Академический Документы
Профессиональный Документы
Культура Документы
Loucif Kharouni
Feike Hacquebord
Numaan Huq
Jim Gogolinski
Fernando Mercs
Alfred Remorin
Douglas Otis
Forward-Looking Threat Research Team
Trend Micro | Operation Pawn Storm
CONTENTS
Introduction.....................................................................................................................................1
SEDNIT....................................................................................................................................2
Attack Timeline.........................................................................................................................2
Attack Details............................................................................................................................4
Attack Evolution........................................................................................................................5
Case 4: ACADEMI............................................................................................................14
Conclusion....................................................................................................................................16
References...................................................................................................................................17
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice.
The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on
or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend
Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise
related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the
translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind
as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend
Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall
be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising
out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information
constitutes acceptance for use in an as is condition.
Trend Micro | Operation Pawn Storm
INTRODUCTION
Operation Pawn Storm refers to economic Access (OWA) users from the previously
and political espionage attacks instigated by mentioned organizations. The OWA phishing
a group of threat actors primarily targeting attacks seemed effective and so could be
military, embassy, and defense contractor particularly dangerous to any organization
personnel from the United States and its that allows employees to use OWA.
allies. Opposing factions to and dissidents of
the Russian government, international media, An in-depth look at six multistage attacks
and even the national security department revealed one thing in commonthe use of
of a U.S. ally were also targeted. The threat SEDNIT/Sofacy malware [1], [2]. The use
actors used three attack vectorsspear- of such multistage downloaders provided
phishing emails with malicious attachments, attackers additional protection against
an advanced network of phishing websites, detection. We believe the threat actors aimed
and exploits injected into legitimate Polish to confuse their targets IT administrators
websites. Among the targets of the advanced by making it hard for them to string attack
phishing attacks were ACADEMI, a defense components together, thus evading detection.
contractor formerly known as Blackwater,
SAIC, and the Organization for Security This research paper details when certain
and Co-operation in Europe (OSCE). attacks occurred, what tools were used in
As discussed in this research paper, the attempts to get in to target networks, and
attackers used a simple but clever JavaScript target profiles to form a general picture of
trick to target Microsoft Outlook Web Operation Pawn Storm.
1
Trend Micro | Operation Pawn Storm
SEDNIT malware are mostly backdoors [3], [4] The investigation focused on a group of
and information stealers [5] that log affected attacks that has been dubbed Operation
users keystrokes, steal system information, Pawn Storm [6] due to the attackers use of
and send stolen information to remote two or more connected tools/tactics to attack
command-and-control (C&C) servers. a specific target similar to the chess strategy
it was named after. This paper illustrates how
Analyses of the SEDNIT infectors that arrived the Pawn Storm attacks were carried out with
as email attachments in the attacks featured the aid of five spear-phishing emails, which
in this paper revealed six distinct chains [see used contextually relevant subjects to get
diagram on page 3]. specific targets from different countries to
open weaponized attachments designed to
compromise their systems.
The attackers sent emails to potential victims, International Military.rtf. Trend Micro
including military, embassy, and defense received a sample of this on October
contractor personnel. The following emails 17, 2011 and has been detecting it as
were among those that were found related to TROJ_ARTIEF.AP [8] since then.
this operation:
An email sent to a potential victim
An email sent to a potential victim working from the Vatican Embassy
from the Ministry of Defense in France in Iraq used reports of a bombing
had an exploit for CVE-2010-3333 incident [9] that occurred on January
[7] disguised as a document named 9, 2012 as social engineering lure.
2
Trend Micro | Operation Pawn Storm
3
Trend Micro | Operation Pawn Storm
Attack Details
4
Trend Micro | Operation Pawn Storm
We only managed to collect latter- Although some of the C&C servers were still
stage payloads for two out of the six alive at the time of investigation, they did not
aforementioned attacks. The C&C servers respond to our infected systems. Repeated
tied to the other four attacks refused to serve attempts to trick the C&C servers into serving
the rest of the files to complete the attack the next files in the incomplete attack chains
chains. failed. The attacks they were tied to could be
time sensitive and it is possible that they no
Multistage attacks are a double-edged sword. longer hosted the files for succeeding stages.
If one link in the attack chain, aside from
the end node, is detected and removed in Attack Evolution
the initial infection stage, the entire attack
fails. On the other hand, having several
links in the attack chain makes detecting the Even though the filenames used for different
final component more difficult. Tracing the components remained fairly consistent from
previous and next links is also difficult when 2010 to the present, earlier attacks were
any of the components is inspected on its more elaborate and complex compared with
own outside the attack chain. those seen this year. The 2014 attacks we
have seen were more streamlined.
