe” user agent One of the reporter modules sends data similar to the data sent by the first Shamoon, including a similar format and similar values (i.e. tick count for cache busting). The second reporter reduces the number of parameters and encodes everything into a base64 string, except the value of GetTickCount, in a very similar way as Kwampirs does. The C2 returns data in the format of the Kwampirs C2, not like Shamoon 1. We know this because the sample explicitly looks for 911: in the messages received (Figure 47), which is used by the Kwampirs C2 to download additional modules. ----- ###### 38 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Figure 47: Sample checking “911” value Note: Later in Kwampirs they removed the explicit check of the string 911, which was replaced by a cryptographic signature check. The presence of the string “911:” in the C2 responses did continue after that. This change was probably motivated because someone (another nation state) could hijack the victims issuing them to download other modules (researchers cannot tell if this happened with Kwampirs, but there are reports indicating that other botnets (some presumably belonging to Iranian APTs) were hijacked as shown it the Snowden leaks. This could happen because after this sample (886e7..), they started adding lists of unregistered C2s, which could be sinkholed. The first versions were downloading the DLL component and executing it without further inspection of the source legitimity, opening the possibility to create sinkholes based on the C2 lists and distribute custom executables to the victims, which could be used to “steal” the victims (or to distribute a vaccine too). INDEX ###### In Kwampirs, when the reporter executes the downloaded component (DLL), it will search for an exported function called “CF”. Turns out this sample uses the string “cmdFunc” for the same purpose, so CF is probably the acronym in which it evolved. The C2s are hardcoded in clear text within the binary, like Shamoon 1. The sample uses GetExtendedTcpTable, similar to Kwampirs’ use of GetTcpTable. On the other hand, Shamoon versions do not use any of these propagation methods. Some hypotheses for this limitation are explained in the Shamoons usage section. Name arrays for the executables name selection contains wmi* related names (Figure 48), just like Kwampirs, so it seems that with Kwampirs they removed the rest and started from there: Figure 48: WMI related executables names included in the old dropper Other noteworthy points about this sample are: Timestamps of the samples were set to the morning of September 11, 2001, right in between the collision of the first and second planes. The dropped files have similar timestamps, but slightly later in the day, which likely indicates that the resources were built in a VM with the clock rewound. This anti-American message also matches the burning American flag that the original Shamoon attack wrote to the disk. The XOR keys used in the resources are unique relative to other samples The second reporter contains the same C2 servers but replaces .aspx with .htm. It also leaks less information on the URLs built with the host information, but the responses are handled in the same way. ###### cylera com ----- ###### 39 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Due to the upload date one would initially assume that this is a recent sample. However, analysis of the code shows that the sample appears to contain way more simpler, more basic logic and abstraction in the reporters (just the bones). For example, the function handling C2 communication performs more brittle checks, such as directly looking for 911, directly within the function itself, while normal Kwampirs samples have more robust checks (cryptographic signature) and abstract the functionality out to separate functions (ignoring the possibility of inlining). Analysis of the C2 IPs shows that both are unlikely to be under the attacker’s control currently (one is owned by Netflix), though it is possible. However, the IPs were used for web hosting in the general range of 2010 - 2015, which potentially indicates that this is when the sample was in use. This would place it before the known Kwampirs campaigns, and after the first Shamoon 1 attack. It aligns with the possibility that Kwampirs was developed from this sample. The usage of the “ItIsMe” user agent is only seen in these two reporters and in one of the original Kwampirs samples (the first one known), which also implies that 886e7 predates the first Kwampirs. It also mirrors the first Shamoon’s “you” user agent, which was later changed to match typical browser values (as was Kwampirs). The usage of GetExtendedTcpTable is also interesting; the first known Kwampirs binary does not use this method in its propagation function. Kwampirs binaries from later campaigns use GetTcpTable, which returns only IPv4 values. This could indicate that this sample came between the first known Kwampirs sample (2015) and the next (2016). Researchers conclude this is likely a step between Shamoon & Kwampirs: possibly the starting point of Kwampirs own malware family. INDEX ----- ###### 40 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.4.3 Differential analysis of the Reporters Having the aforementioned missing link, Cylera researchers thought that it could be possible to rebuild the “commit history” and timeline, not based on dates but on the code evolution itself, of both Shamoon and Kwampirs from scratch, since the timestamps of the Kwampirs samples were manipulated. There are a few dates that can be found from OSINT, and Shamoon campaigns are publicly known, but the key here is to understand how the fork of both families occurred, what were the purposes, and if we identify anything that could help us assess if Kwampirs could be a false flag operation or just the opposite. Kwampirs main activity begins between Shamoon 1 and Shamoon 2. For this analysis Cylera Labs gathered the Shamoon reporters corresponding to versions 1 and 2 along with Kwampirs reporters from all the known versions to date and the reporters of the sample 886e7. Having them all in the same set, we then compared each of them through code changes. Sorting and inspecting the results, our researchers were able to see how the evolution occurred between the two families, rebuilding the history timeline, all inferred just by code changes. The results are explained following the inferred order of the samples analyzed, mentioning also the names of campaigns assigned by Reversing Labs for the samples that they track. This will help contextualize the compilations, but we mention a few more “commits” of the history (the two reporters of 886e7, that sets the fork from Shamoon 1) and the sample between Campaign 0 and 1 (that allowed us to understand how and when the implementation of the template system occurred). The samples covered are listed in Table 4. INDEX ###### (*) In terms of code, campaigns from A to F contain a few minor differences, mainly a few bug fixes, so minor that they could be considered the same version. Table 4: Reference malware hashes for the Reporters’ evolution analysis cylera com ###### INDEX 1 ###### SAMPLE (SHA256) 7dad0b3b3b7dd72490d3f56f0a0b1403844bb05ce2499ef98a28684fbccc07b4 ###### VERSION Shamoon 1 Reporter ###### 2.1 ###### d42e48d39540eccce812e5335a390acab5cf72457465765c949a29933f422465 ###### 886e7 Reporter 1 ###### 2.2 ###### 1eb2c0e3868758bbb1c6fa8fc3b5ee7aa8f93ade19f543ccfa61f149cf418701 ###### 886e7 Reporter 2 ###### 3 ###### a5e5b4e6caf7ac3ac8d9b7b3527f767ff011d138246686822fea213a3b0597fc ###### Kwampirs Campaign 0 Reporter ###### 4 ###### 4f94d67c9da7e340b258e26dee7269c89f1e7c2c2625a96073adeec794541e66 ###### Kwampirs Campaign 0-1 Reporter ###### 5 ###### bd1e8f21dcb48c6dcc37304d697053b83417929305de4663907e6283db5c1ddd ###### Kwampirs Campaign 1 Reporter ###### 6 ###### 6f7173b7ae87b5f3262e24a5177dbbd4413d999627f767754f08d8289f359bb3 ###### Kwampirs Campaigns A-F (*) Reporters ###### 7 ###### 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842 ###### Shamoon 2 Reporter ----- ###### 41 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Also note that for Kwampirs samples there can be multiple hashes identifying the same compilation because of a different set of C2s, and because it started changing some bytes after each infection to make each sample look like a different one. This way, when a researcher checks if a sample is available at VT (just if an antivirus or EDR checks a specific hash value), it may look as if it is not malicious, but only because the hash was not seen yet because of a few bytes changes. This kind of duplication has been resolved for the analysis, and Cylera researchers have selected only a set of hashes that represent different versions (even with small code changes). In order to perform the comparison of all these reporters, our researchers extensively used the tool radiff2 from radare2, for clustering samples by proximity and setting an initial order between versions (looking also at the number of functions implemented, the number of imports, etc). In addition, we