This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
Here’s what we see coming on the threat landscape in 2017:
Sure Things
The ransomware business model moves to new platforms
As we highlighted in our May report, ransomware is not a malware problem, it’s a criminal business model. Malware is typically the mechanism by which attackers hold systems for ransom, but it is simply a means to an end. As noted in our report, the ransomware business model requires an attacker to successfully perform five tasks:
Take control of a system or device. This may be a single computer, mobile phone, or any other system capable of running software.
Prevent the owner from accessing it. This may happen through encryption, lockout screens, or even simple scare tactics, as described later in this report.
Alert the owner that the device has been held for ransom, indicating the method and amount to be paid. While this step may appear obvious, one must remember that the attackers and the victims often speak different languages, live in different parts of the world, and have very different technical capabilities.
Accept payment from the device owner. If the attacker cannot receive a payment, and, most importantly, receive the payment without becoming a target for law enforcement, the first three steps are wasted.
Return full access to the device owner after payment has been received. While an attacker may have short-lived success with accepting payments and not returning access to devices, in time this will destroy the effectiveness of the scheme. Nobody pays a ransom when they don’t believe their valuables will be returned.
The ransomware business model can target any device, system, or data, where someone can perform all five of these tasks. At DEFCON 24 in August 2016, researchers from Pen Test Partners demonstrated taking over an internet-connected thermostat and locking its controls before displaying a ransom note (Figure 1) demanding one Bitcoin in payment.
Figure 1: Ransom note displayed on internet-connected thermostat at DEFCON 24
While this was not a live attack, a similar screen is sure to appear on an internet-connected device in 2017. For a cybercriminal, making money is the name of the game. If they can capture control of a device, it’s only truly valuable if they can monetize that control. If they take control of an internet-connected refrigerator, they will probably struggle to find data they can sell or otherwise turn into cash, but holding the refrigerator for a small ransom could be very profitable. The same is true for nearly any internet-connected device, as long as they can complete all five tasks outlined above. It would be hard to communicate a ransom note via an internet-connected lightbulb, unless the victim is fairly conversant in Morse code.
Political Leaks are the New Normal
Looking back on the headlines of 2016, it’s apparent that data leaks of a political nature had a significant impact in the United States. While the election may be over, I predict that these types of breaches will continue well into the future, and throughout the world.
Some features of politically focused data leaks are both desirable to government actors and dangerous for an electorate. Consider the following:
Years of releases from WikiLeaks and others have conditioned the public to assume that leaked information is true by default. While previously released data may be authentic, this assumption could be easily exploited by a leaker interested in influencing voters.
If leaked data has been altered, the breached party may have no reasonable way to disprove the alteration. A digital signature on a document could prove its authenticity, but the lack of a digital signature does not prove it to be inauthentic.
A government (or government-sponsored) organization can release information gained through espionage under the guise of a hacktivist, insulating itself from the negative political impact. Even where strong evidence suggests a government was behind the intrusion that yielded the leaked data, plausible deniability remains.
Consider a case where private documents describe a trade negotiation between Nation A and Nation B that Nation C does not favor. If Nation C obtains a legitimate document describing the details of the negotiation and releases an altered version that drastically favors Nation A, the voters in Nation B may be outraged, causing the negotiations to fail. To disprove the leak, Nations A and B would have to release the actual documents, which could itself cause problems for the negotiation.
No matter your political persuasion or opinion on government transparency, it’s important to understand how certain parties can abuse the current environment. Political leaks are a form of information operations that can be conducted with great effectiveness and little chance of retribution. What we have seen in 2016 will be the new normal.
Long Shots
Secure Messaging Apps Gain Widespread Adoption in Response to Massive E-mail Leaks
If people take nothing else away from the leaks of 2016, it should probably be this:
Don’t put in an e-mail what you wouldn’t want to see on the front page of the newspaper.
This is a hard lesson to internalize, as e-mail has become the default asynchronous communication channel for most of the world (and certainly for the people reading these words). But it’s one we should take to heart.
There are many problems with using e-mail to transmit messages that are intended only for a specific audience. The messages usually sit unencrypted once they reach their destination. Even if they are encrypted in transit or at rest, the sender has no control over the security of the recipient’s system: the recipient can decrypt the e-mail and store it in plain text, or mismanage their encryption keys. And in most cases the messages are sorted, catalogued and indexed automatically, so someone with only temporary access can dredge up secrets by keyword and forward them to parts unknown.
If you are wondering whether you should go back to making phone calls when you want to share a private message, that’s not a bad idea, but take a look at any teenager’s phone when considering a technology solution. Snapchat’s killer feature is messages that delete themselves after the recipient reads them, which lets users send messages with less concern about them being shared with others. There are now many security-focused messaging systems, including Telegram, Wickr, Signal and Allo, which offer end-to-end encryption and self-deleting messages. Two caveats apply: Telegram and Allo apply end-to-end encryption only in their secret and incognito chat modes respectively, not to ordinary chats, and a recipient can still take a screenshot of a message. Even so, these systems are often much safer than e-mail.
Widespread adoption of these services in 2017 is still a long shot, as many users may not be comfortable making the transition from e-mail. However, those who’ve learned from widespread leaks will look for alternative ways to share their private thoughts with others.
What are your cybersecurity predictions around our threat landscape? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for network security.
We live in an age when social media, mobile devices and the Internet of things (IoT) dictate how we access, manage and communicate information. This technology is constantly changing and relatively complex in nature. Thus, it is essential that enterprises have a fully functional and effective information security program.
The responsibility to ensure such a program is properly implemented resides with senior management. The main objectives of such a program are to ensure the confidentiality, integrity and availability of the information assets and associated resources.
These overall objectives should be supported by safeguards known as controls, which are put in place to mitigate the risks associated with the use of the technology. If the controls are operating effectively and efficiently, the potential for loss and harm to enterprise assets should be reduced to an acceptable level. The question is who and/or what makes the determination of the effectiveness and efficiency of the controls.
This is where auditors come in. Their role is to review and perform tests to ultimately provide a level of assurance to management and the board of directors that the controls in place are appropriate, are in fact operating and are meeting the intended objectives. In many cases, this job function is relatively straightforward. However, many would argue that when it comes to cyber security technology, although the auditor’s role doesn’t change, the complexity of the audit does.
Auditors have an obligation to educate themselves on this powerful and evolving technology, and there is much to learn. Below are 10 things an auditor needs to know about cyber security. This list is not all-encompassing, nor is it ranked in any order.
Everything is connected to everything. The primary function and objective of any cyber device is connectivity. Devices are like climbers roped together on the side of a mountain – if one falls, it can bring down anything connected to it. The Target hack (through an HVAC supplier connection) clearly demonstrates the need for a holistic cyber security view. With the arrival of the Internet of Things, it’s imperative that auditors understand and address the bigger picture.
All risks are relative to an asset. To qualify as a “risk,” a threat needs to be associated with a vulnerability that – if exploited – could negatively impact an information asset. If it does not, it is not a risk. Too many auditors worry about threats and vulnerabilities that pose no actual risk to an asset, prioritizing compliance over risk and wasting precious time and resources.
Users are (and will always be) the biggest security risk. Our industry is vendor-led, and we keep seeking security through products (firewalls, IDS/IPS, DLP, etc.). We invest in product before people, while real and measurable results can be achieved by investing in information security awareness. To contribute tangible results, auditors should prioritize people over product; education is the closest thing cyber security has to a silver bullet.
Leverage existing frameworks/guidelines. Auditors should consider mapping the NIST “Framework for Improving Critical Infrastructure Cybersecurity” to ISO/IEC 27001:2013 controls and COBIT 5 to reduce the scope of the audit, making the audit more manageable.
Consider current and forthcoming regulation. Auditors should study how requirements such as the General Data Protection Regulation (GDPR), which is legislation, and the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual industry standard rather than a law, could be incorporated into cyber security programs. Auditors also need to understand the global regulatory environment and the differences that exist between geographic regions.
Basic information security controls still hold true. As part of overall security (including cyber security), these controls provide a valid baseline that builds defense in depth, such as physical and logical access controls and application of the “principle of least privilege.”
Utilize a cyber incident response policy and plan that is fully tested. Auditors need to assess whether a proper crisis management and communication plan is in place, clearly communicated and tested as appropriate. This should enable sufficient business continuity in the event of a cyber security breach. Crisis management should include incident response and forensics, where warranted. Proactive monitoring and detection (with automated tools) should be in place.
Cyber security strategy needs to be agile – the landscape is “mutating.” Strategy must be adaptable and scalable to handle new attack methods such as ransomware and cloud-related risks. Auditors need to be aware that this area is constantly changing and must not assume that what currently keeps an IT environment secure will keep it secure indefinitely.
Cyber security awareness depends on the right training. Employees need sufficient and timely education and training to help combat ever-changing cyber security threats. Security needs to be interwoven into the fabric of an organization. One-off, box-checking exercises are not sufficient. For example:
Do employees understand the implications of a cyber security breach?
Has any thought been given to insider threats from a cyber security perspective?
Is there clear guidance on the use of social media/shadow IT solutions/BYOD/how to respond to a phishing or ransomware attack?
Are employees rewarded/praised for promoting security in an organization? Are they incentivized?
Be aware of credential theft techniques. Auditors should understand how credential theft attacks work. Pass-the-Hash (PtH) and related attacks typically follow an iterative, two-stage process: an attacker who already controls one computer harvests the logon credentials cached on it (NTLM password hashes, Kerberos tickets or cleartext passwords held in memory), then reuses those credentials to authenticate to other computers over the network without ever needing the cleartext password, and repeats the cycle from each newly compromised host.
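The second stage of that process leaves a recognisable footprint in the Windows Security log: one account, authenticating with NTLM over the network (event 4624, logon type 3), fanning out to many hosts in a short time. The script below is an added example, not part of the ISACA post, that runs that heuristic over a handful of constructed events written in a simplified field=value form (real 4624 records use field names such as AuthenticationPackageName and WorkstationName; the threshold and window are assumptions to tune per environment).

```python
# Added example: flag NTLM network logons that fan out from one account and
# source workstation to many hosts inside a short window, the typical
# second stage of a pass-the-hash attack. Event lines are CONSTRUCTED.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2017-01-12T08:01:05 EventID=4624 LogonType=3 Account=jdoe Package=Kerberos Workstation=WS022 Target=FS01
2017-01-12T08:03:41 EventID=4624 LogonType=3 Account=svc_backup Package=NTLM Workstation=WS017 Target=FS01
2017-01-12T08:03:52 EventID=4624 LogonType=3 Account=svc_backup Package=NTLM Workstation=WS017 Target=DC01
2017-01-12T08:04:10 EventID=4624 LogonType=3 Account=svc_backup Package=NTLM Workstation=WS017 Target=HR02
2017-01-12T08:04:33 EventID=4624 LogonType=3 Account=svc_backup Package=NTLM Workstation=WS017 Target=SQL03
2017-01-12T08:15:00 EventID=4624 LogonType=3 Account=jdoe Package=Kerberos Workstation=WS022 Target=FS01
2017-01-12T09:40:00 EventID=4624 LogonType=3 Account=svc_backup Package=NTLM Workstation=WS017 Target=FS02
"""


def parse_events(text):
    """Turn the simplified 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        events.append(fields)
    return events


def ntlm_fan_out(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {(account, workstation): sorted target hosts} for every source
    whose NTLM network logons reach >= min_hosts distinct targets within
    `window`. Kerberos logons and non-network logon types are ignored."""
    by_source = defaultdict(list)
    for ev in events:
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("Package") == "NTLM"):
            by_source[(ev["Account"], ev["Workstation"])].append(ev)

    hits = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):          # sliding window from each event
            hosts = {e["Target"] for e in evs[i:]
                     if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (account, workstation), hosts in ntlm_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print("%s from %s reached %d hosts: %s" % (account, workstation, len(hosts), ", ".join(hosts)))
```

Service accounts that legitimately touch many hosts will trip this, so the value is in the baseline: a source that has never fanned out before, or an interactive user account doing so, is what merits a look.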
Technology has evolved and is evolving faster than ever before.
My enterprise is facing unknown competitive threats.
After considering these statements, how would you answer the question of whether your business will be competitive in 10 years?
With the countless factors that exist across every sector, the question is very difficult to answer. The pace of positive, negative and unclassified technological advancements is exponentially greater than ever before. How will your enterprise and IT governance structure survive these exciting times?
Consider Your Enterprise’s Risk Appetite
Information technology is now a core component in achieving business objectives. So if we look at it from a business growth point of view while anticipating current trends, your strategy may have to shift to focus on digital channels. What this means for your business is that you need a digital footprint that is both secure and user-friendly. With every new strategy you may have new risks, so your company’s risk appetite has to be considered.
What type of IT service and infrastructure would you need to deal with multiple types of digital connections that deliver standard functionality across these channels? How would this impact your resources and IT management options? Do you need to move to the cloud? Broadening the enterprise’s digital footprint can create the possibility of multiple connections to your services via numerous known hardware (e.g., tablet, watches, laptops, cell phones), along with anything that can be digitized. Your traditional business structures are now expanded with newer delivery options, so supporting demand now requires a rethinking of traditional network structure to handle the new scales. This can become an issue for many enterprises.
The security aspect of the future cannot be overlooked, because you now have a wider attack surface and crippling ransomware to deal with. If your security fails, this affects customer perception, and you will not be able to honor the confidentiality and integrity of the user experience. Ransomware is especially destructive because it not only removes the availability of the infected data; without a mitigation plan (tested, offline backups above all) you are left choosing between losing the data and paying a hefty sum with no guarantee of recovery. Can your enterprise continue to meet current industry regulations and maintain a secure infrastructure into the future?
GEIT Can Get You There
Within the next 10 years your enterprise will face the growing Internet of Things (IoT) landscape, with faster, more convenient delivery methods, harboring both increased risk and lucrative opportunities.
With a flexible governance of enterprise IT (GEIT) model, you could construct a relevant framework that looks at how the enterprise’s strategic plans and IT work together. You could look at continuous improvement actions and keep this alive within the enterprise. You could ensure IT risk management is aligned with the enterprise’s risk appetite and that security is considered at all points. You could consider various means to optimize your IT resources and capabilities required, as all these are key to helping your enterprise adapt and remain relevant in the future landscape.
Ammett Williams CCIE, CGEIT, Telecommunication Team Leader – First Citizens, TT
Why would an employer pay its tech workers extra cash for a skill or certification if they’re already getting a salary and annual bonus?
There are a dozen good reasons why, and they all share one thing in common: None would be necessary if the company’s compensation structure and pay practices were agile enough to successfully compete for talent in volatile labor markets. The nature of the tech labor marketplace is exactly that, where the market value of a job or skill can move like a roller coaster depending on what’s hot and what’s not at any given moment. If your employer doesn’t have built-in flexibility to react quickly and correctly, it will struggle to find and keep people to execute tech-enabled business strategies.
Who Needs Skills Pay and Why
How do you know if your employer is a victim? Say, for instance, your company doesn’t normally have trouble retaining tech talent and suddenly the best people start walking out the door. Most likely your company wasn’t able to match competing salary offers. Then to make matters worse, it’s soon discovered that the competing offers were actually realistic average local market salaries for these positions – so your employer was underpaying these people from the start. It’s called ‘salary compression,’ when market-driven pay for talent is growing at a faster rate than the annual salary increases employers are able to offer their workers.
Compression is a widespread systemic reality that tends to be much worse in the tech workforce because of the rapid evolution of technology, skills and jobs. Every employer must decide whether to fix it permanently (very difficult) or patch it occasionally (less difficult and more practical).
If there is little leeway in the incumbent’s salary range to sweeten the pot on a counter-offer, and a promotion is not a viable option, paying workers extra cash for critical skills and certifications can be the perfect solution. That is especially true when workers possess the very hot certified or noncertified tech skills that other employers are aggressively targeting. The trick is to tie this extra cash directly to current market value for the hot skill or certification and guarantee that premium for some period of time, usually one year or more. When time’s up, the employer can check whether market value has changed and decide if it makes sense to continue to pay the skills premium and how much to pay, or to switch it out for another hot skill that has become more valuable to the organization.
What is the current cash market value for certifications? Extra pay awarded to 69,900 U.S. and Canadian IT professionals for 880 certified and noncertified IT and business skills – also known as skills pay premiums – has been tracked and updated quarterly since 1999 in the IT Skills and Certifications Pay Index™(ITSCPI). About 3,000 private and public sector employers currently provide this data to Foote Partners, covering a total of 255,600 IT professionals at these companies.
ISACA certifications are doing extremely well. As a group they’ve gained 15.3 percent in cash market value in the last six months compared to nearly 8 percent growth in pay across all 80 security-related certifications in the ITSCPI. The Certified in Risk and Information Systems Control (CRISC) and Certified in the Governance of Enterprise IT (CGEIT) are the top gainers. The CSX Practitioner (CSXP) certification appeared for the first time in the latest ITSCPI, earning an average pay premium equivalent to 12 percent of base salary – a very strong number for a new certification.
The following security certifications are earning the highest pay premiums right now. They’re paying median cash premiums equivalent to 13 percent to 19 percent of base salary, typically paid out each pay period as a cash bonus in addition to salary, and are shown below in descending rank order of market value including ties, arranged alphabetically within each rank.
(Tie) Certified Information Security Manager (CISM)
(Tie) Certified Information Systems Security Professional (CISSP)
Certified in Risk and Information Systems Control (CRISC)
EC-Council Licensed Penetration Tester (LPT)
Information Systems Security Engineering Professional (ISSEP/CISSP)
Market values for 412 tech certifications in the most recent ITSCPI data update are averaging the equivalent of 7.7 percent of base salary and as a group recorded gains in 14 consecutive calendar quarters, unprecedented in the 18 years Foote Partners has been tracking and reporting compensation for certifications. Info/cyber security certifications have figured prominently in this growth.
Market values for 80 info/cyber security certifications have been on a slow and steady upward path for four years, up 10.7 percent in average cash value as a group in just the past 12 months and 15 percent during the past two years – the largest gain among all certification categories reported. Strong performing security certifications so far in 2016 cut a wide swath: cybersecurity, forensics, penetration testing, perimeter protection and enterprise defense, security analysis, risk and security software programming.
Editor’s note: Registration is open for the first testing window of 2017 for ISACA’s core certifications.
Exams for CISA, CISM, CGEIT and CRISC will be offered in 2017 at PSI testing locations worldwide during three, eight-week testing windows. The first testing window will be 1 May-30 June, with 28 February marking the early registration deadline. Exam registration via the ISACA website is available at www.isaca.org/examreg.
David Foote, Chief Analyst and co-founder, Foote Partners, LLC
Taiwan has been a regular target of cyber espionage threat actors for a number of years. The reasons range from its position as one of the states bordering the disputed South China Sea region to its emerging economy and its standing as one of the most innovative high-tech economies in Asia.
In early August, Unit 42 identified two attacks using similar techniques. The more interesting one was a targeted attack on the Secretary General of Taiwan’s Executive Yuan, the government’s executive branch. The Executive Yuan comprises several individual boards, each responsible for a different executive function of the government. The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs. Given the important functions undertaken by the Executive Yuan office, it is not a surprise that it was targeted. The second attack was against an energy sector company, also located in Taiwan.
The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware, but the other attack deployed the widely available Poison Ivy RAT. This confirms the actors are using Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed by them. Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family, which has not been previously tied to the group.
Figure 1 shows the spear phishing email which was sent to the Secretary General of Executive Yuan. The email is spoofed so that it appears as though it was sent from a staff member at the Democratic Progressive Party (DPP).
Figure 1. Spear-phishing email with malicious attachment.
The document attached to this e-mail exploits CVE-2012-0158, a Microsoft Office vulnerability. This process is described in the Malware Analysis section later in this report, but one interesting aspect of this malicious document was the decoy document the attacker chose to deploy.
Decoy Document
As we have noted in many earlier reports, attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate. After infecting the computer, they display a clean document to the victim that contains content relevant to them.
The decoy document used in this case is a spreadsheet with four tabs, respectively titled “example,” “0720,” “0721,” and “1041109 full update”. All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official written language of the People’s Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many overseas Chinese communities. The overarching theme of the spreadsheet is documenting protestor activity and/or progressive reform attempts in progress across Taiwan and the tone of the spreadsheet suggests it was compiled by progressive supporters. Because we were unable to find the spreadsheet online, and there is specific persona data included related to these movements and protests, we are not including any screen shots except for the one below.
Figure 2. The four tabs in the decoy spreadsheet.
The “example” tab is exactly that: it holds the headers, with sample entries, that two of the remaining three tabs follow. The headers themselves translate, from left to right, to “responsible department,” “issue,” “developments this week,” “political situation judgment,” and “related information.” The tab labeled 0721 only has the matching headers and no additional information. None of the information in the spreadsheet relates to activities past 2015, and there are references to the then-upcoming January 16, 2016 elections in Taiwan. In that election the DPP won, displacing the Chinese Nationalist Party (KMT) for only the second time in history, and electing Taiwan’s first female President.
The spreadsheet labeled 0720 refers to the Anti-Black Box Movement, which was a protest by Taiwanese high school students against certain proposed curriculum changes. The use of “black box” by the protestors is in reference to former Taiwanese President Ma Ying-Jeou’s government and its lack of transparency concerning government decisions. Protestors occupied Taiwan’s Ministry of Education last July. A resolution passed by Taiwan’s legislature and approved by the Executive Yuan in May of this year delayed implementing that curriculum until 2020 to allow time for the act to be amended.
The Anti-Black Box Movement is related to the Sunflower Student Movement, a coalition of both student groups and other civic organizations that protested the Cross-Strait Trade Agreement between Taiwan and the PRC, feeling it would hurt Taiwan’s economy and increase the PRC’s sway over the island. On March 17, 2014, the KMT, the ruling party at the time, tried to force a vote without the previously agreed clause-by-clause review with the DPP. The following evening protesters occupied the Legislative Yuan, the first time that had occurred in Taiwan’s history. On March 23 of the same year, after then-President Ma re-affirmed that he supported the pact and would not alter or drop it, protestors occupied the Executive Yuan, where over 150 were injured and 61 arrested.
The final tab contains the most information of the three and has different headers. From left to right, the headers are titled “responsible person(s),” “summary of issues and major groups,” “crisis simulation, political judgment, and recommendations,” “degree of tension,” and “participating members.”
Information related to the November 2015 “Autumn Struggle” protest, an annual protest first held in 2013.
Information on a Taichung City government development proposal being protested largely on environmental impact grounds, and protestor demands.
Army 1st Special Forces veterans attempt to receive compensation for alleged illegal extension of forced military service
The recently settled case of the toll workers laid off in 2013 after the Taiwanese government’s agreement with the Far Eastern Electronic Toll Collection Company created a national electronic toll collection system; hundreds lost their jobs and have since protested for new jobs as well as lost severance and pension.
Kaohsiung refinery closing and protestor demands, also largely related to environmental effects and necessary cleanup; the refinery officially closed at the end of December 2015
Closely watching any trade agreements between the Malaysian government and Taiwan
Potential environmental and current residential issues related to the development of the Aerotropolis around Taoyuan International Airport, which is intended to create a major transportation hub and industry center for Asia with infrastructure for corporate research and development, conference centers, and other facilities.
The Puyu Development Plan, which is part of Taiwan’s Knowledge-based Economy plan
Taiwan’s 12-year compulsory education plan
Anti-Black Box Movement demands and recent activity
Improving working conditions for Taiwanese firefighters
Pension reforms
The Nest Movement, which started in 2014 and is related to the older “Shell-less Snail Movement,” focused on affordable housing, neighborhood and urban development, ending forced demolition and relocation, property tax reform, and related housing issues
The Environmental Impact Assessment (EIA) voted on by the Environmental Protection Bureau (EPB) for the Dongshi-Fengyuan Expressway, part of the National Highway #4 Project and anti-eviction efforts
Kaohsiung water quality issues and related projects
Same sex marriage legalization
Protecting old trees in Kaohsiung amidst construction for a new “green” library; most of the designated “precious trees” are rare exotic species
Indigenous peoples in Kaohsiung land return
Activities against the Miramar Resort Village, including the revocation of the EIA, forcing development to halt
Lowering the voting age in Taiwan from 20 to 18
Malware Analysis
The documents attached to the spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158, a buffer overflow in the MSCOMCTL.OCX ActiveX control reachable from Office documents which, despite its age, remains one of the most commonly exploited Microsoft Office vulnerabilities across many threat actors. This matches known Tactics, Techniques, and Procedures (TTPs) for Tropic Trooper, which targets both government institutions and the energy industry in Taiwan.
The delivery document carries the XLSX extension normally used by Office Open XML (zipped XML) files, but the file itself is an OLE compound (legacy XLS-style) document. The discrepancy comes from the actor using Excel’s built-in encryption: an encrypted workbook is stored as an OLE container holding the ciphertext of the XLSX package (the EncryptedPackage stream) together with the parameters needed to decrypt it (the EncryptionInfo stream). The extension therefore says nothing reliable about the container; the file header does.
Filename: 進步議題工作圈議題控管表.xlsx
MD5: a89b1ce793f41f3c35396b054dbdb749
SHA1: f45e2342e40100b770d73dd06f5d9b79bfce4a72
SHA256: 2baa76c9aa3834548d82a36e150d329e3268417b3f12b8f72d209d51bbacf671
Type: CDF V2 Document, No summary info
Size: 327128 bytes
Table 1. Details of the malicious document attached to the e-mail.
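As an added example (not Unit 42’s code), the check below classifies a file by its leading bytes rather than its extension and parses the few CFB header fields that confirm it is a genuine compound file; the sample header is constructed, not taken from the real document. An .xlsx that turns out to be a CFB container is a lead rather than a verdict, since a legitimately password-protected workbook looks the same; telling the two apart means listing the streams (EncryptionInfo/EncryptedPackage) with a full CFB directory parser such as the olefile module, which this snippet deliberately leaves out.

```python
# Added example: triage an Office attachment by container magic, not extension.
# Header field offsets follow the public MS-CFB layout; the sample header is
# CONSTRUCTED and is not the real delivery document.
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file signature
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is a zip archive
OOXML_EXTS = {"docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}
CFB_EXTS = {"doc", "xls", "ppt", "msi"}


def container_type(data):
    """'zip', 'cfb' or 'unknown' from the first bytes alone."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(CFB_MAGIC):
        return "cfb"
    return "unknown"


def cfb_header(data):
    """Parse the header fields that prove this is a well-formed compound file:
    version, byte-order mark (must be 0xFFFE), sector size, FAT/directory."""
    if len(data) < 512 or not data.startswith(CFB_MAGIC):
        raise ValueError("not a CFB file")
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte order mark %#x" % byte_order)
    if major not in (3, 4) or sector_shift not in (9, 12):
        raise ValueError("unsupported CFB version/sector size")
    return {"major": major, "minor": minor, "sector_size": 1 << sector_shift,
            "fat_sectors": num_fat, "first_dir_sector": first_dir}


def triage(filename, data):
    """Compare what the extension promises with what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = container_type(data)
    expected = "zip" if ext in OOXML_EXTS else "cfb" if ext in CFB_EXTS else "unknown"
    mismatch = expected != "unknown" and kind != expected
    note = ""
    if mismatch and kind == "cfb" and expected == "zip":
        note = ("OOXML extension but CFB container: encrypted/protected OOXML "
                "or a renamed legacy file; check for EncryptionInfo/EncryptedPackage streams")
    return {"extension": ext, "container": kind, "mismatch": mismatch, "note": note}


def sample_cfb_header():
    """Constructed 512-byte CFB v3 header with 512-byte sectors (no body)."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9)  # minor, major, BOM, sector shift
    struct.pack_into("<H", hdr, 32, 6)                         # mini sector shift
    struct.pack_into("<II", hdr, 44, 1, 1)                     # 1 FAT sector, directory at sector 1
    return bytes(hdr)


if __name__ == "__main__":
    print(triage("sample.xlsx", sample_cfb_header()))
    print(cfb_header(sample_cfb_header()))
```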
The embedded shellcode enumerates open file handles looking for one whose file is larger than 0xa6f0 (decimal 42736) bytes, i.e. the exploit document itself. It then moves the file pointer to offset 0xa6e8 (decimal 42728) and looks for the following eight-byte delimiter:
GfCv\xef\xfe\xec\xce
If it finds this delimiter, the shellcode knows it has the correct file and reads the 0x600 (decimal 1536) bytes that follow it. It then decrypts the first 0xc0 (decimal 192) DWORDs of that data by XORing each DWORD of ciphertext with the constant 0x29f7c592. The resulting cleartext is a second piece of shellcode that carries out the remaining functionality.
The secondary shellcode starts by resolving the following API functions using a ROT13 hashing algorithm:
Immediately following these API functions there are three DWORDs: the offset of the payload embedded within the exploit file, the size of the payload, and the size of the decoy document. The two size values are added together to obtain the length of the ciphertext that the shellcode will decrypt. In the sample we analyzed, the following values were present, showing that the payload is at offset 0xabc0 and has a size of 0x45218:
The shellcode then builds a string that it uses to create a registry entry so that the final payload runs automatically each time the system starts. It opens the registry key ‘Software\Microsoft\Windows NT\CurrentVersion\Winlogon’ and sets its “Shell” value to the previously created string. Ultimately, the following registry entry is created for persistence:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “explorer.exe,rundll32.exe “C:\Documents and Settings\Administrator\Application Data\Identities\Identities.ocx” SSSS”
It then uses the “offset_toPayload” value as the offset from which it reads 283160 (45218h) bytes from the XLS file. The shellcode then enters a decryption loop to convert the embedded payload from ciphertext to cleartext. The algorithm uses the negated length of the ciphertext as the initial key and rotates the key right by one bit before each round of decryption. It XORs this key with four bytes of ciphertext at a time until all of the ciphertext is decrypted. In each iteration, the algorithm first checks that the four bytes of ciphertext are neither equal to the key nor equal to zero; only ciphertext that passes this check is XORed, so zero DWORDs pass through unchanged (as rounds 5 through 14 in the table show), although the key still rotates in those rounds. The following table walks through the first rounds of the algorithm to explain the decryption process:
| Round | Key | Ciphertext | Cleartext |
| --- | --- | --- | --- |
| 0 | ~0x45218 = 0xFFFBADE8 >> 1 = 0x7FFDD6F4 | 0x7F6D8CB9 | 0x00905a4d = MZ\x90\x00 |
| 1 | 0x7FFDD6F4 >> 1 = 0x3FFEEB7A | 0x3FFEEB79 | 0x03 = \x03\x00\x00\x00 |
| 2 | 0x3FFEEB7A >> 1 = 0x1FFF75BD | 0x1FFF75B9 | 0x04 = \x04\x00\x00\x00 |
| 3 | 0x1FFF75BD >> 1 = 0x8FFFBADE | 0x8FFF4521 | 0xFFFF = \xff\xff\x00\x00 |
| 4 | 0x8FFFBADE >> 1 = 0x47FFDD6F | 0x47FFDDD7 | 0xB8 = \xb8\x00\x00\x00 |
| 5 | 0x47FFDD6F >> 1 = 0xA3FFEEB7 | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 6 | 0xA3FFEEB7 >> 1 = 0xD1FFF75B | 0xD1FFF71B | 0x40 = \x40\x00\x00\x00 |
| 7 | 0xD1FFF75B >> 1 = 0xE8FFFBAD | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 8 | 0xE8FFFBAD >> 1 = 0xF47FFDD6 | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 9 | 0xF47FFDD6 >> 1 = 0x7A3FFEEB | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 10 | 0x7A3FFEEB >> 1 = 0xBD1FFF75 | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 11 | 0xBD1FFF75 >> 1 = 0xDE8FFFBA | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 12 | 0xDE8FFFBA >> 1 = 0x6F47FFDD | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 13 | 0x6F47FFDD >> 1 = 0xB7A3FFEE | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 14 | 0xB7A3FFEE >> 1 = 0x5BD1FFF7 | 0x00000000 | 0x00000000 = \x00\x00\x00\x00 |
| 15 | 0x5BD1FFF7 >> 1 = 0xADE8FFFB | 0xADE8FEF3 | 0x108 = \x08\x01\x00\x00 |
| 16 | 0xADE8FFFB >> 1 = 0xD6F47FFD | 0xD84E60F3 | 0xEBA1F0E = \x0e\x1f\xba\x0e |
| 17 | 0xD6F47FFD >> 1 = 0xEB7A3FFE | 0x26738BFE | 0xCD09B400 = \x00\xb4\x09\xcd |
| 18 | 0xEB7A3FFE >> 1 = 0x75BD1FFF | 0x39BCA7DE | 0x4C01B821 = \x21\xb8\x01\x4c |
| 19 | 0x75BD1FFF >> 1 = 0xBADE8FFF | 0xD28AAE32 | 0x685421CD = \xcd!Th |
| 20 | 0xBADE8FFF >> 1 = 0xDD6F47FF | 0xAD4F3496 | 0x70207369 = is p |
| 21 | 0xDD6F47FF >> 1 = 0xEEB7A3FF | 0x9CD0CC8D | 0x72676F72 = rogr |
| 22 | 0xEEB7A3FF >> 1 = 0xF75BD1FF | 0x947BBC9E | 0x63206D61 = am c |
| 23 | 0xF75BD1FF >> 1 = 0xFBADE8FF | 0x94C3869E | 0x6F6E6E61 = anno |
| 24 | 0xFBADE8FF >> 1 = 0xFDD6F47F | 0x98B4D40B | 0x65622074 = t be |
| 25 | 0xFDD6F47F >> 1 = 0xFEEB7A3F | 0x909E081F | 0x6E757220 = run |

Table 2. Decrypting the payload
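The following is an added example, not code from the original post, that re-implements the two decryption routines described above so an analyst can carve the embedded PE from a document of this structure: the fixed-key XOR applied to the second-stage shellcode, and the rotating-key loop from Table 2. All constants come from the post; the sample ciphertext is constructed from the first six rows of Table 2, and "negated" is implemented as two's-complement negation because that is what yields the table's 0xFFFBADE8.

```python
import struct

MASK32 = 0xFFFFFFFF
STAGE2_XOR_KEY = 0x29F7C592   # fixed key for the first-stage decryption (from the post)
STAGE2_DWORDS = 0xC0          # only the first 192 DWORDs of the 0x600-byte blob are decrypted


def ror32(value, bits=1):
    """Rotate a 32-bit value right; this is the per-round key update of the payload loop."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def decrypt_stage2(blob):
    """First stage: XOR the first 0xC0 DWORDs with the constant key, leave the rest as is."""
    words = struct.unpack_from("<%dI" % STAGE2_DWORDS, blob, 0)
    clear = struct.pack("<%dI" % STAGE2_DWORDS, *[w ^ STAGE2_XOR_KEY for w in words])
    return clear + blob[STAGE2_DWORDS * 4:]


def initial_key(ciphertext_len):
    """Key seed: the ciphertext length negated (0x45218 -> 0xFFFBADE8 as in Table 2)."""
    return (-ciphertext_len) & MASK32


def decrypt_payload(ciphertext, ciphertext_len=None):
    """Second stage: rotating-key XOR over DWORDs. A DWORD equal to 0 or to the current
    key is passed through unchanged, but the key still rotates for that round."""
    if ciphertext_len is None:
        ciphertext_len = len(ciphertext)
    key = initial_key(ciphertext_len)
    out = bytearray()
    for off in range(0, len(ciphertext) - len(ciphertext) % 4, 4):
        key = ror32(key)                      # rotate before every DWORD
        (ct,) = struct.unpack_from("<I", ciphertext, off)
        out += struct.pack("<I", ct if ct in (0, key) else ct ^ key)
    return bytes(out)


# Constructed sample: the ciphertext DWORDs of rounds 0-5 from Table 2. The real
# ciphertext length (0x45218) is passed explicitly so the key schedule matches the table.
SAMPLE_CT = struct.pack("<6I", 0x7F6D8CB9, 0x3FFEEB79, 0x1FFF75B9,
                        0x8FFF4521, 0x47FFDDD7, 0x00000000)


def recover_sample():
    """Returns the first 24 bytes of the embedded payload; a PE starts with 'MZ'."""
    return decrypt_payload(SAMPLE_CT, 0x45218)


if __name__ == "__main__":
    print(recover_sample())
```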
As the table shows, the decrypted data is an embedded portable executable (note the MZ header in the first DWORD), which acts as the payload in this attack. The embedded payload is written to %APPDATA%\Identities\Identities.ocx and has the following attributes:
The shellcode then moves the decoy document to the location of the originally executed XLSX file and builds the following command:
cmd /c start excel /e “<path to original XLSX file, now decoy document>”
Before running the above command to open the decoy document, the shellcode enumerates the running processes on the system, looking specifically for a process whose executable filename starts with “avp.”, presumably in an attempt to detect Kaspersky’s antivirus process. If such a process is found, the shellcode does not open the decoy document and simply exits.
The shellcode does not launch the payload itself; instead it relies on the registry entry it created for persistence to execute the payload when the user next reboots the system. As a result, the payload’s execution may be missed during dynamic analysis.
Delivered Payload – Poison Ivy
When the system starts up, the persistence registry key will launch the Identities.ocx payload and call its “SSSS” exported function. The “SSSS” function checks to make sure that the DLL is running within the context of a “rundll32.exe” process and then begins piecing 0x141B bytes of data together in the correct order to build the shellcode of the Poison Ivy Trojan.
We found and parsed the following configuration from the Poison Ivy shellcode:
Active Key registry key: Software\Microsoft\Active Setup\Installed Components\
Searching for more samples that exhibit the same file structure, encryption and obfuscation used to deliver the above Poison Ivy sample yielded only two additional samples. In these two instances the delivered payloads were PCShare and Yahoyah respectively. PCShare has not previously been associated with Tropic Trooper, but in addition to the overlaps noted above, the two samples share passive DNS overlap with some known Tropic Trooper infrastructure. For those reasons, we assess with limited confidence that the group is also using this malware family.
Figure 3. The limited ties between C2 infrastructure used by Yahoyah samples (top) and PCShare malware samples (bottom).
The table below shows the details of the documents, the payloads delivered and the C2 servers used for communications.
It is notable that the exploit documents we found had low or no detection rates on most popular antivirus engines, showing that the threat actors behind this campaign have had considerable success using this technique to bypass the static analysis performed by traditional antivirus solutions.
We further expanded our search using the AutoFocus Threat Intelligence platform on the IOCs extracted from the PIVY, PCShare and Yahoyah payloads and found 42 samples which either matched unique behaviors, the unique PIVY mutex or had common C2 infrastructure. The hashes of all the samples found are given in the appendix section at the end of this blog.
Figure 4 below shows the compilation timestamps of the payload samples found using AutoFocus. Some of the payloads used in recent attacks were compiled months earlier, which shows that the threat actor group continues to reuse payloads across its exploit documents.
Figure 4. Payload Compilation Timelines
The Maltego graph below shows some of the shared infrastructure that has been used by Tropic Trooper. The complete list of indicators on the graph can also be found in the appendix section of this report.
Figure 5. Maltego graph of Tropic Trooper infrastructure
Conclusion
The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years. In addition to using the Yahoyah malware, we were able to confirm that they are also using Poison Ivy and possibly the PCShare malware family. They are also still exploiting CVE-2012-0158, as are many threat actors. Palo Alto Networks customers are protected from Tropic Trooper’s malicious activities by the following:
WildFire correctly identifies all related malware as malicious
The C2 infrastructure is classified as malicious in PAN-DB
Traps prevents exploitation of CVE-2012-0158
AutoFocus customers can discover additional information on Tropic Trooper via the following AutoFocus tags: