1 Reply Latest reply on Jul 1, 2014 8:08 AM by SafeBoot

    Symantec Backdoor.Oldrea and Trojan.Karagany

    akif.akyuz

      Hi all,

       

      Does anyone know whether there are any McAfee signatures to prevent this malware (products: Network IPS, antivirus or HIPS)?

      SERVICE ALERT DETAILS


       

      Emerging Threat: Dragonfly / Energetic Bear – APT Group

      EXECUTIVE SUMMARY:

      On June 30th 2014, Symantec Security Response released a whitepaper detailing an ongoing cyber espionage campaign dubbed Dragonfly (aka Energetic Bear). The attackers appear to have been in operation since at least 2011. They managed to compromise a number of strategically important organizations for spying purposes and could have caused damage or disruption to energy supplies in affected countries. The two primary tools the group uses are Remote Access Trojans (RAT) named Backdoor.Oldrea and Trojan.Karagany.

      Targets

      Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013. Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial control system (ICS) equipment manufacturers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

      Tactics, Techniques, Procedures (TTP)

      The Dragonfly group uses attack methods which are centred on extracting and uploading stolen data, installing further malware onto systems, and running executable files on infected computers. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloguing documents on infected computers.

      The first phase of Dragonfly’s attacks consisted of the group sending malware in phishing emails to personnel in target firms. In the second phase, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in the energy sector in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.

      Well resourced, possibly State-Sponsored

      Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through multiple attack vectors while compromising numerous third party websites in the process. Its main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability.

      This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While there are parallels between the motivations behind the Stuxnet malware and the Dragonfly attack group, Dragonfly appears to be focused more on espionage, whereas Stuxnet was designed specifically for sabotage.

      Origins

      Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.

      Prior to publication of the whitepaper, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centres (CERTs) that handle and respond to Internet security incidents.

      THREAT TECHNICAL DETAILS:

      Remote Access Tool/Trojan (RAT)

      Dragonfly uses two main pieces of malware in its attacks. Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware tool is Backdoor.Oldrea, which is also known as Havex, or the Energetic Bear RAT. Oldrea acts as a back door for the attackers on to the victim’s computer, allowing them to extract data and install further malware.

      Oldrea appears to be custom malware, either written by the group itself or created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.

      Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers.

      The majority of C&C servers appear to be hosted on compromised servers running content management systems, indicating that the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.

      The second main tool used by Dragonfly is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan.Karagany!gen1.

      Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloguing documents on infected computers.

      Symantec found that the majority of computers compromised by the attackers were infected with Oldrea. Karagany was only used in around 5% of infections. The two pieces of malware are similar in functionality and what prompts the attackers to choose one tool over another remains unknown.

      Trojanized Software

      The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different Industrial Control System (ICS) equipment manufacturers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.

      The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.

      The second company to be compromised was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.

      The third firm attacked was a European company which develops systems to manage wind turbines, bio-gas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.

      The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising suppliers, which are invariably smaller and less protected.

      TARGETS

      • Aviation Industry – US and Canada (Pre 2013)
      • Defence Industry – US and Canada (Pre 2013)
      • Energy Industry – US and Europe (Spain, France, Italy, Germany, Turkey, Poland)
        o Energy Grid Operators
        o Major Electricity Generation Firms
        o Petroleum Pipeline Operators
        o Energy Industry, Industrial Control System (ICS) Equipment Manufacturers

      ATTACK VECTORS

      • Spear Phishing, Email Spam
        o February 2013 – June 2013
        o 7 organizations targeted
        o 1-84 emails sent to each organization
        o Sent to Executives and Senior employees
        o Sent from single Gmail account
        o Subject lines: “The Account” or “Settlement of Delivery Problem”
        o Emails contained a malicious PDF
      • Watering Hole Attacks, Exploit Kits
        o Watering Holes consist of compromise of energy-related websites
        o iFrame injected into each site
        o Redirects visitors to another compromised legitimate website
        o Compromised website hosts Lightsout Exploit Kit
        o Lightsout Exploit Kit
          § Exploits Java or Internet Explorer
          § Installs Backdoor.Oldrea or Trojan.Karagany on the victim computer
        o Hello Exploit Kit
          § Since September 2013
          § Landing page contains JavaScript which fingerprints system
          § Identifies installed browser plugins
          § Victims redirected to URL which determines best exploit to use based on collected information
      • Remote Access Tools/Trojans (RAT)
        o Backdoor.Oldrea (aka Havex, aka Energetic Bear RAT)
        o Trojan.Karagany
      • Trojanized Software
        o Compromise of legitimate software packages
        o Industrial Control System (ICS) equipment manufacturers

      MOTIVATION

      • Cyber-espionage
      • Sabotage as a definite secondary capability

      SYMANTEC MSS SOC DETECTION CAPABILITIES:

      For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.

      For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

      MSS SOC Analytics Detection

      • Malicious URL (WSM) Signatures
      • [MSS Threat Intel - Regex] Backdoor.Oldrea (Havex RAT) C2
      • [MSS Threat Intel - Hash] Backdoor.Oldrea (Havex RAT) C2
      • [MSS URL Detection] Possible Backdoor.Oldrea Command and Control Communications
      • [MSS URL Detection] Possible Backdoor.Oldrea C2 Communications (Regex)
      • [MSS URL Detection] Possible Trojan.Karagany Command and Control Communications
      • [MSS Threat Intel - Hash] Lightsout Exploit Kit (Hello EK) landing page

      Vendor Detection

      • FireEye
        o Trojan.Karagany
        o Trojan.Karagany:Local.Infection
      • Palo Alto
        o virus[2]/TrojanDownloader/Win32.karagany.[Random]
        o virus[2]/Virus/Multi.karagany.[Random]
        o spyware[4]/Karagany.Gen Command and Control Traffic
      • Snort/Emerging Threats (ET)
        o SID 2014230 ET TROJAN Karagany/Kazy Obfuscated Payload Download
        o SID 2015533 ET CURRENT_EVENTS Karagany checkin
        o SID 2015534 ET CURRENT_EVENTS Karagany checkin
        o SID 2804942 ETPRO TROJAN Win32/Karagany.E Checkin 2
        o SID 2804391 ETPRO TROJAN TrojanDownloader.Win32/Karagany.H checkin 2
        o SID 2017533 ET CURRENT_EVENTS Possible LightsOut EK sort.html
        o SID 2017534 ET CURRENT_EVENTS Possible LightsOut EK leks.html
        o SID 2017532 ET CURRENT_EVENTS Possible LightsOut EK inden2i.html
        o SID 2017541 ET CURRENT_EVENTS Possible LightsOut EK inden2i.php
        o SID 2017538 ET CURRENT_EVENTS Possible LightsOut EK start.jar
      • Snort/SourceFire (VRT)
        o SID 31252 BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT
        o SID 18279 MALWARE-CNC Win.Trojan.Karagany.A variant outbound connection
        o SID 30001 EXPLOIT-KIT Hello/Lightsout Exploit Kit Landing Page Detected
        o SID 30002 EXPLOIT-KIT Hello/Lightsout Exploit Kit Java Download Attempt
      • SEP/AV
        o Backdoor.Oldrea
        o Backdoor.Oldrea!gen1
        o Trojan.Karagany
        o Trojan.Karagany!gen1
      • SEP/IPS
        o System Infected: Backdoor.Oldrea Activity
        o System Infected: Backdoor.Oldrea Activity 2
        o System Infected: Karagany BOT Activity
        o Web Attack: Lightsout Exploit Kit
        o Web Attack: Lightsout Toolkit Website 4

      This list represents a snapshot of current detection. Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices. As threats evolve, detection for those threats can and will evolve as well.

      MITIGATION STRATEGIES:

      • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
      • Symantec recommends that all customers follow IT security best practices. These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.
      • Minimum Recommended Best Practices Include:
        o Use/Require strong user passwords (8-16+ alphanumeric characters, with at least 1 capital letter, and at least 1 special character)
        o Disable default user accounts
        o Educate users to avoid following links to untrusted sites
        o Always execute browsing software with least privileges possible
        o Turn on Data Execution Prevention (DEP) for systems that support it
        o Maintain a regular patch and update cycle for operating systems and installed software
      • Deploy network intrusion detection/prevention systems to monitor network traffic for malicious activity.
      • For technologies not monitored/managed by MSS, ensure all signatures are up to date, including endpoint technologies.
      • Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
      • Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
      • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
      • Do not follow links or open email attachments provided by unknown or untrusted sources.
      • Ensure staff is educated on Social Engineering and Phishing techniques.

      Thank you for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.

      Global Client Services Team
      Symantec Managed Security Services

      MSS Portal: https://mss.symantec.com
      MSS Blog: http://www.symantec.com/connect/symantec-blogs/managed-security-services-blog
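The signature names quoted in the alert above carry the only concrete indicators on this page: the LightsOut exploit kit landing-page filenames behind the ET SIDs (sort.html, leks.html, inden2i.html, inden2i.php, start.jar) and the Havex C2 domain behind VRT SID 31252 (toons.freesexycomics.com). The Python script below is an added example, not part of the original post or of Symantec's advisory. It sweeps a proxy access log for those indicators and, because the alert states that the LightsOut kit installs Backdoor.Oldrea, escalates any client that fetches a landing-page file and afterwards contacts the C2 domain. The log line format, the sample log lines, the client addresses and every URL path are constructed for this example; the path on the C2 host is a placeholder, not a known Havex C2 URL.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the vendor signature names quoted in the alert.
HAVEX_C2_DOMAINS = {"toons.freesexycomics.com"}                 # VRT SID 31252
LIGHTSOUT_EK_FILES = {"sort.html", "leks.html", "inden2i.html",
                      "inden2i.php", "start.jar"}                # ET SIDs 2017532-2017541

# Constructed proxy log format: "<iso-timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log; hosts, clients and paths are illustrative only.
SAMPLE_LOG = """\
2014-06-30T09:12:01Z 10.1.4.22 GET http://energy-news.example/index.html 200
2014-06-30T09:12:03Z 10.1.4.22 GET http://cms-victim.example/stats/inden2i.php?id=7 200
2014-06-30T09:12:05Z 10.1.4.22 GET http://cms-victim.example/stats/start.jar 200
2014-06-30T09:15:40Z 10.1.4.22 POST http://toons.freesexycomics.com/index.php 200
2014-06-30T09:20:00Z 10.1.7.9 GET http://intranet.example/reports/sort.html 200
2014-06-30T09:21:00Z 10.1.9.3 GET http://toons.freesexycomics.com/ 404
"""


def classify_url(url):
    """Return the indicator categories a URL matches (possibly an empty list)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()   # last path component; query string ignored
    hits = []
    if host in HAVEX_C2_DOMAINS:
        hits.append("havex-c2-domain")
    if filename in LIGHTSOUT_EK_FILES:
        hits.append("lightsout-ek-file")
    return hits


def triage(lines):
    """Parse log lines and return one alert dict per line that matches an indicator."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than abort the sweep
        hits = classify_url(m["url"])
        if hits:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "url": m["url"], "hits": hits})
    return alerts


def assess(alerts):
    """Per-client verdict. An EK landing-page hit followed by a C2 contact is the
    chain the alert describes (LightsOut installs Backdoor.Oldrea); either half
    on its own is only a lead, since the ET rules themselves are tagged "Possible"."""
    first_ek, first_c2 = {}, {}
    for a in alerts:                       # alerts are in log order, so setdefault keeps the earliest
        if "lightsout-ek-file" in a["hits"]:
            first_ek.setdefault(a["client"], a["ts"])
        if "havex-c2-domain" in a["hits"]:
            first_c2.setdefault(a["client"], a["ts"])
    verdicts = {}
    for client in set(first_ek) | set(first_c2):
        ek, c2 = first_ek.get(client), first_c2.get(client)
        if ek and c2 and ek <= c2:         # ISO-8601 UTC strings compare chronologically
            verdicts[client] = "probable-infection"
        elif c2:
            verdicts[client] = "c2-contact"
        else:
            verdicts[client] = "ek-landing-only"
    return verdicts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["ts"], a["client"], ",".join(a["hits"]), a["url"])
    for client, verdict in sorted(assess(found).items()):
        print(client, verdict)
```

Run against the constructed log, 10.1.4.22 is flagged probable-infection (landing page, then the jar, then the C2 host), 10.1.9.3 is a bare C2 contact worth a host look, and the intranet sort.html fetch from 10.1.7.9 stays a landing-only lead, which is the right outcome for a filename match with nothing behind it. In a real sweep the indicator sets would be pulled from the vendor rule files rather than hard-coded, and the VRT rule is a DNS signature, so the equivalent host match belongs on resolver logs as well as proxy logs.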