used diaphora (with IDA pro), to inspect the differences between every pair of these versions one by one (with the pre established order), inspecting with greater detail, just like DNA sequences, to identify feature updates, bug fixes, functionality removed and new features. In short, we traced the evolution through differential analysis. INDEX ###### Shamoon 1 Shamoon version 1, the first known sample of the family, was used against Saudi Aramco in August 2012. It has a “.exe” reporter and a C2 URL format containing 3 parameters (Figure 49). Figure 49: Request to C2 with parameters “mydata”, “uid” and “state” ###### cylera com ----- ###### 42 ANALYSIS SECTIONS The linkage between Kwampirs and Shamoon Configuration values were not decrypted in runtime, and the Shamoon 1 reporter was capable of doing two things with the C2 response: downloading and executing a new “.exe” component (renamed as “filer”), which seems it could be used for doing “remote backups” before destroying), or modifying the detonation date of the wiper component. The execution was apparently broken (Figure 50) because some of the format strings were specified as capital letters (“%S%S….”). Figure 50: Broken implementation by using “%S” formatter instead of “%s” 2.1 2 “886e7” (aka, the Kwampirs fork initial commit) Shamoon 1 can be traced back to 2012. Some time after August of that year and before 2015 (when Kwampirs’ first sample was identified), the Shamoon malware family forks, creating a lightweight version without destructive components but still with some traces of them in the code. This is the dropper 886e7271b1a0b0b6c8b2a180c2f34b1d08d899b1e4f806037a3c15feee604d7b (which will be referenced as “886e7” or just “886”), and it’s considered the link between Shamoon and Kwampirs. The interesting fact of 886e7 is that it contains two different reporters (Figure 51), of sizes 65Kb and 63Kb, evolving in the direction of Kwampirs: ###### “886e7” reporter 1 (PKCS12) The first “reporter” of 886e7 has the following sha-256 hash d42e48d39540eccce812e5335a390acab5cf72457465765c949a29933f422465 (encrypted and hidden at the image located in resource 112 (under PKCS12). It is more similar to Shamoon 1, with three parameters (Figure 52), sending data similar to the data sent by the first Shamoon, including a similar format and similar values (i.e. gets the adapters address, tick count for cache busting). ###### Figure 51: The two reporters (PKCS12 and PKCS7) included in 886e7 Figure 52: PKCS12 reporter that sends parameters “afg”, “i” and “c” INDEX ###### cylera com ----- ###### 43 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### “886e7” reporter 2 (PKCS7) The second reporter of 886e7 is 1eb2c0e3868758bbb1c6fa8fc3b5ee7aa8f93ade19f543ccfa61f149cf418701 (encrypted and hidden in resource 113 under PKCS7). It does reduce the number of parameters to two (Figure 53), and the first is set to NULL, except the value of GetTickCount (for busting web caches). This means that the only purpose of this one was to download and execute an additional module from a C2. Figure 53: PKCS7 reporter that sends parameters “abc” and “cache” In both reporters, the C2 returns data in the same format as Kwampirs C2 (different to Shamoon 1). We know this because the samples explicitly look for the prefix “911:” in the messages received (Figure 54), and this is how Kwampirs C2 was indicating victims to download additional modules (responding with 911:md5_of_module_to_download). INDEX ###### cylera com ###### Figure 54: Code of PKCS12/7 that searches for “911” string in C2 response ----- ###### 44 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Both use the same XOR key (“¦(}¡È¦(}â”) to decrypt the downloaded component, which is a DLL instead of an exe (differing from Shamoon 1, but exactly the same as Kwampirs). In the same way as Kwampirs does, both reporters will load the dll in memory and both will search for an exported function called “cmdFunc” (Figure 55). Figure 55: Search for “cmdFunc” in PKCS12/7 Turns out Kwampirs samples use the string “CF” for the same purpose, so they switched to the acronym. INDEX ###### 3 Campaign 0 After 886e7 our researchers believe the authors start what could be considered Kwampirs own path, with sample a5e5b4e6caf7ac3ac8d9b7b3527f767ff011d138246686822fea213a3b0597fc (campaign 0 identified by Reversing Labs). This sample starts shifting Kwampirs away from Shamoon, to avoid detection via Shamoon patterns. - This reporter is a DLL, not an “.exe” file, as opposed to previous reporters. - The name of the reporter is “Actuator.dll” (Figure 56). Figure 56: Kwampirs reporter Actuator.dll metadata The new reporter starts adding garbage strings (Figure 57), the same as the dropper components (something that was not found in the 886e7 reporters). Figure 57: Creation of garbage strings in Actuator.dll ###### cylera com ----- ###### 45 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Configuration constant strings are encrypted using an XOR based algorithm (Figure 58). This sample has two XOR-encrypted C2 lists, ~100 URLs each (Figure 59), like Kwampirs’ known C2 lists, as well as proxy and proxy bypass configurations (if available, but we have not found a sample using these options). Figure 58: XOR based encryption in Actuator.dll Figure 59: Decryption of C2 list in Actuator.dll INDEX ###### cylera com ----- ###### 46 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Depending on the number of arguments, the configuration will be decrypted and it will launch a thread activating the payload functionality. This thread will pick a random host from the main C2 list, which may have proxy and proxy-bypass configuration settings. If the communication cannot be established with this set of C2s, it will fall back to the secondary list, picking a random start as well (Figure 60). ###### While Kwampirs’ dropper gets compatible with x64 in the reporter, they want to get back to retrieving more host information using the Windows API from the victim before getting additional modules from the C2, probably to avoid fake victims (bots) from researchers, sandboxes, etc. So they start retrieving the network adapter’s information (MAC address) again, as well as native system and version info, and the keyboard layouts (Figure 61). Figure 61: Kwampirs dropper retrieving host information ###### This information is packed into a custom buffer, encrypted with a simple XOR-based algorithm Figure 60: C2 pick algorithm in Actuator.dll using the key in Figure 62 and encoded in base64 before appending it to the final URL. Figure 62: Base64 chunk obtained from host information INDEX ###### cylera com ----- ###### 47 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The reporter requests the previously built URL to the C2, which responds with the payload of the additional module. Then the reporter performs a cryptographic signature check against the downloaded module with an RSA1 public key that is embedded in it, possibly to avoid MITM attacks from other nation states (Figure 63). Figure 63: Signature verification of Kwampirs module The public key was released by Symantec in their Yara rules. It is worth mentioning that this RSA1 key is consistent in all the reporters analyzed, which means that very likely the actor has been the same in all the campaigns (but keys stolen too). INDEX ###### cylera com ###### The URL format is changed to minimize the number of parameters to just one (cache parameter disappears). Still in clear text, but only for a while (Figure 64). Figure 64: Kwampirs request with just one parameter The User-Agent remains “ItIsMe” (Figure 65). Figure 65: Kwampirs request with the user agent “ItIsMe” The callback function for starting the downloaded component is renamed to CF. Cylera researchers believe the program makes all these changes with two goals in mind. First, one tries to diverge both families, specializing just for CNE, minimizing number and size of the components, and second, improving AV evasion and resilience, changing some of the constant strings, adding configuration encryption, and adding a larger set of C2 lists. ----- ###### 48 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Lost sample between campaigns 0 and 1 A sample between RLs campaigns 0 and 1. Just a bit later appears another version, 4f94d67c- 9da7e340b258e26dee7269c89f1e7c2c2625a96073adeec794541e66. In the timeline, this sam- ple would be between campaigns 0 and 1. This sample is pretty similar to the previous one, but has a kind of file cache for the information gathered from the host in the first stage (net- work adapters info, native system and version info, and keyboard layout). The user agent is also switched from “ItIsMe” to “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0” (Figure 66). This is probably done to “break” the simple connection to Shamoon just by user-agent. The number of functions changes from 101 to 106. These represent pretty small changes but seem to prepare the reporter for communicating through a “privileged pro- cess proxy” component that we will uncover later. Figure 66: User agent used by sample discovered between campaign 0 