New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan

On December 24, 2015, Unit 42 identified a targeted attack, delivered via email, on a high profile Indian diplomat, an Ambassador to Afghanistan. The body and content of the email suggest that it was crafted and spoofed to look like it was sent by the current Defence Minister of India, Mr. Manohar Parrikar, commending the Ambassador on his contributions and success.

India has been a key nation in building and funding Afghanistan’s infrastructure and economic development, which includes setting up iron ore mines, steel plants, power plants and transportation systems, helping reconstruct the Salma Dam and constructing a new Parliament Complex for the Afghan Government.

Given India’s significant contributions to the development of Afghanistan, it is likely that there may be groups or nations who would be interested in tracking and spying on key individuals who officially represent India in Afghanistan.

Overview of Rover infection

Figure 1 gives an overview of the exploitation, infection and C2 communications of the ‘Rover’ Trojan campaign targeting a victim running Windows XP.

Figure 1: Overview of the infection flow and C2 communications

Rover Trojan Infection Steps:

  1. RTF file exploits CVE-2010-3333 and downloads an executable from newsumbrella[.]net.
  1. The executable file downloaded from newsumbrealla[.]net is executed on the victim machine.
  1. The executable ‘file.exe‘ is a downloader which is used to call out to a server with the IP ‘46.166.165.254‘ and download the main Rover malware along with plugins used by the Rover malware.
  1. Rover malware and plugins are downloaded and installed on the victim machine.
  1. Data exfiltrated from the victim machine.

Targeting and Infection

Figure 2 shows an email which was sent to the Ambassador of India, appearing to commend the contributions the Ambassador has made in the development and success of projects on national interest, and attaching a letter of appreciation with a file name, “Appreciation_letter.doc”.

The attachment is an RTF file which exploits a specific vulnerability in Microsoft Word, CVE-2010-3333.

Figure 2: Spear phishing email sent to the Ambassador of Afghanistan

If the recipient of the e-mail opened the attachment in a vulnerable version of Word, the exploit code would download and execute a file from the domain newsumbrella[.]net as shown in Figure 3 below.

Figure 3: Hexdump showing the domain and the executable downloaded

Malware Analysis

During the time of analysis the executable file systemupdateAPI.exe was no longer being hosted on the newsumbrealla[.]net domain. However, we have noticed the same domain hosting another executable in the past within the same parent directory and having a similar naming for the folders as shown below

newsumbrella[.]net/ne3s/lat3st/w0rld/systemupdateAPI[.]exe

newsumbrella[.]net/ne3s/file[.]exe – hosted earlier

We believe that the executables hosted under the parent directory ‘ne3s’ are variants of the same downloader Trojan, which was used to download the Rover Trojan. The file, file.exe,contains the following debug information that indicates the file was originally namedsystemupdateAPI.exe.

Figure 4: Debug information of downloader program

By analyzing file.exe, we can see that it is a downloader, which creates ‘c:\system’ directory and depending on the OS version used, downloads the main Rover payload along with multiple DLL modules from 46.166.165.254.

Figure 5: Code snippet showing the OS version check and the subsequent download from 46.166.165.254

If the infected system is running an OS version prior to Windows Vista, it would download the following files from 46.166.165.254:

  • WindowsSecurityService2.exe (‘Rover’ main module)
  • Openal32.dll
  • Cxcore210.dll (OpenCV)
  • Highgui210.dll (OpenCV)
  • libsndfile-1.dll

If the OS version is Windows Vista or later, it would download the following files from 46.166.165.254 :

  • WindowsSecurityService3.exe (‘Rover’ main module)
  • OpenAL32.dll
  • opencv_world300.dll
  • msvcp100.dll
  • msvcp110.dll
  • msvcp120.dll
  • msvcr100.dll
  • msvcr110.dll
  • msvcr120.dll

After retrieving these files, the downloader Trojan executes the main module. Even though the main modules use different library versions, the functionality of the backdoors are identical.

