Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations – Mandiant

Executive Summary

In mid-July 2022, Mandiant identified a new ransomware family dubbed ROADSWEEP which drops a politically themed ransom note suggesting it targeted the Albanian government. In addition, a front named HomeLand Justice claimed credit for the disruptive activity that affected Albanian government websites and citizen services on July 18, 2022. The HomeLand Justice front posted a video of the ransomware being executed on its website and Telegram channel alongside alleged Albanian government documents and residence permits of ostensible members of the Mujahedeen-e-Khalq/People's Mojahedin Organization of Iran (MEK, also known as MKO or PMOI), an Iranian opposition organization that was formerly designated as a terrorist group by the U.S. Department of State.

On July 21, 2022, a front named HomeLand Justice leveraged the website homelandjustice.ru to start publishing ostensible news stories on the ransomware operation against the Albanian government along with a link to a Telegram channel named HomeLand Justice. The website, which implies that it is run by Albanian citizens, claimed credit for the ransomware activity with a video of wiper activity, and posted documents ostensibly internal to the Albanian government along with what it claimed to be Albanian residence permits of MEK members.

Mandiant further identified CHIMNEYSWEEP, a backdoor that uses either Telegram or actor-owned infrastructure for command-and-control and is capable of taking screenshots, listing and collecting files, spawning a reverse shell, and keylogging. CHIMNEYSWEEP shares code with ROADSWEEP and, based on observed decoy content, has likely been used to target Farsi and Arabic speakers as far back as 2012.

On July 19, 2022, one day after the Albanian government announcement of the disruptive activity, an Albanian user submitted a ZEROCLEAR wiper payload to a public malware repository. The ZEROCLEAR payload takes in command line arguments from the operator and results in corruption of the file system using the RawDisk driver.

While we are unable to independently prove or disprove whether the ZEROCLEAR sample was used in this or any disruptive operation, the malware has previously been publicly reported to have links to Iran-nexus threat actors deploying it in support of disruptive activity in the Middle East as recently as 2020.

Mandiant does not have evidence linking this activity to a named threat actor but assesses with moderate confidence that one or multiple threat actors who have operated in support of Iranian goals are involved. This is based on the timing of the disruptive activity, the MEK-focused content of the HomeLand Justice persona's Telegram channel, and the long history of CHIMNEYSWEEP malware targeting Farsi and Arabic speakers.

However, we do note that the ransomware attack is significantly more complex than prior CHIMNEYSWEEP operations, which raises the possibility of a cross-team collaboration or other scenarios that we lack insight into at this time. We are continuing to investigate this cluster and will provide updates as we are able.

Mandiant has frequently reported on Iranian threat activity targeting Iranian dissidents and opposition groups abroad by cyber espionage groups such as UNC788 and malware such as SCRAPWOOD, publicly known as MarkiRAT. Additionally, numerous recent lock-and-leak operations by suspected Iran-nexus personas such as Black Shadow and Moses Staff have involved disruptive activity against primarily Israeli organizations in an attempt to embarrass them.

The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state, in the same week an Iranian opposition group's conference was set to take place, would be a notably brazen operation by Iran-nexus threat actors. As negotiations surrounding the Iran nuclear deal continue to stall, this activity indicates Iran may feel less restraint in conducting cyber network attack operations going forward. This activity is also a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests.

ROADSWEEP is a newly discovered ransomware tool which, upon execution, enumerates files on the device and encrypts their content in blocks using RC4. Windows API names, malware configuration parameters, and the basis of the ransom note are RC4 encrypted within ROADSWEEP. During execution, ROADSWEEP decrypts these strings and dynamically resolves the imports it needs.

ROADSWEEP requires four command line arguments to execute correctly, otherwise ROADSWEEP will produce a message box and halt execution. Upon successful execution, ROADSWEEP creates the following global mutex:

Following initialization, ROADSWEEP will begin resolving the necessary APIs using the Windows GetProcAddress API. The function names are encrypted using RC4 with the hardcoded key "8c e4 b1 6b 22 b5 88 94 aa 86 c4 21 e8 75 9d f3".

ROADSWEEP contains multiple embedded scripts which are used either to execute additional commands or to remove itself from the victim's device. These scripts are never written to disk; instead, ROADSWEEP creates a new command prompt (cmd.exe) and sends the commands to that process through a pipe. The scripts are embedded within the binary as RC4 encrypted blocks and are decrypted at runtime by the payload. The first script decrypted by ROADSWEEP is responsible for disabling settings such as System Restore and Volume Shadow Copies, along with disabling critical services and processes.

ROADSWEEP also decrypts the following script, which is used to delete itself after execution:

ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"

Next, ROADSWEEP extracts configuration values that are RC4 encrypted and embedded within the binary itself. The first is a list of extensions that should be avoided when the encryption occurs:

ROADSWEEP also decrypts the filename for the ransomware note, "How_To_Unlock_MyFiles.txt" (MD5: 44d1c75815724523a58b566d95378825) and the note itself as shown in Figure 1.

After creating the file, the encryption key that is used to encrypt each file is computed. The key is derived by producing a random data stream using the algorithm shown in Figure 6, hashing that value with MD5, and using the digest as an RC4 key.

ROADSWEEP then encrypts this key with an embedded RSA public key and proceeds to format the ransomware message by appending the Base64 encoded and encrypted recovery key to the message itself. The Base64 encoding uses a custom alphabet of "wxyz0123456789.-JKLMNOPghijklmnopqrstuvQRSTUVWXYZabcdefABCDEFGHI".
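As an added analyst helper (not code from the report, and not the malware's own code), the following Python reproduces the two encodings described above so that artifacts from a ROADSWEEP sample can be examined offline: RC4 with the hardcoded key used for the encrypted API names, and Base64 over the custom alphabet used for the recovery key in the ransom note. `decrypt_roadsweep_string` decrypts a blob carved from the binary, `derive_file_key` shows the MD5-to-RC4-key step (the random-stream generator in Figure 6 is not on this page, so the caller supplies the bytes), and `extract_recovery_blob` pulls the encoded recovery key out of a note so it can be preserved in case a decryptor becomes available. The use of '=' as the padding character and the sample note are assumptions.

```python
import base64
import hashlib
import re
from typing import Optional

# RC4 key ROADSWEEP uses for its encrypted API names (hex bytes quoted in the report).
ROADSWEEP_RC4_KEY = bytes.fromhex("8ce4b16b22b58894aa86c421e8759df3")

# Custom Base64 alphabet used for the encrypted recovery key in the ransom note (from the report).
CUSTOM_B64_ALPHABET = "wxyz0123456789.-JKLMNOPghijklmnopqrstuvQRSTUVWXYZabcdefABCDEFGHI"
STANDARD_B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(CUSTOM_B64_ALPHABET) == 64 == len(set(CUSTOM_B64_ALPHABET))

_TO_STANDARD = str.maketrans(CUSTOM_B64_ALPHABET, STANDARD_B64_ALPHABET)
_TO_CUSTOM = str.maketrans(STANDARD_B64_ALPHABET, CUSTOM_B64_ALPHABET)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream). Symmetric: one call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_roadsweep_string(blob: bytes) -> str:
    """Decrypt one RC4-encrypted string (API name, config value, script) carved from the binary."""
    return rc4(ROADSWEEP_RC4_KEY, blob).decode("latin-1")


def derive_file_key(random_stream: bytes) -> bytes:
    """Per-file RC4 key as described in the report: MD5 of a random data stream.
    The generator behind that stream (Figure 6 of the report) is not reproduced here;
    the caller supplies the bytes. The 16-byte digest is used directly as the RC4 key."""
    return hashlib.md5(random_stream).digest()


def custom_b64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").translate(_TO_CUSTOM)


def custom_b64_decode(text: str) -> bytes:
    # Assumption: '=' padding as in standard Base64; the report does not name the pad character.
    return base64.b64decode(text.translate(_TO_STANDARD), validate=True)


# Every alphabet character is a letter, digit, '.' or '-', so a candidate blob is a long run of those.
_CANDIDATE_RE = re.compile(r"[A-Za-z0-9.\-]{32,}=*")


def extract_recovery_blob(note_text: str) -> Optional[bytes]:
    """Return the decoded (still RSA-encrypted) recovery key appended to a ransom note, if found."""
    candidates = sorted(_CANDIDATE_RE.findall(note_text), key=len, reverse=True)
    for token in candidates:
        try:
            return custom_b64_decode(token)
        except ValueError:  # binascii.Error is a ValueError: not a valid blob, try the next run
            continue
    return None


if __name__ == "__main__":
    # Constructed sample: a note carrying a 48-byte blob (not a real ROADSWEEP note).
    sample_note = "Your files are locked.\nKey: " + custom_b64_encode(bytes(range(48))) + "\n"
    print(extract_recovery_blob(sample_note).hex())
```

The recovery blob is only useful together with the actor's RSA private key, so the value of keeping it is evidentiary: it ties a note to a specific infection and can be matched against any decryptor released later. The RC4 routine is deliberately generic so it can also be pointed at the embedded scripts and configuration blocks, which the report states use the same cipher.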

Next, ROADSWEEP enumerates all logical drives on the victim's device and checks whether the drive is one of the following:

For each discovered drive, ROADSWEEP will initialize a new thread which is responsible for encrypting all files within that drive. This thread enumerates the file system using the Windows FindFirstFileW and FindNextFileW APIs. For each root directory, a ransomware note is created with the content and filename noted above.

Following this, ROADSWEEP checks whether each file in the directory matches the extracted extension list; if it does not, the file is encrypted. The encryption process starts by renaming the file with the .lck extension. ROADSWEEP then takes the creation time, last access time, and last write time of the file and stores them internally. These values are applied again after the file has been overwritten so that the original file times are preserved, although the purpose of this is currently unknown.

ROADSWEEP then opens the file and computes its size using the GetFileSize API. It then processes the file's content in chunks of 0x100000 bytes (1 MiB): each chunk is read in, encrypted with RC4, and written back over the original data on disk, until the entire file has been overwritten.

Following this, the aforementioned self-delete script is executed and the process exits.

We identified a ZEROCLEAR payload which takes in command line arguments from the operator and results in corruption of the file system using the RawDisk driver.

The first command line argument must be one of the following:

The second argument is the drive letter that the operator wants to corrupt; previous variants of ZEROCLEAR only wiped the system drive, determined by calling the GetSystemDirectoryW API.

ZEROCLEAR then opens a handle to the RawDisk driver by opening a handle to the following:

It then computes the disk size using the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY and IOCTL_DISK_GET_LENGTH_INFO DeviceIoControl calls. The EldoS RawDisk driver is then used to overwrite the data with the value "0".

While Mandiant was unable to uncover the infection vector for CHIMNEYSWEEP, we note that the dropper has a valid digital signature. In addition to dropping the CHIMNEYSWEEP installer, this dropper also contains either an Excel or Word document or an MP4 video file.

The dropper is a signed version of a Windows Cabinet self-extracting file, signed with the now revoked certificate "Atheros Communications Inc." As of 2022-07-28, the certificate used in the ROADSWEEP campaign has not been revoked. Historically we have seen APT41 also use this certificate, although, as noted by DUO, the password for this certificate was widely available. The threat actor's choice of signing certificate and dropper is likely based on the fact that the legitimate Atheros certificate was used to distribute legitimate drivers using the legitimate dropper. This indicates the threat actors have a high degree of operational security.

Upon execution, the self-extracting tool finds the resource named Cabinet, drops it to disk, and then executes a process named unpack.exe.

After being dropped, the installer is executed. The installers, some of which are padded with null bytes (0x00) to inflate their size, are responsible for writing an embedded executable to disk and then executing the backdoor itself. The installer initially drops the payload as m.d in the covert store "C:\ProgramData\Microsoft Installer\{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}\Force". Some of the installers forge the dropped file's CreationTime, LastAccessTime, and LastWriteTime by copying them from C:\Windows\System32\smss.exe.

The installer then executes the Alloc export, which checks whether the device is currently running DeepFreeze by Faronics, although this is not applicable for the samples analysed by Mandiant. If the process name contains creensaver., the backdoor will write the image to %SYSTEM32%\Slui and then execute a task named "\Microsoft\Windows\License Manager\LicenseExchange". Alloc ultimately calls the Control_Provider export, which initiates the backdoor.

The main functionality is provided in the next export called by the installer, RatingSetupUI. This export is responsible for all the command-and-control (C&C) interactions and backdoor capabilities.

The last two exports are related to the update process. Control_Provider manages the update process whereas Telephon executes the Control_Provider function.

If the backdoor is not running as an administrator, it may use embedded payloads to escalate privileges. A mutex named rerunadmn is used internally by the backdoor, and two RC4 encrypted payloads are extracted. The first payload is a .NET loader, which loads the second payload and calls the type "vjp5ZPP9AidVjXxofy" and method "s7tajdxvX". The loader (MD5: 779940f675ff4ab4e8cab7a1b7cf5d3c) first enumerates the loaded .NET modules looking for the above class and method. If they exist, it executes that module; if the module is not loaded, the assembly is loaded and then executed in memory. The backdoor then passes either the string AD (if the payload is already executing as Administrator) or the path to a temporary file on disk directly to the loaded .NET module. This temporary file is created by reading the content of the registry value SoftwareAppDataLoadGLXaex and writing it to the Windows %TEMP% directory with the name APPX..tmp. This file is a copy of the backdoor itself. If the payload can't resolve the export CP from the loader, it reverts to invoking PowerShell with the following command, passing in the path to the second payload, the type and method, and either AD or the path to the second module:

[Reflection.Assembly]::LoadFile("%s")\n$i=""\n$r=[%s]::%s("%s",[ref] $i)\necho $r,$i\n

Execution then proceeds within the second payload (MD5: 3633b3d69060a5882656b69f81655f0a), which is responsible for ensuring that the payload is running with administrator privileges. This payload is obfuscated with .NET Reactor and contains encrypted strings used throughout its execution. Upon execution, the payload creates the mutexes rerunadmn and subttoadmn. The module uses the following techniques to execute the payload as administrator:

CHIMNEYSWEEP has the following major functionality:

The backdoor contains settings that are found either encrypted within the payload or stored in the registry (Software\AppDataLow\GLX\Setting). The values stored in the registry are provided by the update mechanism. The configuration is split using the tags {BEGIN} and &{END}, and each value within the settings is referenced by an integer. For extracting the C&C values, the parser stores a reference to values 30-39, where each reference can be a different C&C and URI, in order.

Based on our analysis we assess that the IDs correspond to the following settings:

| Id | Purpose |
|---|---|
| 1 | Perform file collection |
| 2 | Perform directory listing of new drives |
| 3 | Perform key logging |
| 4 | Monitor clipboard data |
| 5 | Boolean value as to whether the actor should take screenshots |
| 6 | The timeout value between each screenshot |
| 7 | Default JPEG quality for BMP2JPGpourVBFrance export |
| 8 | Execute system information command |
| 9-29 | Missing |
| 30-39 | C&C information |
| 40 | File collection config |

During the initialisation of CHIMNEYSWEEP, a thread is created which makes HTTP GET requests to https://api.telegram.org/. The response is checked for the string "{"ok":false," (the error document the API returns to an unauthenticated request, i.e. proof that Telegram is reachable) and, if that string is present, the threat actor attempts to use Telegram for C&C communications.

The threat actor used the following Telegram bots:

| URI path | Bot username | Bot real name | Channel id |
|---|---|---|---|
| bot661217919:AAG9PrAybrKF5y8HxMA14THNZtWXw5Sv4w | net21007bot | net21007 | -1001262963819 |
| bot692407219:AAFlfj9N3gx7vCJlsFi3Ej0qzZgpL8CNmj0 | net11007bot | net11007 | -1001188059110 |

These Telegram channels appear to have been in use by the threat actor for a significant period and hold messages in the hundreds of thousands which relate to individual tasks. The backdoor uses Telegram's GetUpdates API endpoint, which returns a list of messages for the bot. The backdoor then parses this data to execute specific commands, download additional payloads, or create a reverse shell. Data sent and received over the Telegram channel is encoded using Base64 with the same alphabet as ROADSWEEP.

Within the context of Telegram, CHIMNEYSWEEP uses a unique identifier for the victim based on the computer name and username, prefixed with TL. This ID is used to filter commands for the specific device:

TL_<computer name>-<username>

Following the victim identifier, the backdoor uses the string 1 to indicate a task for the update process and 2 to indicate a command to execute on the host.

If Telegram is not available, the threat actor communicates to threat actor-owned infrastructure. This infrastructure is embedded within the payload and may include one or multiple of the following:

The C&C communication protocol consists of several HTTP requests to the server using the argument do to specify the command id and arg to transfer associated data. Communication to these servers is done with a specific User-Agent, which includes the victim's computer name and username in the following format:

:---:-:---:init:---:www:---:MNEW
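The two network behaviours described above (Telegram Bot API polling with GetUpdates, and the ':---:'-delimited User-Agent plus do/arg query shape against actor-owned servers) are easy to look for in web proxy logs. The following Python is an added detection example, not code from the report or from the malware; it runs three rules over a constructed log excerpt. The log format, the bot token, the host c2.example.invalid and the computer name "WS01"/username "alice" inside the User-Agent are all assumed values, and the field layout of the User-Agent beyond the delimiters and the trailing MNEW marker is also an assumption.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-log excerpt (not real traffic): timestamp, client, method, URL, quoted User-Agent.
# The bot token and the C&C host are placeholders; the User-Agent follows the layout in the report
# with assumed values for the computer name ("WS01") and username ("alice").
SAMPLE_LOG = """\
2022-07-18T09:00:01Z 10.0.0.5 GET https://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-07-18T09:00:07Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenNotReal_x/getUpdates "Mozilla/4.0"
2022-07-18T09:00:09Z 10.0.0.5 GET http://c2.example.invalid/index.php?do=1&arg=cGluZw "WS01:---:WS01-alice:---:init:---:www:---:MNEW"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Telegram Bot API paths look like /bot<numeric id>:<token>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
UA_DELIM = ":---:"


def parse_chimneysweep_ua(ua: str) -> List[str]:
    """Split the ':---:'-delimited User-Agent into its fields (the first field carries the host identity)."""
    return ua.split(UA_DELIM)


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per matching rule per log line, in line order."""
    findings: List[Dict[str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        url, ua = m["url"], m["ua"]
        parts = urlsplit(url)

        # Rule 1: Telegram Bot API use (getUpdates is the polling call CHIMNEYSWEEP relies on).
        if parts.netloc == "api.telegram.org":
            bot = TELEGRAM_BOT_RE.match(parts.path)
            if bot:
                findings.append({
                    "line": str(line_no), "src": m["src"], "rule": "telegram_bot_api",
                    # Never copy the token into alerts; the numeric bot id is enough to pivot on.
                    "detail": f"bot_id={bot['bot_id']} method={bot['method']} (token redacted)",
                })

        # Rule 2: CHIMNEYSWEEP-style User-Agent: several ':---:' separators and the trailing MNEW marker.
        if ua.count(UA_DELIM) >= 3 and ua.endswith("MNEW"):
            fields = parse_chimneysweep_ua(ua)
            findings.append({
                "line": str(line_no), "src": m["src"], "rule": "chimneysweep_user_agent",
                "detail": f"host_field={fields[0]} fields={len(fields)}",
            })

        # Rule 3: the do=<command id>&arg=<data> request shape used against actor-owned servers.
        qs = parse_qs(parts.query)
        if "do" in qs and "arg" in qs:
            findings.append({
                "line": str(line_no), "src": m["src"], "rule": "do_arg_c2_shape",
                "detail": f"host={parts.netloc} do={qs['do'][0]}",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

Rule 1 fires on any Bot API use, which is legitimate in many environments, so treat it as a lead to be triaged with process context (which binary on the client made the request) rather than a verdict; rules 2 and 3 are far more specific and, when they fire from the same client, corroborate each other. Bot tokens are credentials and are kept out of the alert output on purpose.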

Upon initialization, the backdoor will create two networking threads, one for managing updates and the second for managing tasking:

| Command Id | Purpose | Response |
|---|---|---|
| 0 | Start the plugin update process | Updates settings within the backdoor, such as the current C&C for this communication channel or the settings in the registry |
| 2 | Update the core backdoor | RC4 encrypted executable, which is written to disk, time stomped to a date between 2010 and 2021, then executed. The backdoor uses the mutex "runupdate" before executing the executable; after the process returns, it checks for the mutex "runupdateok". If this mutex exists, the backdoor instance that requested the update is terminated. |
| 20 | | |