and 1 Campaign 1 Next goes a reporter we can identify with the hash bd1e8f21dcb48c6dcc37304d697053b- 83417929305de4663907e6283db5c1ddd. This corresponds to Reversing Labs campaign 1. This reporter contains another component (resource 104) that acts as a process proxy for down- loading and executing new modules by impersonating the user token of “explorer.exe”, ala mimikatz style. The resource 104 is a bitmap image (Figure 67) containing the component stored by the end, to make the image look as if it was corrupted (note that Kwampirs’ reporters are stored in the same way on the droppers). INDEX ###### Figure 67: Bitmap image included in resource 104 ----- ###### 49 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### It is a privilege escalation based on user tokens. Communication with this component is performed using pipes (Figure 68) through the CreatePipe() function. By pivoting on this component for privilege escalation, Kwampirs is able to perform internet-related queries in cases where the user does not have enough privileges. This improvement is, in later Kwampirs’ versions, refactored and integrated into the main Kwampirs binary as another runmode to minimize the number of components to be dropped and as a technique for confusing static analysis based on the invocation parameters. Figure 68: Privilege escalation for communications based on user tokens, implemented in Kwampirs INDEX ###### cylera com ###### The name is still “Actuator.dll” but the entry function is renamed from “MyDllMain” to “ControlTrace” (Figure 69). Figure 69: Kwampirs sample with ControlTrace as entry function The number of arguments in the reporter invocation can now be zero, 6 or 7. Only with 6 or 7 arguments, the communication thread is launched. With 7 parameters, the communication is performed through the “proxy process” component already mentioned (Figure 70). Figure 70: Kwampirs communication when arguments number is 7 ----- ###### 50 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The size of the sample is increased to 530 because of the resource image containing the “process proxy” payload, while previous samples were around 148Kb. This sample has two large C2 lists (~100 URLs each), like the previous Kwampirs C2 lists, but stored in clear text (Figure 71), as opposed to other Kwampirs. It is strange because previous versions were already decrypting the lists in runtime. Our researchers believe they were in the middle of a refactor of the configuration, as explained in the next point. Figure 71: List of C2 in plain text INDEX ###### In this sample, something strange happened with the encrypted configuration. The main configuration decryption function gets a new function level -- a function on top of it. The size of the C2 lists appears to now be stored in ASCII, and it gets converted to an integer with the atoi() function. This is strange because the size was not “moved around” before. It was just accessed directly where it was needed and in binary (integer) format already. But in this sample, it is in ASCII in one fixed offset, and then converted to integer (Figure 72) and used later in other parts related to the C2 lists configuration preparation. At the same time, the offsets of the configuration lists (with the sizes) are grouped by the end of the old decryption routine. Figure 72: Traces of auxiliary code related to the template system. ###### cylera com ----- ###### 51 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The upper level function processes these offsets as raw buffers, converting the ASCII raw lists (separated by new lines) to arrays (Figure 73). This is all auxiliary code related to the template system. Figure 73: Kwampirs auxiliary code related to the template system. INDEX ###### The C2 lists are not encrypted, but our researchers conclude this could be exactly the version where the builder and template were being created (or tested) because: 1 Previous reporters have the C2 lists encrypted. Researchers believe they were testing the builder options and one was C2 list encryption. 2 It seems strange that these offsets all get grouped by the end of the routine. It is a sign the developers were doing a refactor preparing all the code related to supporting the template system. Our researchers confirm most of the properties that can be set with the placeholders seen from the leaked template are grouped at this area. 3 And the sizes appear stored in ASCII, not as binary. They just copy the values of the templates as ASCII, and then a conversion is needed. Neither the small traces “leaking” the presence of the template, nor the failing code wrapping the dead code on the x64 Dropper, were found in Shamoon 1. Then this is probably because there was no builder yet (or if there was, it was a very rudimentary one). The most simple explanation is that Kwampirs was possibly first using this template system, and then this system was adopted back to Shamoon 2 (as it is a clear copy), but failed in the macro wrapping code (Ops problem now ;-) ). Last but not least, checkout how this reporter starts impersonating user tokens via explorer.exe tokens for creating new processes. Here is how the “proxy process” is created: 4 First it will iterate through all the running processes to find the PID (process ID) of explorer. exe (Figure 74). Figure 74: Kwampirs code to find the explorer.exe PID ###### cylera com ----- ###### 52 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 2 Then it requests SeDebugPrivilege. Then it will open the process with the ID found for explorer.exe. and extract the User Token 3 (TokenHandle) 4 Lastly, it will use the token with CreateProcessAsUserW() (Figure 75). Figure 75: Launch process as user of explorer.exe process INDEX ###### Final thing to note: the user-agent string is built in the stack frame with mov instructions (Figure 76), possibly to avoid static analysis extraction/identification: Figure 76: Creation of user agent using mov instructions ###### cylera com ----- ###### 53 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Campaigns E and F followed by the others (A, B, C, D..) The sample with hash 6f7173b7ae87b5f3262e24a5177dbbd4413d999627f767754f08d8289f359bb3 belongs to campaign E, and it was uploaded to VirusTotal with a first submission date of 2016-06-23 15:40:12, note: before the first Shamoon 2 campaigns of late 2016! Cylera researchers believe the next samples would be the ones corresponding to Campaigns E and F, as opposed to Reversing Labs campaigns A and B. Simply because the garbage strings are the same, and they use them to evade antivirus firms that are created by using them. The reason is that Campaigns 1, E and F use the “garbage string” “hjghjkdsfhgdf\nuidfygf\njkjkjki” (Figure 77), while campaigns A, B, C and D use “11hjghjkdsfhgdf\nuidfygf\njkjkjki”. It would make no sense to go back again to an already used “garbage string” after changing it (but who knows? It doesn’t make much sense to have the previous string contained inside the next one too). Figure 77: Garbage string contained in sample 6f717 In terms of code, campaigns A to F use almost the same source code. There are very few differences between campaigns A and C, in the way the strings are treated to temporary file naming (2 wsprintfs instead of only one and a loop), but that is a pretty minor difference. The match is almost perfect. However, focusing on reviewing the differences of this set of versions in comparison to Campaign 1, which are just a continuation: More static strings become “built strings”, or in other words, strings built in the stack frame issuing movs. This way strings are hidden for commands extracting raw/static strings from the binary. INDEX ###### cylera com ###### Campaign 1, invocation of downloaded module can be seen at Figure 78. Figure 78: Invocation of downloaded module in campaign 1 Campaigns A to F (Campaign E in this case), invocation of downloaded module (Figure 79). Figure 79: Invocation of downloaded module in campaigns A to F ----- ###### 54 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The URL format string is one of those strings built in stack: Implementation in Campaign 1, shown at Figure 80. Figure 80: URL string format in campaign 1 Implementation in Campaigns A to F (Campaign E in this case), shown at Figure 81. Figure 81: URL string format in campaigns A to F INDEX ###### While Campaign 1 hardcodes a null byte (Figure 82, first param) in the buffer that will be sent to the C2 in the first request, Campaign C hardcodes a string formatted as a ‘7’ followed by an integer value (Figure 83, at the format string). This constant is passed as the first parameter of the function responsible for retrieving the first set of host information (MAC address, system and version info, keyboard layouts): Implementation in Campaign 1: Figure 82: Hardcoded 0 in fetch_preinfo function Figure 83: Hardcoded 7 plus random number in prefetch_system_info ----- ###### 55 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Another thing changing with respect to Campaign 1 is the way it performs some write opera- tions in the Windows root directory. It does a 2-stage write pivoting in temporary files and then concatenates with a cli command, probably to avoid some antivirus signatures and other detec- tion systems (Figure 84). 