By analyzing the files downloaded to the victim machine, we can see that the executableWindowsSecurityService2.exe imports the four DLL files that were downloaded to the same directory. The four DDLs are cxcore210.dll, highgui210.dll, OpenAL32.dll and libsndfile-1.dll as shown in Figure 6

Figure 6: Executable and DLLs downloaded to the victim machine

Attributes of the Rover variant

##############################################

File: WindowsSecurityService2.exe

##############################################

Meta-data

===============================================

Size          : 337920 bytes
Type          : PE32 executable (console) Intel 80386, for MS Windows
Architecture  : 32 Bits binary
MD5           : 76429f8515768f9f5def697e71071f51
SHA1          : d04ce934561934f758d77dfa944bd6743dd82cff
SHA256: 7757517ae6b4d513a57826f9ab65bd070d99d25ac526cfae3e9955c3c7cd457assdeep              : 6144:JabBRNUKgZ9SN0jzoFBB9hcrpXwg9xXYOGl93XO2rQLfbTpLuO7bIWjRO5gjPNq:JarSKu6yzoF8rpAqXYv3XOgQLfnpLuOu
imphash               : b5aa366f452feb9f4dff3c72157ca1f9
Date          : 0x5637227B [Mon Nov 2 08:44:43 2015 UTC]
Language      : ENGLISH
CRC:   (Claimed) : 0x59736, (Actual): 0x59736
Entry Point   : 0x43e3c8 .text 0/5

===============================================

Imports

===============================================

[1] ADVAPI32.dll
[2] WS2_32.dll
[3] WLDAP32.dll
[4] cxcore210.dll (OpenCV module)
[5] highgui210.dll (OpenCV module)
[6] OpenAL32.dll
[7] libsndfile-1.dll
[8] GDI32.dll
[9] KERNEL32.dll
[10] USER32.dll
[11] MSVCP90.dll
[12] RPCRT4.dll
[13] MSVCR90.dll

The author of ‘Rover’ used the following open source projects to implement the main functionalities of this custom malware.

OpenCV – Taking photos from the web cam
OpenAL – Recording Audio
Libsndfile – C library used for reading and writing audio files
LibCurl – For all network communications

OpenCV and OpenAL

Both versions of Rover use OpenCV and OpenAL for some of the main functions.

OpenCV is a library of functions written primarily for building real time computer visionapplications, image processing and also machine learning. It has seen wide acceptance in security systems, medical image analysis, unmanned vehicles, visual surveillance, object tracking, Artificial Intelligence and many other applications.

OpenAL is a cross-platform audio API for rendering multichannel three-dimensional positional audio (i.e., It is a means to generate audio in a three-dimentional space.) Earlier versions of OpenAL were opensource but later versions (since v1.1) have been proprietary.

Once executed, Rover creates following registry entry to execute itself when the computer reboots.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”System Application” = c:\system\WindowsSecurityService[2 or 3].exe

The malware then creates six threads, each with a different job:

  • Heartbeat
  • Screenshot
  • Stealing Files from HDD
  • Keylogger
  • Search files on USB
  • Backdoor

Figure 7: Threads created by the malware

1. Heartbeat:

This sends heartbeat signal on HTTP to the C2 server at 46.166.165.254 every five seconds and checks whether the C2 server is running.

2. ScreenShot:

This saves screenshots as c:\system\screenshot.bmp and sends it to the C2 server at 46.166.165.254 every 60 minutes.

Figure 8: Screenshots sent to C2 server at 46.166.165.254

3. Finding specific file types on Removable Drive:

This thread searches for for files with the following extensions on removable drives and copies them to ‘c:\system’ every 5 seconds.

  • pdf
  • doc
  • docx
  • ppt
  • pptx
  • xls
  • xlsx

4. Keylogger:

This logs key strokes at ‘c:\system\log.txt’ and sends captured data to the C2 every 10 seconds

5. Stealing specific file types from Hard Drive:

This thread searches for for files with the following extensions on fixed drives and sends them to C2 every 60 minutes.