5
Trend Micro | Operation Pawn Storm
Although variations in past and current thingdetection evasion. The following table
attack chains exist, both are still being compares and contrasts the six Operation
used by threat actors to date to ensure one Pawn Storm attacks in greater detail.
6
Trend Micro | Operation Pawn Storm
7
Trend Micro | Operation Pawn Storm
Saver.scr drops:
Decoy
document
(Military
Cooperation.
Saver.scr drops:
doc; SHA-1: 0E
Dropper.exe drops: IDF_
12C8AB9B89B6
Decoy file Spokesperson_
EB6BAF16C4B W.q drops:
(Letter to IAEA. Targeted_
3BBF9530067 Coreshell.dll
pdf; SHA-1: 6ad Attack_101012.
963F) into (SHA-1: A85513
a11c71a5176a8 doc (SHA-1: F5
<Local 97E1F1A2C014
2a8898680ed1e 42C5F9259274
Settings>\Temp\ Dropper DLL drops 8E6EADCB56F
aa4e79b9bc3) APEC Media list D94360013D14
Skype.exe netids.dll (SHA-1: dd A35EE6009CA)
into <Local 2013 Part1.xls drops FFBECC43AAE
(SHA-1: 550AB 61530076152dae56 into <Program
Settings>\Temp\ dw20.t (SHA-1: ac6b 552), a decoy
D71650BAEA05 8b4834b1899212c9 Files>\Common
Downloader 465a13370f87cf579 document,
A0071C4E084A 6c1a02) into Files\System\
(netids.dll; SHA- 29b7cfd1e45c36945 into <Local
803CB413C31), <Local Settings>\ Tmp64.dat,
1: c5ce5b7d10a 85), a .DLL file Settings>\Temp\
a SEDNIT Application Data\ a copy of
ccb04a4e45c3a Install.exe
variant, coreshell.dll,
4dcf10d16b192 (SHA-1: BC58A
into <Local into <Program
e2f) into <Local 8550C53689C8
Settings>\Temp\ Files>\Common
Settings>\ 148B021C917F
Cryptmodule. Files\System\
Application B4AEEC62AC
exe (SHA-1: 4B
Data\ 1) into <Local
8806FE8E0CB4
Settings>\Temp\
9E4AA5D8F877
66415A2DB1E9
A9) into
<AppData>\
Microsoft\Crypt\
8
Trend Micro | Operation Pawn Storm
Military
Cooperation.
doc has been
encoded
using Cyrillic
characters and
opens in Word
Skype.exe
drops:
Downloader
(netids.dll;
SHA-1: 6b87
5661a74c46
73ae6ee89a
cc5cb6927ca Netids.dll downloads Install.exe drops Coreshell.dll
5fd0d), a and saves msmvs. netids.dll (SHA-1: 14 downloads conhost.
Netids.dll Dw20.t drops netids.
SEDNIT exe (SHA-1: 88f7e27 BEEB0FC5C8C887 dll (SHA-1: B49FAD
communicates dll (SHA-1: 3814eec
variant, into 1e54c127912db4db D0435009730B6370 3E5E6787E96373A
with a C&C server 8c45fc4313a9c7f65c
<Windows>\ 49e37d93aea8a49c BF94BC93) into C37ED58083F7572
(200.106.145.122) e882a7899cf0405)
system32\ 9) in <Local <Windows>\ D72A), a dropper,
Copy of Settings>\Temp\ system32\ from a C&C server
netids.dll
(mscsv.
tmp) into
<Windows>\
system32\
Cryptmodule.
exe drops s.vbs
(actually a
.PE and not a
.VBS file) and
communicates
with a C&C
server (windous.
kz)
9
Trend Micro | Operation Pawn Storm
Netids.dll
communicates
with a C&C
server
(70.85.221.20)
S.vbs (SHA-1: 0 Msmvs.exe drops
C&C server Conhost.dll drops
A3E6607D5E9 conhost.dll (SHA-1:
confirms receipt of Netids.dll Netids.dll advstoreshell.dll
C59C712106C3 55318328511961EC
communication from communicates communicates (SHA-1: E338A57C3
55962B11DA29 339DFDDCA044306
infected systems with a C&C server with a C&C server 5A4732BBB5F738E
02FC) runs 8DCCE9CD2) into
then stops further (70.85.221.10) (70.85.221.10) 2387C1671A002BC
CreateFile C:\\ <Local Settings>\
interactions B), a keylogger
DOCUME~1\\ Temp\
ADMINI~1\\
LOCALS~1\\
Temp\\update.
