Leonnewton 2016/02/22 stronghold

Translated from: researchcenter.paloaltonetworks.com/2016/02/a-l… Original article by Bryan Lee and Rob Downs.

0x00 Profile


Sofacy, also known as APT28 or Sednit, is a well-known cyber espionage group believed to be linked to Russia. Its targets span the globe, mainly governments and defense organizations, including several Eastern European governments. So many reports of its activity have been published that the group already has its own Wikipedia entry.

From these reports we learn that the group has a rich toolset and a range of tactics: exploiting 0-day vulnerabilities in widely used applications such as Java and Microsoft Office; heavy use of spear phishing; compromising legitimate websites for watering-hole attacks; and targeting operating systems of every kind, including Windows, OS X, Linux and iOS.

One tool Sofacy likes to use is a Linux malware family called Fysbis, which is not particularly sophisticated. Linux security in general, however, is a less mature field, and Linux malware analysis in particular, so it is entirely possible that this tool has helped Sofacy carry out successful attacks.

0x01 Malware Evaluation


Fysbis is a modular Linux Trojan/backdoor that implements its plug-ins and control modules as separate classes. Some analyses place the malware under the group name Sednit. The family includes both 32- and 64-bit ELF files. In addition, Fysbis can install itself on the target system with or without root privileges, which gives the attacker more options when choosing which account to install under.

Summary information for the three samples follows:

Table 1: Sample 1 — Late 2014 Sofacy 64-bit Fysbis

MD5:                   364ff454dcf00420cff13a57bcb78467
SHA-256:               8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb
ssdeep:                3072:n+1R4tREtGN4qyGCXdHPYK9l0H786O26BmMAwyWMn/qwwiHNl:n+1R43QcILXdF0w6IBmMAwwCwwi
Size:                  141.2 KB (144560 bytes)
Type:                  ELF 64-bit (stripped)
Install as root:       /bin/rsyncd
Root install desc:     synchronize and backup service
Install as non-root:   ~/.config/dbus-notifier/dbus-inotifier
Non-root install desc: system service d-bus notifier
C2:                    azureon-line[.]com (TCP/80)
Usage timeframe:       Late 2014

Table 2: Sample 2 — Early 2015 Sofacy 32-bit Fysbis

MD5:                   075b6695ab63f36af65f7ffd45cccd39
SHA-256:               02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592
ssdeep:                3072:9ZAxHANuat3WWFY9nqjwbuZf454UNqRpROIDLHaSeWb3LGmPTrIW33HxIajF:9ZAxHANJAvbuZf454UN+rveQLZPTrV3Z
Size:                  175.9 KB (180148 bytes)
Type:                  ELF 32-bit (stripped)
Install as root:       /bin/ksysdefd
Root install desc:     system kernel service defender
Install as non-root:   ~/.config/ksysdef/ksysdefd
Non-root install desc: system kernel service defender
C2:                    198.105.125[.]74 (TCP/80)
Usage timeframe:       Early 2015

Table 3: Sample 3 — Late 2015 Sofacy 64-bit Fysbis

MD5:                   e107c5c84ded6cd9391aede7f04d64c8
SHA-256:               fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61
ssdeep:                6144:W/D5tpLWtr91gmaVy+mdckn6BCUdc4mLc2B9:4D5Lqgkcj+
Size:                  314.4 KB (321902 bytes)
Type:                  ELF 64-bit (not stripped)
Install as root:       /bin/ksysdefd
Root install desc:     system kernel service defender
Install as non-root:   ~/.config/ksysdef/ksysdefd
Non-root install desc: system kernel service defender
C2:                    mozilla-plugins[.]com (TCP/80)
Usage timeframe:       Late 2015

Overall, these samples are not very sophisticated, but they are effective. They demonstrate that APT actors do not need advanced means to compromise their targets; instead, attackers keep their advanced malware and 0-days in reserve and expend only the resources needed to achieve the objective. Analysts therefore have good reason to use shortcuts and tricks that cut the time needed to assess a threat. That said, analysts should always look for ways to work more efficiently, not more recklessly.

0x02 Using strings to get enough information


Strings can carry a lot of information on their own and improve the efficiency of tasks such as static classification (for example with Yara). Tables 1 and 2 give a good example of Fysbis installation and target platform information.

Figure 1: Fysbis installation and target platform information recovered from strings

From this example we can find the file's installation path and identify the specific Linux version by pattern matching. This is followed by a series of Linux shell commands used to maintain persistence on the target.

Another example is information about the sample's functionality.

Figure 2: Functional information leaked from the string

Figure 2 shows interaction states and return messages that give an analyst an idea of the sample's functionality. Besides aiding static analysis, this can also serve as a starting point for prioritizing subsequent incident response and threat assessment.

0x03 Symbol information can shorten analysis time


Interestingly, the latest ELF 64-bit file (the sample in Table 3) was not stripped before use, so the file retains additional symbol information. Analysts familiar with Windows PE can think of this as the difference between a Debug and a Release build. For comparison, if we look at the strings associated with “RemoteShell” in the stripped Fysbis sample, we find only the following:

Figure 3: Strings associated with RemoteShell in the stripped Fysbis sample

Compared with the unstripped sample:

Figure 4: Strings associated with the RemoteShell function in the unstripped Fysbis sample

Static analysis techniques like this help analysts quickly work out a sample's functionality and, more importantly, are useful for later correlating and discovering similar samples.
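As an added illustration (not code from the original post or from Unit 42) of the two triage tricks above, the strings check of section 0x02 and the stripped/unstripped distinction of this section, the following Python walks an ELF64 section header table to see whether a .symtab survives and searches the printable strings for the cleartext install paths and C2 hosts from Tables 1 and 2. The build_sample_elf helper is a constructed stand-in for the real samples, and Sample 3's encrypted configuration would not match the string check, which is exactly why the symbol work in this section matters.

```python
import re
import struct
# Cleartext artifacts from Tables 1-3 (defanged dots restored). Sample 3 stores its
# install/C2 data encrypted, so it will NOT match here; that case needs the symbol work.
INDICATORS = {
    "Sample 1 (late 2014)": [b"/bin/rsyncd", b"dbus-inotifier", b"azureon-line.com"],
    "Sample 2/3 (2015)": [b"/bin/ksysdefd", b"ksysdef/ksysdefd", b"mozilla-plugins.com"],
}
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr

def section_names(data):
    """Section names of an ELF64 LE file, read from its section header table."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    h = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = h[6], h[11], h[12], h[13]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    off, size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = data[off:off + size]
    return [strtab[s[0]:strtab.index(b"\0", s[0])].decode() for s in shdrs]

def is_stripped(data):
    """A binary stripped before deployment (Tables 1, 2) has no .symtab section."""
    return ".symtab" not in section_names(data)

def printable_strings(data, min_len=6):
    """Rough equivalent of `strings -n 6`: runs of printable ASCII."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Which table's artifacts appear in cleartext, plus whether symbols survive."""
    strs = printable_strings(data)
    hits = {label: [i.decode() for i in iocs if any(i.decode() in s for s in strs)]
            for label, iocs in INDICATORS.items()}
    return {"stripped": is_stripped(data), "matches": {k: v for k, v in hits.items() if v}}

def build_sample_elf(strings, with_symtab):
    """Constructed minimal ELF64 (no code) carrying the given strings; test input only."""
    names = b"\0.shstrtab\0.rodata\0" + (b".symtab\0" if with_symtab else b"")
    rodata = b"\0".join(strings) + b"\0"
    shoff = EHDR.size + len(names) + len(rodata)
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                  # NULL
             SHDR.pack(1, 3, 0, 0, EHDR.size, len(names), 0, 0, 1, 0),                 # .shstrtab
             SHDR.pack(11, 1, 0, 0, EHDR.size + len(names), len(rodata), 0, 0, 1, 0)]  # .rodata
    if with_symtab:
        shdrs.append(SHDR.pack(19, 2, 0, 0, shoff, 0, 0, 0, 8, 24))                    # empty .symtab
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 1)
    return ehdr + names + rodata + b"".join(shdrs)
```

Run triage() over a real sample file's bytes; a 32-bit file such as Sample 2 raises ValueError from section_names, since only the ELF64 layout is parsed here.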

The latest sample also shows minor improvements, most notably obfuscation. The samples in Table 1 and Table 2 reveal their installation information in the clear, unlike the sample in Table 3. Looking at the unstripped sample in a disassembler, the following shows the decryption of the installation information for root accounts.

Figure 5: Assembly code for the installation information of sample 3

In this example the decryption method can be read directly from the symbol information, including the mask, path, name and byte arrays.

Figure 6: Assembly code for the byte arrays of sample 3 associated with installation under root

The decryption algorithm applies one byte array as a mask over another and uses a looping XOR with two keys to produce the installation path, file name and Linux root-account information for the sample. The presence of an INSTALLUSER byte array shows that the sample can also be installed without root. The same decryption routine decrypts the sample's configured C2 information, which further demonstrates how much the completeness of an analysis can be improved with very little work on symbols.

A more detailed analysis of the sample is available here.

0x04 Infrastructure Analysis


As Unit 42 has noted elsewhere, we find that attackers seem reluctant to replace their infrastructure. This may be due to not wanting to spend additional resources, or simply to staying with familiar facilities to keep operations timely. Both are visible in the Fysbis samples used by Sofacy.

The oldest sample (Table 1) talks to the domain azureon-line[.]com, which has been widely identified as a command-and-control domain used by Sofacy. Using passive DNS, we find that this domain initially resolved to two IP addresses, 193.169.244[.]190 and 111.90.148[.]148, which also mapped to other domain names used by Sofacy during this period.

Figure 7: C2 information for Sample 1

The sample in Table 2 is associated with the IP 198.105.125[.]74, also used by Sofacy. This IP is associated with a tool called CHOPSTICK, which you can read about.

Figure 8: C2 information for Sample 2

The latest sample (Table 3) uses a previously unknown domain name, mozilla-plugins[.]com. This follows Sofacy's practice of choosing infrastructure names that resemble those of legitimate companies. Reverse lookups on this domain and its IP turned up nothing previously seen, suggesting that the sample in Table 3 may be related to a new cluster of activity. Comparing the binary of sample 3 with the other two, however, revealed significant similarities at both the code and the behavior level.

Figure 9: C2 information of sample 3

0x05 Conclusion


Linux is a common operating system in businesses and homes, and it comes in many versions. It is popular in data centers and cloud services, and increasingly so in the web and application server markets. Linux is also the basis of Android and several other embedded systems. The benefits of using Linux, especially for commercial companies, can be summed up in three points: low total cost of ownership (TCO), security and a wealth of features. Statistics and comparisons can clearly assess TCO and functionality, but security needs to be studied in more depth. Linux knowledge is in high demand across industry, from systems administration to big-data analysis to incident response.

Most business activity still takes place in Windows environments, which means the core infrastructure also runs on Windows servers (Active Directory, SharePoint and so on). In practice, then, most effort still goes into supporting and protecting Windows facilities. Some IT professionals, especially network defenders, are not familiar with Linux. Identifying and confirming potential threats requires some familiarity with normal operation so that anomalies can be spotted. The same holds for other software in the environment, where what counts as normal depends entirely on the role and function that software plays in the company.

A lack of expertise and understanding of non-Windows platforms increases the risk to a company's security posture. As a recent example, the Linux vulnerability CVE-2016-0728 shows the breadth of potential threats from the platforms involved. Professional and opportunistic attackers, whatever their different motives, increase the risk of platform exposure. Although many believe that Linux's characteristics make it inherently more secure (which is not true), Linux malware and vulnerabilities do exist and have been used by attackers in practice.