  • pdf
  • doc
  • docx
  • ppt
  • pptx
  • xls
  • xlsx

Figure 9: Document file being sent to C2

6. Backdoor:

This thread obtains backdoor commands from C2 every 10 seconds and executes them. Backdoor commands are listed below:

Command Description
CAMERA Take photos using system webcam and store them as c:\system\camera.jpg before sending to the C2.
AUDIO Record audio from default audio input as c:\system\audio.ogg and sending it to the C2.
SCREEN Take a screenshot and save it as c:\system\screenshot.bmp then send it to the C2.
KILL Remove persistence registry entry and terminate itself.

Though ‘Rover’ is unsophisticated and lacks many modern features common to advanced malware, detection rate of the ‘Rover’ is extremely low. At the time of this writing, two out of three samples on VirusTotal were not detected by any Antivirus product

Figure 10: No detection by any AV product on Virustotal

Figure 11: Low detection rate

Summary

OpenCV has been extensively used by organizations, government bodies, and research groups for real time capture, image manipulation, object detection and many other uses in new forms of Human-Computer interaction, security systems, driver-less cars among many others. OpenCV was also used by the Mars Rovers to send captured data back to Earth.

It is interesting to see the very code used in such significant projects also being used to track and spy on individuals being targeted and which can remain undetected by traditional security systems. Though ‘Rover’ is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim. It is important to understand the techniques and tools being used by such threat actors to better defend and protect organizations from such threats.

Palo Alto Networks AutoFocus users can identify this threat using the Rover tag.

IOCs:

C2:
46.166.165.254

Downloader hosting links:
newsumbrella[.]net/ne3s/lat3st/w0rld/systemupdateAPI[.]exe
newsumbrella[.]net/ne3s/file[.]exe
newsumbrella[.]net/bla3k/extra7/systemupdateAPI[.]exe 

Filename File Type SHA 256
Appreciation_letter.doc RTF 6c9862a65741b56b849928300
aff310d60b815ee5f5f9f133469
e3b035e7e936
Questionnaire.doc RTF 5f656cf07a1d5e7c439aad4023
5dc78e47bac719c62e03728cc
40267383880bd
Terrorism.doc;India &amp RTF 6096ff941af95638944f2fcdf4a5
046aa028b803b010b1a2d000
028b1a4967bc
Appreciation_
letter.doc
RTF 7bf3a425be41ad9cc713e4821
6e061c788f36e2727de5d0b6b
6ac4f435fe1c06
RTF 06b12649dba7f61cb581f97797
bdfba3a7f057a36b448d4c91a3
a7d89fff8d54
WindowsSecurity
Service3.exe
PE 61a2935fcb0a385f9e67855ef6f
95bda5f09fdb7c1435f215ce18
b7b61993daa
file.exe PE a5e5571cda838e97a6beb1a65
acdfbaaf80027f60417aadb0d3
4292f19c0f3b3
WindowsSecurity
Service2.exe
PE 7757517ae6b4d513a57826f9ab
65bd070d99d25ac526cfae3e99
55c3c7cd457a
WindowsSecurity
Service3.exe
PE 3dc709a3bcaa82220d6a76ea47
374bd864c37817c7041c7e9f4e
e8ba42847f34

References

https://en.wikipedia.org/wiki/Afghanistan%E2%80%93India_relations
http://docs.opencv.org/3.1.0/#gsc.tab=0
http://docs.opencv.org/2.4/modules/highgui/doc/highgui.html
https://en.wikipedia.org/wiki/OpenAL
http://www.cs.uml.edu/~holly/teaching/91450/spring2013/bschroeder_vision_robotics1.pdf
https://ti.arc.nasa.gov/m/pub-archive/422h/0422%20(Pedersen).pdf

and

[Palo Alto Networks Blog]

Cloud Data Security Services Just Got Easier to Build and Assess

It is well documented that security is the leading concern hindering cloud adoption. However, it is not so clear cut how to build secure cloud services, or how to assess whether cloud services adhere to relevant security requirements. The Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) framework was specifically designed to offer insights on these topics. The CCM framework provides fundamental security principles to guide cloud service providers (CSPs) and to assist prospective cloud customers in assessing the overall security risk of a cloud offering.

