By Daniel Lunghi (Threat Researcher)
A couple of common questions that arise whenever cyberpropaganda and hacktivism issues come up: who engages in it? Where do the people acquire the tools, skills, and techniques used? As it turns out, in at least one case, it comes from the traditional world of cybercrime. We’ve come across a case where a cybercriminal based in Libya turned from cybercrime to cyberpropaganda. This highlights how the cybercrime underground in the Middle East/North African region (covered in our paper titled Digital Souks: A Glimpse into the Middle Eastern and North African Underground) can expand their activity into areas beyond their original area of expertise.
Our first inkling of this threat came when we spotted a spear-phishing email campaign targeting several embassies of various European countries. These used an alarming “Tourist attack!!” subject, and usually spoofed addresses of various Foreign Affairs ministries.
The email attachments were RAR files containing an obfuscated VBS file, which had a low infection rate at the time of the incident. Once the multiple layers of script obfuscation are removed, the final payload arrives—a version of the njRAT Trojan; this family has been a known threat since 2015.
The obfuscation used was not particularly sophisticated. A variable containing a second layer VBS script was encoded in Unicode characters and decoded with a combination of basic string functions such as ChrW, AscW, and Mid before being run with a call to Execute.
A simple Yara rule allowed us to find more of these obfuscated VBS scripts:
$vbs = /[a-z]+ = [a-z]+ & ChrW\(AscW\(Mid\([a-z]+, [a-z]+, 1\)\) – [a-z]+ \* [a-z]+\)/ wide
We believe that this specific VBS obfuscation script was created by the N7r team, a North African hacking group known for making video tutorials on using common RATs (that this particular script wasn’t part of any such videos). We initially thought that this team—or someone close to them using their tools—launched the campaign.
As the campaign became more prominent, the detection rate for these scripts improved. This led the person behind the campaign to send new emails to other diplomatic targets, as well as other targets (such as hotels and other companies) in North Africa. The new emails used more common phishing tactics, such as alleged requests for payment confirmation. At least one message was sent to a diplomat based in the island of Saint Martin after Hurricane Irma hit. This particular actor was at something of a crossroads regarding his cybercrime “career”: while he’s still making good money from simple scams, he’s also improving his skills and branching out to targeted attacks.
The attachments used in this second wave was more sophisticated, but barely so. The most meaningful change was the addition of an extra layer of VBS obfuscation. The payload was still njRAT. We were able to find other samples with the same technique, but these samples did not have ties to N7r. We believe that our attacker finds obfuscators in various forums, and chains them together in an attempt to avoid detection. This is the Yara rule we used to search for similar samples:
$code = /Dim \w+\s+\r\n\s+For Each \w+ In split\(\w+,”.+”\)\r\n\s+\w+ = \w+ & ChrW\(\w+ – “\d+”\)/
These Yara rules allowed us to find other samples, which delivered other basic RATs like H-Worm, Luminosity, and RemCOS. These samples connected to other C&C servers, which we were able to use to connect them all to the threat actor. Some of these domains were also tied to banking malware, confirming our attacker was not limited to embassies.
OPSEC 101 – Or How Not To Do OPSEC
Gathering the above information was enough to protect our customers. However, we decided to dig a little further and noticed a few things.
The attacker almost always sent his mails from a Libyan IP address. In some cases, compromised SMTP servers belonging to the hotels he had breached were used. He didn’t bother using services which hid his IP addresses from mail headers, which allowed us to correlate these addresses to a dynamic DNS domain used by the attacker.
We also checked the registrant data of the domains used by the attacker. This information was exceptionally useful, as it allowed us to find multiple Facebook accounts controlled by the threat actor. We then confirmed his location (Libya) as well as his probable identity.
What was more surprising was what he was doing with the stolen documents—apparently, he had decided to post the documents on social media:
Figure 1. Stolen document posted on Facebook (Click to enlarge)
He didn’t just post embassy documents on Facebook: he also posted stolen credit cards and screens of defaced websites.
Figure 2. Stolen credit cards (Click to enlarge)
This threat actor first published stolen documents in April 2016. His motives remain unclear since the documents themselves did not contain any particularly unusual information. Leaking supposedly secret documents to try to discredit groups and/or sway public opinion is a hallmark of cyberpropaganda efforts—even if the documents appear to be of limited value.
Perhaps he wanted to damage the reputation of the Libyan government, or he aimed to increase his popularity by appearing to be more skilled and sell other services (he offered an old exploit for Office 2007 in January 2017 on Facebook).
This incident shows how the worlds of cybercrime and cyberpropaganda can be intertwined: the tools and techniques are equally effective. Organizations should realize that defending against attacks should focus on what is technically plausible, as this will ensure protection against various threat actors—even those you don’t expect.
Indicators of Compromise
Files with the following hashes were used in the first series of attacks:
- cd8329f75b1393ead3e16c6c79ee1ab476e6487370481e5931feb63305f00983 – detected as VBS_KEYLOG.NYKW
- f46f0e8eed0361294200d64e87b3fb13f6a3797f99f5b588444534f27612a590 – archive file; contents detected as VBS_KEYLOG.NYKW
- fd883a978dd6d95fa5c3b5e0a154e0e07b06e7cb6c685f1ca9f58c73122df24d – archive file; contents detected as VBS_KEYLOG.NYKW
- 7413c7c0317e49e49d595408f721c2ab2f120215374accf2f8133c9d9ad603fb – detected as WORM_DUNIHI.AUSHH
- 89427241e26748949c235fc43805c72960d9c2711fa72036c33137648bb475fa – detected as VBS_REMCOS.B
Files with the following hashes were used in the second series of attacks:
- fb5b5906feab268f90789b15351b8a193fb5f445a3ae9afb1da8fb814ed80325 – detected as VBS_KEYLOG.NYKW
- 306f4f843c5a5a119a3385ad2b18c78a04fac618031ddecabf0633083a6c9a76 – detected as VBS_KEYLOG.NYKW
- 33709ca050fd0abc2aba38326996bf1c3b6d9b875228c9f15e624f9002c199a8 – detected as VBS_OBFUS.VUJ
- ff0f9057d3da7b3500f145ce24670c89a93cdb5cbe74946b17397fc466ddfbda – detected as VBS_AUTORUN.ASUHK
- 9b7cc8f4807df162f99f5fa592bc7cc5c6a756d9c0311c7b2529f19a0ac59c1a – archive file; contents detected as VBS_OBFUS.VUK
- 587e38fb11bd0c4021ce6965e92838521616ee4c5506ef0fa160452e9c71d5cf – detected as VBS_OBFUS.VUK