1 First it creates two temporary files. 2 Then it will use one temporary file to store the first byte of the string. 3 It will check if the write was completed for the 1 byte. 4 If it works, it will write the reminder of the string in the secondary file. 5 Then it will check if the write was completed for the second chunk. If all the operations complete successfully, then it will invoke the command copy, passing 6 these two temporary files to concatenate its contents into the final destination file. 7 At last it will make sure the final destination was created : Figure 84: Dropping payload pivoting on two temporary files to evade Antivirus INDEX ###### cylera com ###### An example commandline of this concatenation would be Snippet 11. ###### cmd.exe /c copy /y /b “C:\Users\user\AppData\Local\Temp\Fh16965.tmp” + “C:\Users\user\AppData\Local\Temp\Fh173F5.tmp” “C:\Windows\inf\mtmndkb32.PNF” ###### Snippet 11: Dropping the payload concatenating contents of two different files, to evade Antivirus Shamoon 2 Late 2016 and after Shamoon 2 appeared back in November 2016. Turns out the reporter’s URL format is different to Shamoon 1, but the format string matches the format of Kwampirs URLs (Figure 85), just a different path and parameter names but the same URL and binary message formats. More importantly, the reporter of both Kwampirs and Shamoon 2 collects the same host information (API calls) for the initial request. Figure 85: URL decrypted in Shamoon 2/Kwampirs Shamoon2 reporter has also the same code for processing the data rendered by the template system, indicating that someone transferred this code from Kwampirs to Shamoon 2 (Figure 86). Figure 86: Shamoon 2 auxiliary code of the template system ----- ###### 56 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### On the other hand, this Shamoon 2 reporter is still downloading EXE modules instead of DLLs. Kwampirs and Shamoon 2 are not using the same reporter code directly, but just maintaining both as separate projects and sharing some of the improvements in the evolution of both families. The Shamoon 2 reporter’s initial information gathering is used for building the first request to the C2 (Figure 87), matching the Kwampirs Reporters behavior (MAC address, system and version info, keyboard layout, check the C2 communications section). Figure 87: Shamoon 2 collection of system information (MAC address, OS and keyboard) INDEX ----- ###### 57 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### The fork is completed then, as Shamoon 2 is following its own code branch (influenced by Kwampirs modifications), and the same with Kwampirs, which follows its own development line. But at the same time, the C2 communications follow the same specifications, except the responses (EXE components and detonation dates for Shamoon, DLLs for Kwampirs). Something else to notice here is that many of the Shamoon 2 literal strings are now decrypted in runtime, with a simple algorithm based on single value addition. And Kwampirs started using decryption of strings in runtime too, but with a simple XOR based algorithm. The sample 886e7 was using GetTcpTable as a way to speed up the propagation process, and Kwampirs inherited this, then also GetExtendedTcpTable. But Shamoon 2 and 3 do not use it, lending credibility to the intentionality to keep two different families, one with reconnaissance purposes, and the other with purely destructive goals, limiting its spread in order to better control the scope of damage. One of the late Kwampirs (as mentioned in another section), leaks the reporter template with a dropper of 1314a078a06d1dc528014715d229b173ed5fbdff42ccde33fb933cdb0b82727e (explained in the “Builder exposed” section). Shamoon 2 and 3, in their 64-bit dropper, leaks similar placeholders on a buggy, unfinished, or incomplete template render. This is also commented on in the attribution section. The analysis could continue with Shamoon 3, which also leaks these placeholders on the x64 dropper, but there aren’t any further significant details to point out. Following this sort of reporters, Cylera researchers want to point out that this is a clear sequence of small improvements between versions, in such a way that Kwampirs’ reporter does not appear as its own version from scratch. Instead there is a path of small improvements step- by-step starting from Shamoon, through the reporters of 886e7, Campaign 0, the samples between 0 and Campaign 1, in Campaign 1, and then the set from A to F. Many of those changes were also applied back to Shamoon 2 and 3 reporters (starting around December 2016), with the motivation of evading detections, protecting the botnets from third-party operations (cryptographically signing and checking the downloaded modules), and improving in terms of efficiency. The improvements increased the stealth, complicating static and dynamic analysis, and indicating that the development of the Kwampirs and Shamoon components evolved as a linked chain sequence from Shamoon 1 (Figure 88). INDEX August 2012 November 2016 December, 2018 ### 1 2 3 Shamoon 1 Shamoon 2 Shamoon 3 Shamoon 886E7 kwampirs Campaign 0 kwampirs Campaign 0-1 kwampirs Campaign 1 A sample corresponding to Campaigns E was uploaded to Campaigns E&F VirusTotal in June 23rd, 2016, before Shamoon 2 campaigns Campaigns A&B URL new format Runtime config decryption Campaigns C&D Host info Template system ###### cylera com ###### Figure 88: Mixed reporter history (Shamoon1 - 886e7 - Kwampirs - Shamoon 2) ----- ###### 58 ANALYSIS SECTIONS The linkage between Kwampirs and Shamoon 5.5 Shamoon Usage Unit 42’s analysis of Shamoon 2 uncovered a zip file containing tools used by the attackers to deploy Shamoon in a target organization. This showed that attackers would manually infiltrate an initial server, referred to as the Distribution Server by Unit 42, which was then used to infect the organization. Interestingly, the infection itself was done manually, using scripts and binaries contained in the zip file. Shamoon’s propagation method only scans the host’s local /24 range, like Kwampirs’. Many researchers have wondered how Shamoon could prove so destructive, destroying 30,000 hosts in its 2012 attack, when each infected host could only infect devices on its local subnets. No matter what the host’s true local subnet is (/23, /24, /25, etc) it could only possibly infect up to 256 hosts (254 if it is indeed on a /24) for each network adapter with an IP address. However, each of those infected hosts could only infect the same hosts that the original host could, as they reside in the same /24. Only if it had more than one network adapter could it propagate over a different subnet, which still sounds somehow limited. The finding of the zip file by Unit 42 sheds light on how mass destruction was made possible. The distribution server contained a list of hosts that the attacker would compromise and infect with the Shamoon dropper, using scripts and binaries in the zip file. These hosts span multiple subnets, and from there infect hosts on their local /24. Therefore, the propagation between /24 ranges was done from the distribution server, surprisingly manually (with the helper scripts). What does this tell us? First, there is clearly a heavy reconnaissance phase -- not only is a list of hosts needed, but the Shamoon binaries themselves often contain credentials specific to the organization. Shamoon is not suited for this reconnaissance, so it is possible that attackers used another tool to handle this process (if it was not done manually). This also shows us that the usage of template systems was a certain necessity. Beyond customizing binaries for new large campaigns, attackers often had the need to customize binaries for each individual target. The sloppy nature of some binaries (i.e. including double resources or the template resource) may indicate that the attackers did this as part of their initial infection phase on the distribution server. INDEX ###### cylera com ###### Next, the issue regarding /24 spread raises an interesting point -- Kwampirs actually worked around this by adding usage of Get*TcpTable to the second (and later) variants. This looked for active connections on the infected host and attempted to spread to the remote peers (no matter from which subnet). Interestingly, Shamoon did not include this type of functionality, even in later versions. One would assume that this would be desired functionality in Shamoon, and if the two threat actors were linked they would have added it to both. However, it may very well be the opposite; for malware of a destructive nature, the attackers may have wanted stricter control over where the wiper would propagate. This way it would not spread to, and wipe hosts on, unintended remote networks, networks over VPN connections, etc. The Shamoon binaries often included credentials specific to the organization, which prior researchers believed were retrieved from the organization’s AD servers. As most workstations will often establish connections to them, Kwampirs’ usage of GetTcpTable may have stemmed from the desire to reach these servers for reconnaissance. Researchers have uncovered usage of other tools like ISMDoor linked to Iranian APTs, such as Greenbug, directly before Shamoon 2 and Shamoon 3 attacks, so it is clear that the attackers use multiple tools throughout the entire attack process. Usage of Kwampirs would provide an additional benefit: because the propagation mechanisms were extremely similar (Kwampirs contains the same propagation as Shamoon plus the extra Get*TcpTable mechanism that enables wider propagation), the spread of Kwampirs would provide an indication of how Shamoon’s spread would work. This would potentially let the attackers gauge the magnitude of damage that Shamoon could perform, while disguising the fact that they were planning a wiper attack if the Kwampirs sample was discovered (as it did not contain a wiper). ----- ###### 59 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### 5.6 Regarding Shamoon open source projects Researching on attribution, the first thoughts were pointing to original Shamoon authors. However, it turns out there are at least two reverse-engineered versions of Shamoon’s source code publicly available. This fact turns attribution into something even more complicated, and our researchers took some time looking very thoroughly into these projects: christian-roggia/open-Shamoon (developed by Christian Roggia) micrictor/disttrack (developed by Michael R. Torres but based on Christian Roggia’s first source, as the license headers display “Copyright 2013 Christian Roggia”) Most of the code of Torres’ Disttrack is based on Christian Roggia’s open-Shamoon, and the earliest date (2013) can be found on the copyright headers of the source files. There are a lot of obvious differences with Kwampirs, as this project’s purpose is to mimic Shamoon as much as possible. But even with Shamoon (and Kwampirs), one can spot some differences, since people inferring the code can make some mistakes or interpretations that do not really adjust to the exact code, leading to small inconsistencies. Taking some time, one can find this kind of inconsistency between the open sourced codes and the binary samples, in utility functions usage, and even in the logic’s interpretation. As an example, in the original Shamoon 1 sample while reading the addresses of network adapters, a conversion to ASCII string is performed. Then the length of the resulting string is calculated, and this value minus one is compared against the number 18 (Snippet 12). Even decompilers will display the original Shamoon version like this (same as Kwampirs). ###### Snippet 14: Michael Torres’ source code of Disttrack Referenced line can be found here: micrictor/disttrack Comparing the length being less than or equal to 19 is totally correct in terms of logic, as it is the same as the length of “minus one” (less than or equal to 18). At assembly level, we found this “minus one” in the original Shamoon and Kwampirs, as “lea ecx, [eax-1]” (Figure 89), but cannot find it in the reverse engineered versions. Cylera researchers do not believe the compiler would introduce this “minus one,” but the source code itself would have it. If the compiler introduced it, it would be treating an unsigned number as signed, which in some cases (i.e. when comparing to greater than zero) could be just catastrophic as the integer could underflow. But researchers do not discard a person optimizing the comparison erroneously like this. Therefore, if Kwampirs was based on those projects, our researchers believe this kind of inconsistency would have been populated to newer binaries, and it looks like that did not happen. Kwampirs keeps that “minus one” in its code, so it seems that Kwampirs code was not based on either of these two reverse engineered projects. Kwampirs binary: Figure 89: Kwampirs containing the -1 operation ###### And Torres’ Disttrack has the following code for the same comparison (Snippet 14), probably based on the previous version of Roggia’s Shamoon code, per the copyright header date. ###### if(strlen(inet_ntoa(in)) <= 19) ###### if ((unsigned int)(result_of_strlen_addr_in_ascii - 1) <= 18) ###### Snippet 12: Shamoon 1 and Kwampirs decompilation Note the “minus one” after the string length. But, on the other hand, Roggia did the math and simplified the code in open-Shamoon (Snippet 13). ###### if(strlen(inet_ntoa(in)) <= 19) ###### Snippet 13: Christian Roggia’s source code of open-Shamoon Referenced line can be found here: christian-roggia/open-Shamoon INDEX ###### cylera com ----- ###### 60 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Shamoon’s binary has the same instructions as Kwampirs (Figure 90). 5.7 From Kwampirs to Shamoon 2 After finding the leaked template and discovering the template system for Kwampirs (Figure 91), Cylera researchers thought it would be worth it to check for any traces of these placeholders in Shamoon 2. Figure 90: Shamoon containing the -1 operation Figure 91: Unrendered Kwampirs placeholders in the template found (a reporter), auxiliary code related to the C2 lists and options as well as the steganographically hidden payloads at the PE resources. INDEX |Col1|Col2| |---|---| ||| ###### cylera com ----- ###### 61 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### Turns out we have found some hidden handlers in Shamoon 2 (and 3), see Figures 92 and 93. pointing to the same Kwampirs template system (which is also explained at section “Common Template System Exposed”), specifically at the 64-bit version of the dropper component (which is first hidden at the resources of the 32-bit dropper). Reference code is found at one of the configuration decryption related routines (64-bit dropper with sha256 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34 function 0x140004900 ): Figure 92: mistakenly unrendered Shamoon 2 placeholders that can be found at the 64-bit dropper, related to hidden payloads Figure 93: more unrendered Shamoon 2 placeholders INDEX ###### ###AV1### and ###AV2### placeholders are located in the same area as the resource payload configuration settings, needed for payload extraction: at the configuration decryption routines. Our researchers have matched these placeholders corresponding to the resource configuration related to the 64-bit version of the dropper. It is very likely to be dead code related to the macros handling the multi-architecture compilation process. In Shamoon 2, the same source code is used for producing 32-bit and 64-bit binaries, and the 32-bit version of the dropper embeds the 64-bit version as a resource named x509. But the 64-bit dropper does not need to embed yet another dropper for a different platform, and this is why these placeholders were not rendered for the 64-bit dropper, which is correct. The attackers’ mistake is that they did not wrap the related instructions with a macro similar to the following example in C code shown at Snippet 15, which lead to the inclusion of dead code containing the unrendered placeholders in the final 64-bit dropper: ###### #ifdef __COMPILATION_FOR_X86__ ... // Instructions for decrypting 64-bit Dropper, with vars like ###AV1### #else // Leave this empty to avoid leaks #endif ###### Snippet 15: What should have been done to the 64-bit dropper to prevent the placeholders from being leaked ----- ###### 62 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### A macro like that one would have omitted the insertion of the code related to those two placeholders, avoiding the exposure of the presence of the builder at the configuration decryption routines (exposed in Figure 93). On the other hand, the attackers correctly handled similar macros when wrapping (avoiding to include) the 64-bit resource dropping (as expected) : The 32-bit version of the dropper checks if the architecture is 64-bit and tries to drop and switch to the 64-bit dropper executable (Figure 94). Figure 94: Conditional branch in 32-bit that allows deployment of a 64-bit executable The 64-bit version of the dropper does not check for any other architecture but just follows the normal execution flow (Figure 95). Figure 95: Lack of executable conditional branch on 64-bit INDEX ----- ###### 63 ###### ANALYSIS SECTIONS ###### The linkage between Kwampirs and Shamoon ###### On the other hand, because of the public dates known for Kwampirs and Shamoon 2 campaigns, it seems that the template system was implemented first in Kwampirs, as Kwampirs’ template system code was used before Shamoon 2 and 3 (or at least that’s what OSINT tells us). They both use a similar building process rendering configurations and binding components in the resources on the droppers. In Shamoon 1, the code didn’t contain the helper functions related to parsing the template values, indicating that the C2 and proxy configurations were very probably set manually at the source code in each compilation. If there was any builder, its functionality might be reduced to just binding the payloads into the dropper resources. ###### In conclusion, the Shamoon 2 dropper uses a template system with a similar placeholder format and an extremely similar auxiliary code. The builder exposure very probably links Kwampirs source code with the original Shamoon 2 (and 3) source codes. The placeholders are filled with information related to hidden payload extraction contained at their resources, such as resource identifiers, decryption keys and sizes. In addition, considering that the dropper and reporters are based on templates, the general process of the builder tool responsible for creating new Shamoon 2 and Kwampirs campaigns can be illustrated in the following diagrams Figure 95 (Shamoon 2 and 3) and Figure 96 (Kwampirs). ###### Looking at the Shamoon diagram, one has to admit that doing all this process manually would be really tedious. The template system just makes sense for weaponizing these families to gain agility and avoid mistakes while preparing operations. Figure 95: Building process for new campaigns in Shamoon 2 INDEX |Col1|pirs’ s ents ns| |---|---| ||e its| |New Campaign Config No template was found for shamoon 2 reporter but we ASA inferred it from common 64 Bit 32 Bit traces (the auxiliary code) used for the kwampirs leaked template ABA Reporter 64 bit Reporter 32 bit exe template exe template Other configs ###ASA### ###ASA### Render Render ###ABA### ###ABA### 64 bit exe 32 bit exe reporter reporter 64 bit exe 32 bit exe wiper wiper Eldos Driver Render and Render and resource resource binding binding ###AV1### ###AV1### ###AV2### ###AV2### 64 bit exe 32 bit exe dropper template dropper template Shamoon ready for distribution 64 bit exe dropper|| ###### cylera com ----- ###### 64 ###### ATTRIBUTION ###### The linkage between Kwampirs and Shamoon ##### 6 Attribution ###### 6.1 Connecting the Dots At Cylera Labs we assess: 6.1.1 Kwampirs is based on Shamoon 1 Confidence: High -- The Kwampirs developers had knowledge of the Shamoon 1 source code while creating Kwampirs. Findings that support this conclusion include: There is strong code and behavioral similarity between Kwampirs and Shamoon 1. Components such as the propagation module, dropper, and C2 communication inherit the majority of their code from a fork of Shamoon. Cylera researchers have found a sample (886e7) that seems to be an intermediate step in the evolution from Shamoon to Kwampirs, containing a mix of characteristics found in each family. While there are “open source” versions of Shamoon publicly available, each has numerous differences with Kwampirs, making the relation between the two codebases unlikely. Despite significant code overlap, it is important to note that Shamoon and Kwampirs do have differences in implementation or approach in a variety of areas, even as simple as the usage of EXE vs DLL files. It is not the case, therefore, that Kwampirs is simply a “slimmer” Shamoon with certain components removed, but a unique family created and maintained separately, whether due to differences in purpose or as properties that emerged due to the organizational structure of the threat actors. INDEX ###### cylera com ###### 6.1.2 Shamoon 2 is based on Kwampirs Confidence: High -- The actors behind Shamoon 2 (and later Shamoon 3) had knowledge of the Kwampirs source code while creating Shamoon 2, based on: Shared Template System & Builder Tool Kwampirs and Shamoon 2 (x64) contain traces of a shared template system and builder tool, including leaked placeholder strings present in a handful of samples and common auxiliary code for parsing the embedded values. This was not apparent in Shamoon 1 and is first found (in publicly-available samples) in Kwampirs. Shared Reporter Updates Indicating Co-evolution The “reporter” components of Kwampirs and Shamoon 2 contain signs of co-evolution over time, with Shamoon 2 mirroring updates first observed in Kwampirs. Both implement: the same custom communications protocol retrieval of the same initial host information a shared custom binary message format an encryption routine for build configuration parameters the same C2 URL format, all of which were first seen in Kwampirs campaigns based on publicly-known samples Given (1) Shamoon 1’s lack of auxiliary template system code, leaked placeholders, or the described reporter functionality and (2) Kwampir’s inclusion of these updates before Shamoon 2 (based on publicly-known samples) Cylera researchers conclude that the developers of Shamoon 2 had knowledge of the source code of Kwampirs during development. ----- ###### 65 ###### ATTRIBUTION ###### The linkage between Kwampirs and Shamoon ###### 6.1.3 Direct relationship between the Kwampirs and Shamoon actors Based on our analysis, including the following points: Shamoon 1 precluding Kwampirs: relationship described above implies that the Kwampirs group copied from the Shamoon 1 group Kwampirs precluding Shamoon 2: relationship described above implies that the Shamoon 2 groups copied from the Kwampirs group It is commonly accepted that the group behind Shamoon 1, 2, and 3 either belong to the same single group or a set of smaller groups within a larger organization This would imply both that the Kwampirs group copied from the larger Shamoon group and the larger Shamoon group copied from the Kwampirs group at different times over the course of multiple years We conclude with medium-high confidence that there is a direct relationship between the actors behind Kwampirs and the actors behind Shamoon 1, 2, and 3. The extended, bidirectional sharing of information between the two actors, revealed by the sequence of updates to each malware family, makes the possibility of a collaborative relationship more likely than alternatives such as false-flag operations or opportunistic theft and repurposing of source code. 6.1.4 A single actor is responsible for Kwampirs and Shamoon The previous claim implies a range of possible relationships, from weakest to strongest: **A** Different groups with a working collaborative relationship **B** Different groups within the same larger parent entity **C** The same group ###### Of the three possibilities, Cylera researchers believe that the first (A) is least likely, for reasons including: Shamoon actors would probably prefer to avoid sharing source code for malware they intended to reuse; this would increase the possibility of later detection and add the risk of the Shamoon actors receiving false attribution for activities of the third-party campaigns Kwampirs actors would likely not want to base their recon malware on Shamoon, risking having it attributed to them INDEX ###### cylera com ###### The apparent serialized sequence of updates, observed in the publicly-known samples, seen across Kwampirs and Shamoon would not be characteristic of two separate entities working in parallel Dev timelines never overlap, seeming like it’s one group shifting efforts. 201x-2013 Shamoon, ~2014-2016 Kwampirs, 2016- Shamoon 2, 3 Considering the common attribution of Shamoon to Iranian APTs specifically, the following points also support this conclusion: Iranian APTs would very likely primarily collaborate with other nation-states; this limits the number of potential collaborators and therefore the likelihood that they are an external collaborator Known to collaborate with Hezbollah, but differences in resources and skill between the two nations at the time of development make this type of bidirectional collaboration unlikely Iranian “cyber army” structure is fragmented in a way that would naturally lead to the types of patterns observed without any third-party involvement The victimology of the Kwampirs campaigns had significant similarities to that of campaigns by Iranian APTs (i.e. stonedrill and newsbeef), including heavy targeting of Saudi Arabia and regular targeting of hospitals Of the remaining two possibilities (B and C), prior reports of the involvement of multiple Iranian APTs in the Shamoon 2 attacks would leave the second option as the only possibility. However, recent reports by Clearsky have claimed that the multiple Iranian APT groups commonly attributed to Shamoon 2 by the security community (specifically APT33 and APT34/Oil-Rig) have in fact always been one single group. In either case, the final conclusion is that Kwampirs seems to be related to Iranian APTs. Each of these two possibilities (B and C) would attribute the activity to threat actors linked to the Iranian state. So, assuming one of these two commonly accepted possibilities is truly valid, the final conclusion is effectively equivalent considering the scope of our report, as the remaining ambiguity is mostly a matter of understanding the inner workings of the Iranian cyber operations. Assuming Shamoon versions 1, 2 and 3 are correctly attributed to Iranian APTs, then this claim would also imply that the group behind Kwampirs is indeed an Iranian APT. ----- ###### 66 ###### ATTRIBUTION ###### The linkage between Kwampirs and Shamoon ###### 6.2 Other indicators and speculations At this point, our researchers want to point out some interesting facts that are just too weak by themselves to use for any kind of attribution, but that are still worth mentioning. 6.2.1 OilRig/APT34/Helix Kitten Cylera researchers found similar looking placeholders as Kwampirs, in OilRig’s custom toolset, as well as malware handles using a three-hash constant string somehow (“###“). Keep in mind that the first Kwampirs samples were reported in January 2015. In May 2016 OilRig was discovered doing a reconnaissance campaign targeting Saudi Arabia with the Helminth executable variant, using a custom Keylogger module which is dropped to a PE32 executable file named wintrust.hlm (Figure 96), and it contains the following strings (at function 0x10001E30). Figure 96: Strings contained in Keylogger module of Helminth “####T####” would correspond to the placeholder for the symbol or string indicating the beginning of the “Title”; “####ET####” would correspond to the symbol or string for the “End of Title” (similar as Kwampirs “###APB###” was related to “Proxy Bypass” information). It is true that it is a sequence of four ‘#’ instead of three wrapping the acronyms, but the style is so similar that researchers wanted to point it out. Someone might think that these strings are just literals and not placeholders, but no other literals were found with this kind of format in these binaries (Snippet 16). ###### Snippet 17: Example of a captured clipboard content written by the helminth keylogger module It could just be coincidental that a similar format was used, but it could also be that they forgot to add these placeholders to the list of placeholders to render, especially if the source code developers were not the same as the ones converting them into templates, or if the keylogger was developed by a different person and the integrator did not realize the need to render them. “####ET####” means “End of Title”, and maybe it should have been rendered to strings similar to the “<<<” and “>>>”, so it would look pretty similar to the clipboard format. Our researchers have found multiple use of the substring “###”, and combinations of it, in OilRigs custom toolset and/or campaigns. From powershell to binary executables, used as empty or default values, or for signaling payload offsets, even in the Oilrig campaign in which they were dubbed OilRig: In the file adbmanager.exe, part of the Helminth executable variant (adbmanager.exe), in the same campaign where the placeholders “####T####” and “####ET####” can be found, another match of the substring “###” is found, this time it is a value of “#*###”, that in the powershell version was just “###”. Also note that when checking for the DNS resolution of the IP “35.35.35.35” (Figure 97), the ASCII code 35 is in fact a ‘#’ symbol. Figure 97: Placeholders in adbmanager.exe (Helminth) ###### In this example, the clipboard was stored in the same file, but with a different looking format (Snippet 17). ###### <<< Clipboard ---> [clipboard contents]>>> ###### ####T####[Window title here]####ET#### ###### Snippet 16: Example format of a captured window title written by the helminth keylogger module INDEX ###### cylera com ----- ###### 67 ###### ATTRIBUTION The linkage between Kwampirs and Shamoon The Helminth powershell version used the substring “###” as explained by Mandiant and LogRhythm, as a default value for the “botid”. Also in some campaigns they try to hide the “three hashes in a row” by splitting and concatenating it like in Figure 98. Figure 98: Helmint powershell version “###” string obfuscation This might have been done for AV/Sandbox evasion after the first campaigns to avoid detection. “###$$$” as a delimiter, signaling the offset of the payload to drop. These samples were identified as “ThreeDollars” by Unit 42, but the other part (the prefix “###”) was there too. It could have been called ThreeHashes too.. Not as just three in a row, but helminth also uses a string with value “#command#” as a separator between a GUID and the command being sent in their custom DNS C2 tunneling protocol. For example, with a sequence of “#command###filename” it will issue a victim to upload that filename. This could also be an unfinished placeholder, as OilRig does not really need to say “this is a command” when they know their own protocol, and it sends unneeded traffic over DNS, something that exposes them even more. But maybe not. Cylera Labs admits that OilRig using placeholders like “####T####”, “####ET####”, or “###$$$” does not provide enough indicators to imply that they are the group behind Kwampirs and Shamoon, but it is unavoidable to consider that these indicators could really be related. That’s why we decided to share them here, so other researchers can take advantage of them when trying to cross correlate toolsets, artifacts, or handles for attribution. On the other hand, taking into consideration that APT33 and APT34/OilRig have been discovered cooperating in other campaigns, likely sharing attack infrastructures, as well as the fact that some of the alleged members of both groups have been identified in leaks linked to Kavosh Security Group, our researchers believe Kwampirs could be a result of this cooperation between both groups. INDEX ###### Also, the APT34/Oilrig threat actor has been performing similar CNE operations as Kwampirs, with target overlaps where the malware payload consists of a set of shell commands that will extract typical Host and Domain/Network information, as well as processes, services and so on. For example with Helminth it executes the commands at Snippet 18. ###### whoami hostname ipconfig /all net user /domain net group /domain net group “domain admins” /domain net group “Exchange Trusted Subsystem” /domain net accounts /domain net user net localgroup administrators netstat -an tasklist sc query systeminfo reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” ###### Snippet 18: Information gathered (commands executed) by Helminth. ----- ###### 68 ###### ATTRIBUTION ###### The linkage between Kwampirs and Shamoon ###### In another example, with Poison Frog they execute the following commands at Snippet 19. On the other hand, Kwampirs first version, as indicated by Symantec’s first report, does execute the following commands at Snippet 20. ###### whoami hostname ipconfig /all net user /domain net group /domain net group “domain admins” /domain net group “Exchange Trusted Subsystem” /domain net accounts /domain net user net localgroup administrators netstat -an tasklist systeminfo reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” schtasks /query /FO List /TN “GoogleUpdatesTaskMachineUI” /V | findstr /b /n /c:”Repeat: Every:” WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List ###### arp -a systeminfo hostname ver routeprint getmac ipconfig /all netstat -nao tasklist /v tasklist /svc netshare net users set net accounts net config workstation net localgroup administrators net localgroup users net localgroup /domain net use net view dir /s /a c:\ >> “C:\windows\TEMP\[random].tmp” date /t ###### Snippet 19: Information gathered (commands executed) by Poison Frog. INDEX ###### cylera com ###### Snippet 20: Information gathered (commands executed) by Kwampirs (initial version of the downloaded component). ----- ###### 69 ###### ATTRIBUTION ###### The linkage between Kwampirs and Shamoon ###### And Kwampirs’ later versions make a switch to more specific WMI commands (Snippet 21), with a deeper interest in the hardware components (not only the drives), something that actually makes sense if their interests target medical devices and the workstations controlling them as well as Windows-based IoMT. ###### hostname getmac ver arp -a systeminfo wmic nic get caption,AdapterType,Manufacturer wmic timezone get caption wmic IRQ get caption, IRQNumber wmic port get StartingAddress, EndingAddress wmic csproduct wmic computerSystem wmic baseboard wmic cpu wmic partition wmic bios wmic startup wmic netlogin wmic portconnector wmic memphysical wmic share wmic logon wmic OS wmic logicaldisk get caption,description,size,providername wmic desktop wmic process get caption,commandline time /t date /t ###### Snippet 21: Information gathered (commands executed) by Kwampirs (newer versions). OilRig may or may not be the exact same actors behind Kwampirs. Definitely some of the style, with “living on the land” information gathering, and many TTPs are matching with this group, apart from what McAfee has already said about Shamoon 2 sharing the same infrastructure as OilRig (cited here as “Oil-RIG” ). INDEX ###### 6.2.2 “Ansar Group” The Ansar Group, a hacking team known to work directly for the Iranian government, had a batch of internal documents leaked by Lab Dookhtegan in 2020. Included in these documents are diagrams outlining possible future targets (Figure 99). Reviewing the translation of the original images, it’s clear that hospitals and healthcare-related organizations, even the Ministry of Health, were well within the scopes of this group, allegedly under the direction of the Iranian government: Figure 99: Health services targets of Ansar Group They also target a lot of military medical centers and cities, target types that match Trend Micro blog post (Figure 100). Figure 100: Military medical centers target of Ansar Group ###### cylera com ----- ###### 70 ###### ATTRIBUTION ###### The linkage between Kwampirs and Shamoon ###### The diagram even decomposes them by region (Figure 101). Figure 101: Medical targets of Ansar Group by region Obviously this does not imply that Kwampirs was done by the Ansar group, but it strongly suggests that the Iranian government would be heavily targeting healthcare in cyberspace. INDEX ###### 6.2.3 A strange match Cylera maintains a set of “livehunting” rules in VirusTotal. A rule based on a Kwampirs XOR key matched on a binary that was not Kwampirs nor Shamoon (upload date 2019-01-30). Looking closer at it, Cylera researchers realized it was a binary designed for a CTF game (ANSSI SSTIC 2016, SHA256: 0d39c9c1d09741a06ef8e35c0b63e538f60f8d5a7f995c7764e98a3ec595e46f - challenge.pcap this traffic capture contains a CTF game with a level called “video”, Figure 102). Figure 102: Level called “video” of ANSSI SSTIC CTF 2016 ###### cylera com ----- ###### 71 ###### ATTRIBUTION The linkage between Kwampirs and Shamoon Turns out the flag for passing the level was also an XOR key present in Kwampirs, indicating that it was not “an accidental leak,” but something done on purpose. They used one of the Kwampirs XOR keys to encrypt the data to leak in the game (28 30 A4 3F 6D 28 04 23 36 2A 32 DC AD 0B A0 4B E8 20 1F 64 84 0A F4 C4 C7 […]), and another Kwampirs XOR key as the final token for passing the level (53 11 37 16 72 BA 01 79 FA 3E 91 8A 83 BE DE B4). The description of the level states that “a cousin of DUQU” (Snippet 22) has been discovered trying to steal the master key of a company called “ThaBus” (and at the metadata we can reed “Airlhes PKI oldschool screensaver”, and Airlhes means Airline). ###### This challenge has a description,a video and a binary that looks like a screensaver. The text at the game (extracted from the initial pcap that contains all the CTF levels embedded in it) explains that the master key of a company called “Thabus” was leaked, and that you have to help them identify how it happened. [...] Notre stagiaire - l’autre - prétend que nous serions la cible d’une puissance cyber-plus- forte-que-nous, que notre réseau déconnecté serait compromis par une cousine de l’APT DuQu et que ses différents modules permettraient le vol et l’exfiltration de nos clés très-très privées. [...] Selon lui, l’exfiltration serait réalisée à l’aide de l’économiseur d’écran, ce qui serait fâcheux car nous le distribuons aussi à notre client public chez qui un Centre de Création des Clés identique au nôtre a été installé. Il prétend aussi que notre clé privée principale, la mère de toutes les autres, aurait été exfiltrée. Nous ne pouvons laisser notre stagiaire - l’autre - semer la panique sans preuves chez le client qui nous fait vivre. [...] ###### Interestingly on similar timelines, APT33 targeted Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia (NGAAKSA), the Saudi General Authority of Civil Aviation (GACA), Snippet 22: level called “video” of ANSSI SSTIC CTF 2016 and Vinnell Arabia. So this CTF level could be suggesting that this European Airline had to handle an incident with Kwampirs (successful or not), which was recognized at the time as a There are not many airlines associated with buses out there, but it reminds us of a big one… cousin of DUQU because of the similarities and parallelism with Shamoon. AirBus. DUQU is considered a reconnaissance tool based on Stuxnet. Specifically, it is known to be a slimmed-down version of Stuxnet with just reconnaissance purposes for later operations, This would imply that in 2016 Kwampirs could have been used outside of the healthcare which coincidentally settles a parallelism between the relation of Kwampirs and Shamoon too, industry, against aviation/aerospace. With this incident, the victimology would look fully aligned at least at the technical level. Cylera labs did not find any evidence of Kwampirs being used with the targets of APT33 at that time, which makes our researchers believe that, because before any Shamoon attack, with both having different goals/industry. of the aggregation of all the indicators collected (the two malware families’ similarities, the builder/template traces, the reporters co-evolution, and this parallelism), Kwampirs attribution is pointing to APT33/APT34 and/or the associated groups collaborating closely with them. Kwampirs would be to Shamoon what Duqu was to Stuxnet, but as far as we know Kwampirs was never followed by destructive attacks. But.. Hey! This was just a Capture The Flag game! ;) INDEX ###### cylera com ----- ###### 72 ###### CONCLUSION The linkage between Kwampirs and Shamoon ##### 7 Conclusion ###### Cylera researchers have discovered connections between Kwampirs, a malware variant deployed against global healthcare supply chains, and Shamoon, a highly-destructive form of “wiper” malware believed to have been used by state-backed Iranian APT groups. Initial similarities in code and victimology were demonstrated by Cylera researcher Pablo Rincon at the XIII STIC conference held in Madrid in December 2019. The similarities were further confirmed by a sequence of FBI PIN notifications and independent researchers in early 2020. Cylera researchers have since continued analysis of the malware and its infrastructure, uncovering further evidence of links between the two families that extend beyond simple code similarity. These findings include a sample that appears to be a stepping stone between Shamoon 1 and Kwampirs, evidence of co-evolution between the two families over time demonstrated by bidirectional updates. Also discovered was a previously-unknown template system and builder tool used by the operators for Shamoon 2 and Kwampirs. Researchers additionally confirmed that Kwampirs did not branch from public “open source” Shamoon projects and further confirmed Kwampirs’ focus on US and Saudi targets through expanded sinkhole telemetry collection. Based on these findings, Cylera researchers conclude the following: the actors behind Kwampirs and Shamoon have collaborated continuously -- medium-high confidence the actors are indeed part of the same group, including the possibility that they are the same developers -- medium confidence Given the common attribution of all Shamoon campaigns to Iranian APT groups, Cylera researchers believe this report extends this attribution to Kwampirs campaigns and similarly concludes with medium confidence that the Kwampirs campaigns were conducted by state- backed Iranian APTs. These conclusions, if indeed correct, would recast Kwampirs as a large-scale, multi-year attack on global healthcare supply chains conducted by a foreign state actor. The data gathered and systems accessed in these campaigns have a wide range of potential usage, including theft of intellectual property, gathering of medical records of targets like dissidents or military leaders, or reconnaissance to aid in the planning of future destructive attacks. There is no evidence indicating the actor’s true intended or actualized use, however, so the ultimate intention of the Kwampirs campaigns remains uncomfortably ambiguous. Regardless of intent, this would represent a broadening of state-backed campaigns targeting critical infrastructure and supply chains of foreign adversaries to broadly include the healthcare sector, a boundary that had not previously been so brazenly crossed and a shift for which many healthcare organizations are unprepared. INDEX ----- ###### 73 ###### ACKNOWLEDGMENTS The linkage between Kwampirs and Shamoon ##### 8 Acknowledgments ###### We would love to dedicate this investigation to healthcare researchers. Those who play everyday by analyzing DNA sequences, adding and extracting genes to understand how diseases and viruses work, their variants, analysing cells and proteins, those who are the reverse engineers of real life, researching diseases, combating the most destructive, like cancer, designing vaccines. They are part of what matters most. Nowadays we need them more than ever. Multiple persons have participated in this investigation. Cylera would like to give thanks to: Pablo Rincón Crespo (@PabloForThePPL) Paul Bakoyiannis Markel Picado Ortiz (@D00RT_RM) Cylera would also like to give thanks to: Harmeet Dhingra Jon Dimaggio Luis Neira Jim Edwards Anoop Saldanha Giuseppe Longo INDEX ###### cylera com ----- ###### 74 ###### ABOUT CYLERA The linkage between Kwampirs and Shamoon ##### 9 About Cylera ###### Cylera is a leading IoT cybersecurity and Intelligence company founded and headquartered in New York City, USA. Cylera’s next-generation platform extends to security and managing the full scope of connected IoT devices from enterprises to delivery. Benefits include asset discovery, monitoring and threat detection, reduced cyber risk, and alignment with the needs of the business and cybersecurity standards and frameworks such as Cyber Essentials, DSPT, NIST CSF, ISO 27001, HIPAA, NIS, PCI DSS and others. Cylera’s mission is to safeguard what matters most: the operational safety of people, assets, and processes that support our world. http://www.cylera.com INDEX ###### cylera com ----- -----