Using the latest CCM framework, version 3.0.1, Vormetric has created two white papers that shed further light on these critical topics. One paper helps cloud providers understand how to meet industry security guidelines with Vormetric data security solutions. The second paper explains how customers looking to adopt cloud services can assess whether their cloud vendors adhere to cloud security best practices. This paper also describes which Vormetric solutions to look for in complying with these standards.

The CCM is aligned with many industry standards and control frameworks, including International Organization for Standardization (ISO) 27001 and 27002, ISACA COBIT, National Institute of Standards and Technology (NIST), Jericho Forum, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), the Payment Card Industry Data Security Standard, version 3, and several others. As a result, CSPs can meet a number of industry security guidelines simply by adopting CCM requirements. In addition, the CCM framework features the Consensus Assessments Initiative Questionnaire (CAIQ), a detailed questionnaire that customers can use to assess the security capabilities of CSPs.

To develop our white papers, Vormetric staff worked with CSA CCM experts to identify which requirements pertained to data security. These white papers explain how the Vormetric Data Security Platform meets critical data security requirements.

By leveraging these white papers, security teams at CSPs can establish a clear path forward for securing data in their cloud environments. Further, executives at enterprises can use a concrete list of questions to assess and qualify prospective CSP offerings and ensure their data security needs are met. Below is a brief description of each white paper and the link to download the paper directly.

Industry Guidelines for Building Secure Cloud Services: This white paper explains how CSPs can use the Vormetric Data Security Platform to address CCM requirements for data segregation, persistent protection of customer data, data access monitoring and auditability, availability, and data destruction.

Best Practices for Assessing Your Cloud Data Security Services: This white paper offers a detailed look at how Vormetric solutions address the requirements specified in the CAIQ. In addition, the paper details what enterprise decision makers should look for in their cloud data security services.

Both white papers are also available on the Vormetric resources page.

By Alan Eng, Senior Manager/Product Marketing, Vormetric

[Cloud Security Alliance Blog]

Cloud Security Alliance Appoints Daniele Catteddu to CTO Post

As Its First Ever CTO, Catteddu to Spearhead Organization’s Global Technology Strategy and Roadmap Throughout Key Lines of Business

Seattle, WA – February 23, 2016 – The Cloud Security Alliance (CSA) today announced the appointment of Daniele Catteddu as its first ever Chief Technology Officer. In this role, he will be responsible for driving the development of CSA’s global technology strategy and roadmap throughout its lines of business including research, membership services, standards, education and products. Additionally, Catteddu will be charged with identifying technology trends, products, global policies and evolving social behavior and the impact of each in relation to CSA’s activities.

“Daniele is one of the industry’s foremost cloud security experts,” said Jim Reavis, CEO of the CSA.  “I look forward to working with him in the CTO role as we grow CSA’s influence and continue our expansion into defining assurance for important next generation information technologies.”

Prior to this appointment, Catteddu served as Managing Director of CSA EMEA, where he is credited for establishing and elevating CSA’s presence in the region, making it a center of excellence as viewed by both corporations and policy makers. Catteddu also was instrumental in the development of CSA’s Open Certification Framework, an industry initiative to allow global, accredited and trusted certification of cloud providers.