exe but does
nothing else
Conhost.dll drops
netui.dll (SHA-1:
Advstoreshell.dll
5A452E7248A8D37
sends logs of stolen
45EF53CF2B1F3D7
data to a C&C server
D8479546B9),
(software-update.
a keylogger, into
org)
<Windows>\
system32\
Netui.dll sends
logs of stolen data
to a C&C server
(200.74.244.118)
10
Trend Micro | Operation Pawn Storm
Exploits Spread SEDNIT Malware in the same time, tricked them into reentering
their credentials. To do this, the attackers
Poland redirected victims to fake OWA log-in pages
by setting their browsers open windows
The threat actors behind Operation Pawn property. The victims credentials thus ended
Storm spread SEDNIT malware via exploits up in the attackers hands.
on legitimate Polish websites. In September
2014, for instance, the Power Exchange Note that two special conditions need to
website in Poland, www.irgit.pl, was be met for the attacks to succeedvictims
compromised. The attackers rigged it with an should use OWA and click the embedded
iframe that pointed to http://defenceiq. links via the web portals preview pane. The
us/2rKYZ_BGxPM and http://api.akmicdn. attacks worked on any popular browser such
com/gpw?key=1072726955. The first link as Firefox, Safari, Chrome, and Internet
led to an exploit kit [14] that was responsible Explorer. No vulnerabilities need to be
for spreading SEDNIT malware. The exploited for the JavaScript to work.
ESET paper did not mention that an earlier
incident occurred in mid-July 2014 wherein Because many companies allow employees
a malicious iframe pointing to yovtube.co to use webmail services to access their
was injected into Polish government mailboxes while on business travel or at
websites though. And that the same domain, home, these attacks are likely to succeed.
defenceiq.us, was used against Japanese Once they do, attackers can gain access to
targets in September 2014. compromised mailboxes that they can then
use to gain a foothold in target networks.
It is remarkable that a mass infection
methodology was used by the Pawn Storm Throughout the course of investigation,
actors even though the actual SEDNIT several targets have been identified,
samples were only served to particular including:
targets. Actual exploitation was only triggered
when certain criteria that had to do with OS, ACADEMI, formerly Blackwater
language settings, time zone, and installed (United States)
software were met.
Broadcasting companies in various
countries
Next-Level Phishing Targets
Military attachs from various
The attackers used specially crafted emails countries
to redirect targets to any of several phishing
websites with domain names that were very Ministry of Defense (France)
similar to those of well-known conferences
and media outfits. These websites did not Ministry of Defense (Hungary)
host malicious content but visiting them
did lead to the automatic execution of a Multinational company based in
nonmalicious JavaScript. Links to these fake Germany
websites were then embedded in spear-
phishing emails and sent to selected targets. OSCE (Austria)
11
Trend Micro | Operation Pawn Storm
12
Trend Micro | Operation Pawn Storm
13
Trend Micro | Operation Pawn Storm
CASE 4: ACADEMI
Comparison of the legitimate (top) and spoofed
Malicious news domain: tolonevvs. (bottom) OWA log-in pages of ACADEMI
com
Apart from the four specific cases presented
Real news domain: tolonews.com above, evidence pointing to a fake OWA
server for a multinational company based in
Phished OWA domain: academl. Germany was also discovered. The threat
com actors registered a domain that looked
very similar to the targets real domain and
Real OWA domain: academi.com purchased a Secure Sockets Layer (SSL)
certificate for the fake domain as part of
This attack targeted the employees of U.S. preparations for a targeted attack. Trend
defense contractor, ACADEMI, using the Micro was able to warn the target early on,
same phishing tactics as in the second case. which helped thwart the threat.
14
Trend Micro | Operation Pawn Storm
Sample Gmail, Live Mail, Hushmail, and Yandex account phishing websites
15
Trend Micro | Operation Pawn Storm
CONCLUSION
Operation Pawn Storm used next-level Messaging security solutions such as Trend
spear-phishing tactics to obtain the email Micro InterScan Messaging Security
credentials of primarily military, embassy, [16] and the ScanMail Suite for Microsoft
and defense contractor personnel from the Exchange [17] can send suspicious email
United States and its allies. The threat actors attachments to a sandbox for analysis, thus
used a mix of spear-phishing emails and protecting recipients from threats. Other
specially crafted webmail service phishing products such as OfficeScan [18] for
websites to gain access to victims inboxes in endpoints and InterScan Web Security Virtual
hopes of getting better footholds inside target Appliance [19] for gateways can also block
organizations. So as not to raise suspicion, user access to known phishing websites.
the attackers used well-known events and
conferences as social engineering bait. They For overall protection against targeted
have been quite persistent as well, as we attacks, Trend Micro Deep Discovery
have seen evidence that attacks have been [20] can help protect potential targets by
going on since 2007. sandboxing and analyzing suspicious
attachments to identify phishing emails via
Apart from effective phishing tactics, the Email Inspector. Via 360-degree monitoring
threat actors used a combination of proven of network traffic to get networkwide
targeted attack staples to compromise visibility and intelligence, Deep Discovery
systems and get in to target networks allows users to detect and respond to
exploits and data-stealing malware. SEDNIT targeted attacks and advanced threats.
variants particularly proved useful, as It also monitors all ports and more than
these allowed the threat actors to steal all 80 protocols, giving users the broadest
manners of sensitive information from the protection available. Even more, specialized
victims computers while effectively evading detection engines and custom sandboxing
detection. help identify and analyze malware, C&C
communications, and evasive attacker
Trend Micro has notified the targets that have activities that are invisible to standard
been identified in this paper. Individuals and security solutions. Along with in-depth threat
their respective organizations, meanwhile, intelligence, it allows for rapid response
should use solutions that can help protect and automatic sharing with other security
against the various attack vectors that the products to create real-time custom defense
threat actors behind Operation Pawn Storm against attacks.
used.
16
Trend Micro | Operation Pawn Storm
REFERENCES
[1] Trend Micro Incorporated. (2014). [9] Post Staff. (January 9, 2012). New York
Threat Encyclopedia. SEDNIT. Last Post. Three Car Bombs Explode in Iraq,
accessed October 13, 2014, http:// Killing 17. Last accessed October 16,
about-threats.trendmicro.com/us/search. 2014, http://nypost.com/2012/01/09/three-
aspx?p=SEDNIT. car-bombs-explode-in-iraq-killing-17/.
[7] The MITRE Corporation. (19992014). [14] ESET Research. (October 8, 2014).
CVE. CVE-2010-3333. Last accessed WeLiveSecurity. Sednit Espionage
October 16, 2014, http://cve.mitre.org/cgi- Group Now Using Custom Exploit Kit.
bin/cvename.cgi?name=CVE-2010-3333. Last accessed October 23, 2014, http://
www.welivesecurity.com/2014/10/08/
[8] Trend Micro Incorporated. (2014). sednit-espionage-group-now-using-
Threat Encyclopedia. TROJ_ARTIEF. custom-exploit-kit/.
Last accessed October 21, 2014, http://
www.trendmicro.com/vinfo/us/threat- [15] COGES. (2013). EUROSATORY 2014.
encyclopedia/malware/TROJ_ARTIEF. The Largest International Land and Air-
Land Defence and Security Exhibition.
17
Trend Micro | Operation Pawn Storm
Last accessed October 17, 2014, http:// Last accessed October 22, 2014, http://
www.eurosatory.com/. www.trendmicro.com/us/enterprise/
product-security/officescan/.
[16] Trend Micro Incorporated. (2014). Trend
Micro. InterScan Messaging Security. [19] Trend Micro Incorporated. (2014). Trend
Last accessed October 21, 2014, http:// Micro. InterScan Web Security Virtual
www.trendmicro.com/us/enterprise/ Appliance. Last accessed October 22,
network-security/interscan-message- 2014, http://www.trendmicro.com/us/
security/. enterprise/network-security/interscan-
web-security/virtual-appliance/.
[17] Trend Micro Incorporated. (2014). Trend
Micro. ScanMail Suite for Microsoft [20] Trend Micro Incorporated. (2014). Trend
Exchange. Last accessed October 21, Micro. Deep Discovery Advanced
2014, http://www.trendmicro.com/us/ Network Security. Last accessed October
enterprise/network-web-messaging- 21, 2014, http://www.trendmicro.com/
security/scanmail-microsoft-exchange/. us/enterprise/security-risk-management/
deep-discovery/.
[18] Trend Micro Incorporated. (2014). Trend
Micro. OfficeScanEndpoint Protection.
18
Trend Micro Incorporated, a global leader in security software, strives to make the
world safe for exchanging digital information. Our innovative solutions for consumers,
businesses and governments provide layered content security to protect information
on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are
powered by cloud-based global threat intelligence, the Trend Micro Smart Protection
Network, and are supported by over 1,200 threat experts around the globe. For more
information, visit www.trendmicro.com.
2014 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend 225 E. John Carpenter Freeway, Suite 1500
Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. Irving, Texas 75062 U.S.A.
All other product or company names may be trademarks or registered trademarks of
their owners. Phone: +1.817.569,8900