“I am very much looking forward to taking on the role of CTO for the CSA, where I will have the opportunity to combine my passion for technology with critical and creative thinking to help ensure that any technological advancement is in harmony with and in support of society,” said Catteddu. “I see a tremendous need to educate the market on the fundamental role that information security will play in our future and to provide each market stakeholder with the tools to approach the complexity of the information security issue. With ‘data as the new currency,’ providing high level of info security and protecting people’s right to privacy has become equal to protecting their future investments.”  In the year ahead, Catteddu plans to focus on advancing CSA’s Security, Trust and Assurance Registry (STAR)certification program, including the launch of the STAR Continuous, the identification of new trends especially those related to IoT security, and the creation of the Futures Advisory Committee.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunictions.com

Newbies/Mid-Careerists: Jumpstart Your IT Audit Careers

In the two decades that I have been an IT Audit recruiter, the field has come a long way, and there is now much more recognition for the IT Audit profession. Going back to 1995, whenever I speak at an ISACA gathering I’ve always asked how many knew in college that they wanted to be an IT auditor. Just 10 years ago, no one ever raised their hand. About five years ago, hands started to go up. That IT Audit is now considered a viable career choice has been helped considerably by the steady increase in college curriculum focused on IT risks and controls.

As an IT Audit recruiter I am often asked by individuals at various stages of their IT Audit journey—from college to mid-career—what they can do to jump-start their IT audit careers and stand out from the pack. Here are some suggestions.

IT Audit Internships for Newbies
Let us start with those still in college. I strongly recommend you get into a good internship program to gain experience and “try before you buy” to help you decide if IT audit is something you are truly interested in. A good place to look for these programs is with the Big 4 accounting firms, but also with Fortune 500 companies, more and more which are developing audit internship opportunities.

ISACA Membership/CISA Highly Recommended
For those starting out or at mid-career looking to get into the IT audit field, my first suggestion: You need to become a member of ISACA. To get a foothold in the IT Audit world, ISACA can be invaluable particularly for the networking opportunities an ISACA membership affords. Robust ISACA chapters can be found in most major cities.

You should approach every chapter meeting as a networking opportunity. Yes, those events are great for learning more about the profession through training and presentations, but networking is key for those looking to break into the IT audit field. Sit with people you do not know. Move around the room. Introduce yourself to the chapter president or vice president. Ask for 30 seconds to a minute to introduce yourself to the entire group and present your stump speech/elevator pitch to make everyone aware of who you are and that you are looking to get into the IT audit field. How many times will you need to introduce yourself and network your way to an opportunity? Maybe once, maybe one hundred times…but if you put in that level of effort to go beyond the comfort zone and market yourself, you will eventually win somebody over.

Next: It is critical that you sit for the CISA certification. It sends a clear message to prospective employers that have mastered the IT Audit body of knowledge, but even more important, it shows you have taken initiative in your professional development. It demonstrates that you have bought into IT audit, which is something potential employers need to know, especially if they are going to take the risk of hiring someone who needs additional time and training to get up to speed. The CISA has gone from a “nice to have,” to a “Why in the world do you not have your CISA?” CISA is a door opener if you have it and a door shutter if you do not….so dig into your wallet and pay for the exam. If you are serious about the IT Audit field, this is an investment that will definitely pay off.

As for other ISACA certifications, both the CISM and CRISC are continuing to gain recognition. Non-ISACA certifications I recommend include the CISSP from the International Information Systems Security Certification Consortium and the CIA from the Institute of Internal Auditors (IIA).

To sum up, with IT audit candidate scarcity as significant as it has been since the initial years of Sarbanes-Oxley compliance, demand for qualified IT audit professionals will likely continue to exceed supply for the foreseeable future. This creates opportunities for those looking to break into the field, and an ISACA membership and certification are the keys to doing just that.

Derek Duval is the owner of Duval Search Associations, which is devoted exclusively to enhancing careers of IT audit, risk management, compliance, and advisory professionals.

Derek Duval, CPC
Duval Search Associates, LLC

[ISACA Now Blog]

English
Exit mobile version