Virustracker · 2016/01/11

Citizenlab.org/2015/12/pac…

0x00 Overview


The report describes a massive campaign of trojans, phishing and disinformation attacks targeting several Latin American countries, including Ecuador, Argentina, Venezuela and Brazil. Based on the profile and geographical distribution of the victims, the sponsors of this attack have an interest in the political situation in these areas. Packrat focuses heavily on the political opposition in these areas, on the ALBA alliance (the Bolivarian Alliance for the Peoples of Our America), and on independent media within these countries. ALBA was established through a trade agreement, and its member countries cooperate in many non-economic fields.

In 2015, we first observed a wave of attacks in Ecuador, and we then found a link between those attacks and an operation that had been active in Argentina in 2014. In the Argentine attacks, the attackers were trying to break into the devices of Alberto Nisman and Jorge Lanata. Based on what we know about the operation, we also found that the group’s activities date back to 2008.

In this report, we piece together the activity, including the trojans used, the phishing campaigns, and the CC servers placed in Latin America. Packrat has even created fake online groups in Venezuela and Ecuador. Who is responsible? After reviewing the attackers’ techniques, we concluded that Packrat is most likely a government-sponsored group, and one that is not concerned about its activities, targets, or persistence methods being exposed. However, we do not know exactly who Packrat’s backers are.

0x01 Packrat’s Seven Years in Action


The authors have been independently investigating trojans and phishing in Latin America; in this report we summarize our findings. The main targets of the attacks were in Latin American countries, including Venezuela, Ecuador, Argentina and Brazil. We call the group behind these efforts Packrat, because it likes to use packed RAT trojans and has been reusing the same domain names and servers for years.

Figure 1- Some known Packrat attack targets and activity types

Packrat uses trojans and phishing campaigns to systematically attack high-level politicians, journalists and foreign targets. We found that Packrat used 12 different Trojan CC domains and over 30 Trojan samples over the course of seven years. Packrat also likes to use an interesting attack strategy: it first forms and operates fake opposition groups and news organizations, then uses those groups to spread trojans and carry out phishing attacks.

Some of these fake groups are just names, while others are more elaborate online campaigns. Packrat has also started fake news outlets, but we found no evidence of those outlets being used in trojan or phishing attacks.

Figure 2-Packrat’s main activities

We found Packrat’s earliest activity dating back to at least 2008. By identifying links between network infrastructures, we found several waves of attack activity in which different tools and tactics were used. In this section, we briefly describe some of the network infrastructure used by Packrat at different times and the attacks that were carried out. For a more detailed history of Trojan use, see “3. Evolution of Packrat Trojan Implants.”

Packrat’s biggest attack ever

2008-2013

The tools and infrastructure used by Packrat suggest it has been active since at least 2008. During that time, Packrat used hosting services in Brazil, and trojan samples were also uploaded to popular online antivirus services from Brazilian IP addresses. Some of the messages they sent also contained bait content aimed at users in Brazil. From this we conclude that these activities targeted users in Brazil, but we have not yet identified the victims attacked during this period.

2014

By 2014, Packrat was attacking high-value targets: Argentine lawyer Alberto Nisman, and Jorge Lanata, a well-known journalist and TV host. Maximo Kirchner, son of Argentina’s president, also claimed to have been attacked. Maximo Kirchner posted a phishing email that we have seen, but we have not been able to prove that he was actually attacked. In addition, we found a large number of phishing domains related to Ecuador and Venezuela that were very active during this time.

2015

In 2015, there were a number of phishing and trojan attacks targeting civic groups and public figures, including the Ecuadorian parliament. We observed many phishing domain names and attacks. The operations in this period often take advantage of fake organizations set up by the attackers, who used these fake organizations and disinformation to attack targets in Ecuador and Venezuela.

1.1 Nisman and the attacks in Argentina

In January 2015, Alberto Nisman, a controversial Argentine prosecutor, was found shot dead. Argentine news media reported that the Buenos Aires police department’s investigative laboratory had found a malicious file named “estrictamente secreto y confidencial.pdf.jar” (“strictly secret and confidential”) on his Android phone.

On May 29, 2015, a user in Argentina uploaded a file with the same name to VirusTotal. The file is a remote access tool, AlienSpy, that allows an attacker to log a target’s activities, access their email and webcam, and more. However, the file was built for Windows and did not infect Nisman’s Android phone.

Morgan Marquis-Boire analyzed the AlienSpy sample and determined that the CC server used by the attackers was deyrep24.ddns.net. In addition to the trojans used to attack Nisman, Lanata, and Kirchner, three other samples use deyrep24.ddns.net as their CC server. One of them, MAR PROYECTO Gripen.docx.jar, was built on AlienSpy and disguised as a document about Ecuadorian President Rafael Correa’s discussions with Ecuadorian ambassador Luis Sveden on the purchase of fighter aircraft.

Since the discovery was announced, other targets have emerged. Jorge Lanata, a well-known investigative journalist and television presenter, said he was also attacked by the same Trojan. Maximo Kirchner, the president’s son, has also claimed to be a target. We couldn’t verify Kirchner’s claims, but he did release a screenshot of a phishing email:

Figure 3-Maximo Kirchner shows that he was attacked

He said the email contained an attachment called “Estrictamente Secreto y confidencial.pdf.jar” (67.3 KB), the same trojan that Nisman and Lanata received. In addition, the sender address ([email protected]) claims to be that of the prominent judge Claudio Bonadio. Lanata also received emails purporting to be from Claudio Bonadio ([email protected]).

1.2 Activities in Ecuador

In 2015, a large number of journalists and public figures in Ecuador were targeted by phishing attacks, mainly via email and text messages. We examined the emails; some were not political in nature but were intended to steal users’ social media and email credentials, such as for Gmail. Other emails used political content related to politicians and issues in Ecuador. Further investigation revealed a large-scale campaign and various fake organizations set up by the attackers.

One of the authors of this article developed a Gmail search query that looks for strings related to the attack activity (Appendix A: Search Query). We shared this query with a large number of potential targets and found a lot of phishing activity and suspicious Word (DOCX) documents. Embedded in these documents are RATs written in Java, including Adzok and AlienSpy. We then used identifiers found in the JAR files and updated Gmail queries to identify the various malicious files and domain names used by Packrat (Appendix B: Trojan samples).

We found a connection between the phishing sites and the trojan sites. These sites often share the same registration information or are hosted on the same server. We determined that these trojans typically communicated with daynews.sytes.net and were associated with the activities in Argentina. Eventually, by investigating the daynews.sytes.net infrastructure, we found trojans and infrastructure used in Brazil, as well as fake sites used in Venezuela.

1.3 Common CC infrastructure

This section describes the CC infrastructure used by Packrat. In Appendix B, we provide the full CC domain name, associated binaries, and Trojan family.

The domain name deyrep24.ddns.net used by Packrat was created on November 7, 2014, and at the time of the Nisman attack pointed to the IP address 50.62.133.49, which belongs to GoDaddy. On March 3, 2015, the domain was moved to another GoDaddy address, 192.169.243.65. Passive DNS records show that while deyrep24.ddns.net was using this IP address, daynews.sytes.net, created on March 1, 2015, was also using it. During our joint investigation, we found five trojan samples using this domain name to target journalists and democratic groups in Ecuador.

Figure 4-Packrat CC infrastructure

A search for domains associated with daynews.sytes.net led us to taskmgr.serveftp.com, which resolved to 190.210.180.181 as of August 11, 2014. This IP address belongs to Argentina; daynews.sytes.net used it in its early days and then quickly switched to GoDaddy. For a few days in October 2014 and May 2015, taskmgr.serveftp.com pointed to 190.210.180.181 again. On July 23, 2014, taskmgr.serveftp.com was hosted on 201.52.24.126, an IP address in Brazil that also hosted taskmgr.servehttp.com and taskmgr.redirectme.com. In total, we found 15 trojan samples using either taskmgr.servehttp.com or taskmgr.serveftp.com as CC domains (several samples use both). The earliest sample was compiled on December 14, 2008, which gives us an idea of when Packrat first became active. However, this timestamp could be forged, and we have not found corroborating evidence in other samples.

On July 11, 2014, all the ‘taskmgr’ domain names were hosted at 186.220.1.84, an IP address in Brazil. At the same time, the IP also hosted ruley.no-ip.org. We found a sample that uses both ruley.no-ip.org and taskmgr.servehttp.com as its CC domains. On September 6, 2012, ruley.no-ip.org was hosted at 189.100.148.188, again in Brazil. Two other no-ip.org domains, lolinha.no-ip.org and wjwj.no-ip.org, also used this IP. We found two samples configured to use all three no-ip.org domains as CC servers, three samples using ruley.no-ip.org and wjwj.no-ip.org, and one sample using only ruley.no-ip.org. On August 15, 2014, taskmgr.servehttp.com was hosted at 186.220.11.67, which also belongs to Brazil. This IP simultaneously hosted conhost.servehttp.com and dllhost.servehttp.com. We found two samples configured to use conhost.servehttp.com and dllhost.servehttp.com as CC servers.

In addition, the domains wjwjwj.no-ip.org and wjwjwjwj.no-ip.org are related. On March 25, 2014, wjwj.no-ip.org and wjwjwj.no-ip.org pointed to 179.208.187.216. We have not found samples that use only wjwjwj.no-ip.org or wjwjwjwj.no-ip.org.

The CC servers behind these domains are hosted by Latin American providers, including Administracion Nacional de Telecomunicaciones (Montevideo, Uruguay), NSS S.A. (IPLAN) (Buenos Aires, Argentina), and Claro (Brazil).

Packrat also uses servers in Europe and the United States, including Portlane in Sweden and GoDaddy in the United States.

By identifying these hosting providers, we hope to get the Packrat infrastructure shut down.

0x02 Recent Trojan horse attacks in Ecuador


Packrat is active in many countries, but most of our evidence concerns activity in Ecuador, including its targets and victims. As of this writing, we are still tracking attacks on targets in Ecuador.

Figure 5- Known Packrat targets in Ecuador

Using the email search queries and analyzing trojan samples and CC infrastructure, we collected a large number of trojan and phishing campaigns targeting journalists, public figures, politicians, and others.

2.1 Analysis report on Packrat Trojan in Ecuador

Some of these reports are public; others are social media discussions. The Ecuadorian free-speech organization Fundamedios, for example, has reported that some public figures, news organizations, and Fundamedios leaders received suspicious messages and phishing emails. Fundamedios later updated its report to note that the trojans used the same CC infrastructure as the trojan that attacked Nisman. There are also descriptions of trojan and phishing activity on Twitter. We found many such accounts of Packrat.

2.2 Common Techniques

The attackers were observed using social engineering to spread trojans against targets in Ecuador. In one campaign, we found trojans delivered with political bait content, often about the Ecuadorian opposition. In other cases, the attackers tailored the delivery route to specific targets, mostly via Microsoft Word documents containing malicious Java. In still other cases, the attackers used fake software updates to spread trojans.

Commonly used trojan delivery techniques:

  • Malicious files sent as attachments
  • Trojan links placed on sites controlled by the attackers
  • Google Drive or OneDrive links
  • Pop-ups or fake political website notifications

Packrat’s social engineering relies on sender addresses and websites that impersonate real users and organizations. For example, they registered ecuadorenvivo.co, which looks like the domain of the Ecuador En Vivo news website (ecuadorenvivo.com). Packrat then sends news updates that appear to come from ecuadorenvivo.co (the real Ecuador En Vivo website sends such updates).

Packrat also sometimes mirrors the path of a real news story on the lookalike domain and hides it in the link. For example:

Lookalike domain name

What the target sees:

  • ecuadorenvivo.com/videos/el-m…

The actual malicious link:

  • ecuadorenvivo.co/videos/el-m…
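As an added example (not code from the original report), the following Python script applies the lookalike-domain pattern described above, together with the deceptive “.pdf.jar” attachment naming from section 1.1, to constructed mail-log lines; the legitimate domain list, the sample lines and the edit-distance threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Legitimate domains the targets would expect to see (the report names Ecuador En Vivo).
LEGIT_DOMAINS = ["ecuadorenvivo.com"]

# Constructed sample mail-log lines (not from the report); hosts mirror the pattern it describes.
SAMPLE_LINES = [
    "Subject: noticias | link=http://ecuadorenvivo.com/videos/el-momento",
    "Subject: noticias | link=http://ecuadorenvivo.co/videos/el-momento",
    "Subject: noticias | link=http://ecuadorenvio.co/noticias",
    "Subject: documento | attachment=estrictamente secreto y confidencial.pdf.jar",
    "Subject: informe | attachment=informe.docx",
]

URL_RE = re.compile(r"https?://[^\s|]+")
ATTACH_RE = re.compile(r"attachment=(.+)$")
# Extensions that execute code on double-click, hidden behind a "document" extension.
EXEC_EXT = {"jar", "exe", "scr", "vbs", "js"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo variants of a brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str):
    """Return None for a legitimate host, or a reason string for a suspected lookalike."""
    host = host.lower().strip(".")
    if host in LEGIT_DOMAINS:
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    for legit in LEGIT_DOMAINS:
        lname, ltld = legit.rsplit(".", 1)
        if name == lname and tld != ltld:          # ecuadorenvivo.com -> ecuadorenvivo.co
            return f"tld-swap of {legit}"
        if 0 < levenshtein(name, lname) <= 2:     # ecuadorenvivo -> ecuadorenvio
            return f"typo-variant of {legit}"
    return None


def classify_attachment(name: str):
    """Flag names such as 'x.pdf.jar', where the visible extension hides an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in EXEC_EXT:
        return f"double extension .{parts[1]}.{parts[2]}"
    return None


def triage(lines):
    """Scan log lines for lookalike links and deceptive attachments; returns (item, reason) pairs."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            reason = classify_host(urlparse(url).hostname or "")
            if reason:
                findings.append((url, reason))
        m = ATTACH_RE.search(line)
        if m:
            reason = classify_attachment(m.group(1).strip())
            if reason:
                findings.append((m.group(1).strip(), reason))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LINES):
        print(f"{reason}: {item}")
```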

2.3 Three attacks

To illustrate the Packrat attack method, three recent attacks are described in detail in this section. The three attacks took place between spring 2015 and autumn 2015. The targets included journalists and public figures in Ecuador.

2.3.1 Attack 1: Emails from the fake opposition

In April 2015, multiple targets received emails from the “Movimento anti-Correista” (Anti-Correa movement), a fictional opposition group created by the attackers. Microsoft Word attachments containing the Adzok Trojan were used in these emails, along with text and images to add credibility to the messages.

Figure 6- Message sent by “Movimento anti-Correista”

The email had several purposes: evidently to entice the target to download and view the document, but also, it seems, to establish the legitimacy of the domain name and the group’s identity.

Malicious attachment

  • Name: La Jugada Sucia De Correa ante La Oposicion
  • Type: Microsoft Word Document File (.docx)
  • MD5: ea7bcf58a4ccdecb0c64e56b9998a4ac

Figure 7- Malicious mail

Embedded in this document is a tool called “Adzok – Invisible Remote Administrator”.

2.3.2 Attack 2: You are being watched!

The purpose of this attack is to cause panic and worry in the target, so as to induce them to open malicious files. The phishing email was tailored to the target and claimed that they were being monitored by SENAIN, Ecuador’s state intelligence service. The attachment purports to be a list of Twitter users monitored by SENAIN. Interestingly, the email was sent in the name of “Guillermo Lasso,” the unsuccessful candidate in the last presidential election.

Figure 8- The author claims to be “Guillermo Lasso”, a failed candidate in the last presidential election

As in the first attack, the trojan does not exploit a vulnerability; it requires the victim to double-click the file and accept all pop-ups before it executes.

Figure 9- Document requiring target clicks

Once the user double-clicks the image, the target is infected with the AlienSpy trojan. By examining the trojan’s configuration file, we found that it used the CC server daynews.sytes.net, a domain that Packrat often uses in attacks. Interestingly, the same decoy document (same MD5) was used in several other attacks.

2.3.3 Attack 3: “Exclusive information about Correa lying”

This attack used a fake political website with malicious content, and the malicious email directed victims to the site. Interestingly, the attack tried to trick the target into believing it was the legitimate site of the journalists’ group Focus Ecuador. Packrat appears to control the .tk and .info domains.

For information on Correa lying, see the video: focusecuador.tk/

The message also includes a tracking image from mesvr.com, a domain that ReadNotify uses to track messages. The attacker appears to be trying to obtain more information about the target, such as the IP address from which the message was opened.

The focusecuador.tk website contains content copied from legitimate sites, but also displays a Flash update notification to victims. When clicked, the link triggers the download of “plugin_video.jar”.

Figure 10- Fake Flash update

This is not a Flash update but a remote access trojan, AlienSpy/Adwind. When executed, the Java-based trojan communicates with the Packrat CC server 46.246.89.246 (daynews.sytes.net). Analyzing the trojans, we found that the samples LOS TUITEROS ESPIADOS POR SENAIN.docx and LOS Trinos de Rafael Correa.docx carry the same configuration.

Attack 3: binary

  • Name: plugin_video.jar
  • Type: Java Archive (JAR)
  • MD5: 74613eae84347183b4ca61b912a4573f

2.4 Packrat speaks!

During our analysis of Attack 3, a Packrat attacker began communicating with a Citizen Lab researcher in Spanish and English on the infected machine.

Figure 11- Threats and abuse appear on the Citizen Lab researcher’s screen

The invective is displayed as a pop-up or text in Internet Explorer. The attacker threatened our researcher, “You’re playing with fire now, and you’ll die!” Some of the messages are not in conventional Spanish, which can be used to infer the attacker’s native language.

The attackers also used the Windows text-to-speech feature to play Spanish-language audio on infected computers to intimidate our researchers.

In October, the attacker again intimidated a researcher and then used the implanted trojan to remotely shut down the infected device.

Such cases are rare; few attackers make contact with researchers, because it is not safe for them to do so. It is possible that Packrat had seen earlier attempts to handle or analyze its files, especially after its infrastructure was exposed. Because Packrat likes to keep its infrastructure online, it does not welcome outside attention.

0x03 Evolution of Packrat Trojan Implants


Over the past seven years, Packrat has used several different trojans, mostly off-the-shelf RATs such as CyberGate, Xtreme, AlienSpy, and Adzok. Although these trojans are well known to researchers, Packrat uses a number of tools to obfuscate them, including an unknown VB6 crypter, AutoIt3Wrapper, UPX, PECompact, PEtite, and the Allatori obfuscator. This obfuscation helps Packrat’s implants evade detection. In this section, we introduce these tools, grouped by period.

Figure 12- The Packrat Trojan family

3.1 2008-2014: Packed RATs, mainly CyberGate RAT

Between 2008 and 2014, Packrat made extensive use of existing RATs, wrapping them with AutoIt3Wrapper. The wrapper is written in AutoIt, a scripting language for automating Windows tasks. The obfuscation can defeat detection, and the wrappers also use some basic anti-debugging techniques.

Many of the trojans deployed by the attackers were CyberGate RATs. In 2013 and 2014, Packrat also appears to have adopted XtremeRAT. Both CyberGate and Xtreme are written in Delphi and share code with two other Delphi-based trojans, SpyNet and Cerberus.

In many attacks, Office documents were used as decoys that opened when the Trojan was implanted. Among the decoy files we found were resumes of Brazilian job applicants and payment slips from the Brazilian Bar Federation.

Figure 13- A resume

These attacks suggest that some of Packrat’s targets during this period were Portuguese speakers; the decoy files were made specifically for targets in Brazil.

Figure 14- Payment documents

We found a large number of trojans from this period communicating with the CC domain taskmgr.servehttp.com, as well as with ruley.no-ip.org, lolinha.no-ip.org, and taskmgr.serveftp.com.

3.1.1 Analysis of CyberGate RAT

The CyberGate RAT samples we analyzed are typically wrapped in a layer of AutoIt. The code and strings in the binary indicate that this trojan is based on Spy-Net RAT version 2.6. Spy-Net was developed by a Brazilian developer using the handle spynetcoder, as noted on the “official website” of Spy-Net RAT.

CyberGate’s infection routine

Once unpacked, CyberGate enters its second stage and runs the infection routine, which injects third-stage DLLs into running processes. After implantation, CyberGate sets up persistence and monitors the victim.

The third-stage module takes one of three execution paths, depending on a mutex:

  • Password collection (mutex: “_x_X_PASSWORDLIST_X_x_”)
  • Blocking mouse and keyboard input from other applications (mutex: “_x_X_BLOCKMOUSE_X_x_”)
  • The infection routine

CyberGate anti-analysis

The infection routine carries its own anti-analysis checks, packaged in a separate function. CyberGate looks for virtual machine and sandbox environments, checks for a debugger through the IsDebuggerPresent API, and looks for SoftICE and Syser through pipes. The trojan also determines whether a software breakpoint has been set at a function entry by checking whether the first byte of each function is 0xCC (the INT3 opcode).

Figure 15- CyberGate anti-analysis

CyberGate process injection

The infection routine takes the encrypted implant from the resource section, decrypts it, and attempts to inject it into the Windows shell process (explorer.exe). If that fails, CyberGate starts its own explorer.exe process, injects the implant into it, and then completes setup. In addition, another CyberGate instance is injected into a hidden instance of the default browser.

The infection routine copies itself to a different directory depending on the Windows version: /System, /Windows, or /Program Files. The name of the implant also varies: taskhost.exe, regedat.exe, and taskmgr.exe are commonly used. The infection routine also writes an encrypted copy of the implant to the %TEMP% directory under a name of the form XX-XX-xx.txt.

For persistence, the second stage writes registry keys so that CyberGate runs at boot:

Password collection

If tasked with collecting passwords, the second-stage binary gathers them from multiple locations: the No-IP Dynamic Update Client (DUC), MSN Messenger, Firefox, and Internet Explorer. Login credentials are obtained from the Windows registry, browsers, RAS dial-up settings, Local Security Authority (LSA) settings, MS Protected Storage, MS IntelliForms, and the credential stores.

CyberGate’s functionality

CyberGate runs two routines. The first runs in the default browser process, while the explorer.exe routine acts as a “watchdog” that maintains the trojan and ensures that the infection routine’s binary is not removed from disk.

Figure 16- Searching for the Spy-Net installation identifier

The CyberGate implant has the same credential-stealing functionality as the infection routine and can additionally harvest Chrome and Steam credentials. Also inherited from the infection routine are the same anti-analysis routines for detecting sandboxes and debugging tools.

In addition to the features seen in infection routines, CyberGate provides attackers with complete monitoring and remote control capabilities.

CyberGate’s capabilities include:

  • Collect detailed system information
  • Enable and control webcam and microphone
  • Screen capture
  • Blocking user input (e.g. keyboard, mouse)
  • Control processes, windows, applications, devices, disks, ports, TCP and UDP connections, the clipboard, registry keys and registry values
  • Control the file system
  • Download and execute binaries
  • Exfiltrate data over FTP
  • Collect information about installed security products

Interestingly, CyberGate launches cscript.exe on a hard-coded VBS script that collects information about the security products installed on the system through Windows Management Instrumentation (WMI). The script queries the name and version of the installed antivirus and firewall products and writes the data out to a file:

The collected data is stored in a dump file on disk, which is then sent to a remote server via HTTP or FTP.

3.1.2 Analysis of XtremeRAT

XtremeRAT is a commercially available trojan often used to monitor victims’ machines. Although it has been used by non-political hackers, it has also been used by government hackers against the opposition during the Syrian civil war, and by politically motivated hackers in the Middle East and North Africa.

Although it is often packed, XtremeRAT itself has limited stealth and persistence capabilities, and its monitoring functions are also straightforward. The version of XtremeRAT we analyzed did not use obfuscation. XtremeRAT is implemented as a client/server architecture in which the infected machine acts as the server and the CC acts as the client.

This version of XtremeRAT has the following features:

  • Recording keyboard input
  • Recording the name of the foreground desktop application
  • Sniffing the clipboard for passwords
  • Downloading and executing a binary via HTTP, presumably a second-stage trojan

Figure 17- Installing the keylogger module of XtremeRAT

XtremeRAT’s operation and keylogging capabilities

XtremeRAT installs a clipboard viewer through its keylogger window to sniff the clipboard contents. Whenever the clipboard content changes, the clipboard viewer receives the WM_DRAWCLIPBOARD window message and reads the clipboard. Clipboard and keystroke data are dumped to a .dat file, alongside the configuration file (.cfg), in the current user’s […]\Application Data\Microsoft\Windows folder. The file names are determined by the XtremeRAT configuration.

XtremeRAT data files

Dump files are transferred over FTP. XtremeRAT ships with placeholder FTP credentials (ftpuser/ftppass) for logging into ftp.ftpserver.com; at run time these are replaced with updated values issued by the CC.

XtremeRAT also creates a mutex (such as “RJokLSZBjPERSIST”) following the naming convention of its configuration and dump files. The XtremeRAT configuration is read from the .rsrc section, where it is stored encrypted with RC4 under the key “CONFIG”. Other XtremeRAT variants have used the same algorithm and key.

This XtremeRAT variant uses explorer.exe to host remote threads for specific functionality. Thread injection occurs in at least three cases.

XtremeRAT explorer.exe injections:

  • A “watchdog” thread that restores registry values and locates and re-executes the infection routine. To improve concealment, the dropper modifies the timestamp of the infection routine.
  • A thread responsible for deleting XtremeRAT files on disk
  • The full keylogging code and FTP transfer function

3.2 AlienSpy: 2014-2015

For the past two years, Packrat has been using the latest AlienSpy trojan. The software began as a free RAT, “Frutas,” which was identified in a Mexican campaign in 2013. It was then modified and sold as the “premium RAT” Adwind, at $75 per license or $250 for multiple licenses. Then, in 2013, Adwind was renamed UNRECOM and was detected in multiple campaigns targeting the Middle East.

The software, more recently known as AlienSpy, is believed to have been used in some targeted espionage operations. At the time of writing, the RAT had been repackaged again under the name JSocket. In this report we call all variants “AlienSpy.” AlienSpy’s features include recording the victim’s keystrokes, recording ambient sound through the built-in microphone, remotely viewing the victim’s desktop, and covertly turning on the victim’s webcam.

3.2.1 Packrat’s deployment of AlienSpy

From 2014 to early 2015, Packrat favored sending AlienSpy as an attachment to phishing emails, usually with the extension ‘.pdf.jar’. Windows hides file extensions by default, so users see only .pdf. During this period, all samples were built in a similar manner with little variation. Each is a .jar (Java Archive) file containing a META-INF folder and two files, favicon.ico and Principal.class. When executed, Principal.class unpacks the contents of “favicon.ico” (not an icon file but a .zip archive) and looks for files with “.jar” in their names.

The contents of favicon.ico

Once the right file is found (here, 0doc.jar), it is written to a temporary file with a random name plus a constant string, and Java is invoked to run it.

The JAR file inside favicon.ico

“Main.class” is obfuscated with Allatori, a JVM obfuscator from Russia that AlienSpy uses.

First, part of the RC4 key is read from the “ID” file and a constant string is appended; the full RC4 key is then used to decrypt the contents of manifest.mf, yielding the real Adwind JAR file.

AlienSpy in MS Office documents

In 2015, Packrat began sending AlienSpy implants via .docx files. This method of hiding the file is more complex but similar to the earlier technique. Unpack the infected Word document and you find an “oleObject1.bin” file in the word/embeddings directory. Opening this JAR file yields:

As in Packrat’s earlier AlienSpy obfuscation, part of the decryption key is stored in a .txt file. The other half is a string obtained after decrypting the abcdefghijk[a,f,j, S,u,z].class file.
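The following Python triage script is an added example, not code from the report or from the malware: it builds a constructed stand-in for the layered layout described in 3.2.1 (outer JAR, favicon.ico that is really a ZIP, nested 0doc.jar with an ID key fragment and an RC4-encrypted manifest.mf), walks it layer by layer, and lists the word/embeddings objects of a constructed .docx. The key suffix, the nested file contents and the .docx sample are placeholders; the same rc4() routine applies to the XtremeRAT configuration described in 3.1.2, whose key is “CONFIG”.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0"
# Placeholder for the constant AlienSpy appends to the ID fragment; the real value is not published here.
KEY_SUFFIX = b"PLACEHOLDER_CONSTANT"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling then keystream XOR); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def zip_bytes(entries: dict) -> bytes:
    """Build a ZIP/JAR in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def is_zip(data: bytes) -> bool:
    return data[:2] == b"PK"


def build_sample_dropper() -> bytes:
    """Constructed stand-in for the .pdf.jar layout in 3.2.1 (not a real sample)."""
    final_jar = zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                           "Payload.class": b"\xca\xfe\xba\xbe placeholder class"})
    fragment = b"k3y-fragment"
    inner_jar = zip_bytes({"Main.class": b"\xca\xfe\xba\xbe placeholder loader",
                           "ID": fragment,
                           "manifest.mf": rc4(fragment + KEY_SUFFIX, final_jar)})
    favicon = zip_bytes({"0doc.jar": inner_jar})  # a ZIP, not an icon
    return zip_bytes({"META-INF/MANIFEST.MF": b"Main-Class: Principal\n",
                      "favicon.ico": favicon,
                      "Principal.class": b"\xca\xfe\xba\xbe placeholder unpacker"})


def build_sample_docx() -> bytes:
    """Constructed .docx with an embedded object under word/embeddings (not a real sample)."""
    return zip_bytes({"[Content_Types].xml": b"<Types/>",
                      "word/document.xml": b"<w:document/>",
                      "word/embeddings/oleObject1.bin": build_sample_dropper()})


def triage_jar(jar_bytes: bytes) -> dict:
    """Walk outer JAR -> favicon.ico -> nested JAR -> RC4 layer and report each finding."""
    report = {"favicon_is_zip": False, "nested_jars": [], "decrypted_is_jar": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as outer:
        if "favicon.ico" not in outer.namelist():
            return report
        favicon = outer.read("favicon.ico")
    if not is_zip(favicon):
        return report
    report["favicon_is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(favicon)) as fav:
        for name in fav.namelist():
            if not name.lower().endswith(".jar"):
                continue
            report["nested_jars"].append(name)
            with zipfile.ZipFile(io.BytesIO(fav.read(name))) as inner:
                names = inner.namelist()
                if "ID" in names and "manifest.mf" in names:
                    plain = rc4(inner.read("ID") + KEY_SUFFIX, inner.read("manifest.mf"))
                    report["decrypted_is_jar"] = is_zip(plain)  # real JAR if it starts with PK
    return report


def find_embedded_objects(docx_bytes: bytes) -> list:
    """List word/embeddings entries with a rough type taken from their magic bytes."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        for name in doc.namelist():
            if name.lower().startswith("word/embeddings/"):
                head = doc.read(name)[:4]
                kind = "zip" if head[:2] == b"PK" else "ole" if head == OLE_MAGIC else "other"
                found.append((name, kind))
    return found


if __name__ == "__main__":
    print(triage_jar(build_sample_dropper()))
    print(find_embedded_objects(build_sample_docx()))
```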

Persistence is implemented by adding the following values to the registry:

3.2.2 Adzok appears

During 2014-2015, Packrat also used Adzok (“Invisible Remote Administrator”). Similar in features to AlienSpy, this Java-based RAT apparently comes from Bolivia. The premium version costs $990, but Packrat appears to use the free version. This version of Adzok does not use obfuscation, making it easy to unpack the JAR from the .docx document and read the plaintext configuration file. Given that the other trojans used by Packrat are obfuscated, it is surprising that Packrat would use such a trojan. Stability, compatibility or detection problems with the other RATs may have led Packrat to use Adzok.

0x04 Packrat’s long fishing campaign


Packrat has been using fishing activities to attack the same organizational and personal targets. We found that Packrat attacked these personal targets at the same time, using both trojans and phishing. The domain names and false identities used in the Trojan are also used in the phishing campaign, and Packrat maintains dedicated phishing sites and servers. Although phishing emails are sent regularly, we also observed Packrat occasionally sending phishing emails to contact targets.

We’ve basically systematically understood Packrat’s actions against targets in Ecuador, but there’s evidence that Packrat is also attacking targets in neighboring countries, including Venezuela. Packrat uses email and social media messages, as well as text messages, to initiate phishing messages.

This section describes Packrat’s phishing activity, covering both political and non-political themes.

4.1 Phishing content with non-political themes

The most common phishing lures are password verification requests, unauthorized-login notifications and similar messages disguised as coming from email services or social media sites. Packrat makes extensive use of templates imitating email providers, including Gmail, Yahoo and Hotmail. Most of the emails are in Spanish, and the content is customized to the target, including their name and email address.

Figure 18 - Sample phishing email

Depending on the purpose of the attack, a phishing email may contain the phishing URL directly or a link through a URL-shortening service.

4.1.1 Recent non-political phishing

Recently, the attackers appear to have modified their techniques slightly. We observed them using the TinyURL shortening service and relocating phishing sites to the free hosting domain cu9.co. The attackers may believe that using a free provider reduces cost and increases flexibility.

Phishing URLs and shortened URLs seen recently:

  • tinyurl.com/nww83ov Yields: main-latam-soporte-widget-local.cu9[dot]co

4.1.2 Non-political phishing text messages

A large number of Packrat targets also received phishing text messages. These use similar language to the phishing emails and sometimes the same shortened URL. In some cases the attackers also warn that the account will be suspended if the user does not click the link. In one case we found a message containing an unusual email address.

Figure 19 - A phishing text message with a non-political theme

4.2 Phishing activity with political themes

We observed a large number of emails and messages with political content. Packrat attacks in two ways: by creating fake political and media organizations, and by masquerading as a well-known group or individual. The attackers often use current news events as the content of their texts and emails; most of it concerns criminal cases.

While most phishing emails appear to come from email services or social media sites, in certain cases Packrat masquerades as the email service used by a high-level target, such as Ecuador’s National Assembly.

4.2.1 Attack on the Ecuadorian Parliament

Packrat has launched phishing attacks disguised as the email portal of Ecuador’s National Assembly. The malicious site tricks victims into entering their email credentials:

  • asambleanacional-gob-ec.cu9.co

The legitimate domain is:

  • http://mail.asambleanacional.gob.ec/

4.2.2 A typical credential stealing page

Whatever the lure, the link in the phishing message (usually a shortened URL) typically leads the victim to a domain resembling that of a free email provider. In the summer of 2015, Packrat used a Google-like domain, and they also used several other domains:

  • mgoogle.us

In the attack, mgoogle.us was disguised as a Spanish-language Google login interface.

Figure 20 - mgoogle.us masquerades as a Spanish-language Google login page

Once victims enter their login information, they are shown a message in Spanish “confirming” that their Gmail account has been unlocked and thanking them for “choosing us”.

Figure 21 - Message in Spanish “confirming” that the Gmail account has been unlocked

In other cases, Packrat sends a “confirmation” email to the victim’s address, congratulating them on their “successful verification”. In some cases this email was sent before the attackers had accessed the phished account.

Although these phishing campaigns used different tools to collect credentials, we found that Packrat reused the legitimate Formmail.com service to receive phished credentials.

4.3 A sample of phishing/Trojan sites

The attackers control a wide range of domain names used for phishing or for spreading Trojans. In this section we analyze the characteristics of this infrastructure. The phishing page mgoogle.us, for example, resolves to several IP addresses, including:

Of these, the first IP (198.12.150.249) is particularly interesting. We found several suspicious domains with similar themes hosted at this address. Some are disguised as login or update pages (such as sopporte-gmail.com or login-office365.com), and others as political sites.

WHOIS

These sites are registered to [email protected]. With two exceptions, all of them look like login pages or service-update pages, for example for Android and Java. The two exceptions are lavozamericana.info and pancalien.info, which were registered at the same time as the other phishing domains.

4.3.1 Fake news websites

Ecuadorenvivo.com is a legitimate news site, but the attackers registered a similar domain, ecuadorenvivo.co. Packrat uses the fake domain to send targets emails containing Trojan attachments or links to malicious websites, and the Trojan is delivered to the victim’s device under the guise of a plug-in.

A Twitter user spotted the fake plug-in notification in May 2015.

Figure 22 - Bogus plug-in notification

Similarly, Focusecuador.net is a legitimate news site, but the attackers registered a similar domain, focusecuadore.tk, which used fake pop-ups to spread the Trojan. By checking the IP address of focusecuadore.tk (193.105.134.27), we found many more similar domain names.
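The pivot used in 4.3 and 4.3.1 (take one known phishing domain, look at the IP it resolves to and the registrant it shares, and collect the other domains sitting on the same address or registered to the same email) can be expressed as a breadth-first walk over a domain/IP/registrant graph. Below is an added example of that walk; it is not the Citizen Lab report’s tooling. The records are constructed: the two IP addresses and most of the domain names are taken from the report, while the registrant emails (redacted in the report), the 198.51.100.x and 192.0.2.x addresses and the *.example domains are placeholders. The hop limit and the fan-out cut-off are the two controls that keep such a pivot from swallowing a whole shared-hosting provider.

```python
"""Pivot from a known phishing domain over shared IPs and registrant emails.

Added example, not the Citizen Lab report's tooling. RECORDS is constructed:
the 198.12.150.249 / 193.105.134.27 addresses and most domains come from the
report; registrant emails, 198.51.100.x / 192.0.2.x and *.example are placeholders.
"""
from collections import deque

PRIVACY_MARKERS = {None, "", "privacy-protected"}   # never pivot on a proxy registrant

RECORDS = [
    # (domain, resolved IP, registrant email)
    ("mgoogle.us", "198.12.150.249", "registrant-a@example.invalid"),
    ("sopporte-gmail.com", "198.12.150.249", "registrant-a@example.invalid"),
    ("login-office365.com", "198.12.150.249", "registrant-a@example.invalid"),
    ("lavozamericana.info", "198.12.150.249", "registrant-a@example.invalid"),
    ("pancalien.info", "198.12.150.249", "privacy-protected"),
    ("pancalien.info", "198.51.100.7", "privacy-protected"),     # constructed second address
    ("second-hop.example", "198.51.100.7", None),                 # constructed, two pivots away
    ("focusecuadore.tk", "193.105.134.27", None),
    ("ecuadorenvivo.co", "203.0.113.10", "registrant-b@example.invalid"),
    ("mgoogle.us", "192.0.2.1", "registrant-a@example.invalid"),  # constructed shared-hosting IP
] + [(f"tenant{i}.example", "192.0.2.1", None) for i in range(6)]  # unrelated co-tenants


def build_graph(records, max_fanout=25):
    """Bipartite adjacency 'domain:x' <-> 'ip:y' / 'email:z', insertion-ordered.

    A pivot node shared by more than max_fanout domains is dropped: shared
    hosting or a CDN address would otherwise glue unrelated sites together.
    """
    adj = {}

    def link(a, b):
        adj.setdefault(a, [])
        adj.setdefault(b, [])
        if b not in adj[a]:
            adj[a].append(b)
        if a not in adj[b]:
            adj[b].append(a)

    for domain, ip, email in records:
        link(f"domain:{domain}", f"ip:{ip}")
        if email not in PRIVACY_MARKERS:
            link(f"domain:{domain}", f"email:{email}")
    for node in [n for n in adj if not n.startswith("domain:")]:
        if len(adj[node]) > max_fanout:
            for d in adj[node]:
                adj[d].remove(node)
            del adj[node]
    return adj


def pivot(records, seed, max_hops=2, max_fanout=25):
    """Domains reachable from seed: {domain: (hops, pivot node it was reached through)}."""
    adj = build_graph(records, max_fanout)
    start = f"domain:{seed}"
    seen = {start: (0, None)}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        hops, _ = seen[node]
        for nxt in adj.get(node, []):
            if nxt in seen:
                continue
            is_domain = nxt.startswith("domain:")
            seen[nxt] = (hops + 1 if is_domain else hops, node)
            if is_domain and hops + 1 >= max_hops:
                continue        # record it, but do not pivot further from it
            queue.append(nxt)
    return {n[len("domain:"):]: (h, via)
            for n, (h, via) in seen.items()
            if n.startswith("domain:") and n != start}


if __name__ == "__main__":
    for domain, (hops, via) in sorted(pivot(RECORDS, "mgoogle.us", max_fanout=5).items()):
        print(f"{hops} hop(s)  {domain:24s} via {via}")
```

Starting from mgoogle.us with a fan-out cut-off of 5, the walk returns the four other domains on 198.12.150.249 at one hop and the constructed second-hop domain at two hops, while the six co-tenants on the constructed shared-hosting address are never reached because that address exceeds the cut-off; raise the cut-off and they appear, which is exactly the false-positive mode an analyst has to watch for.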

4.3.2 Fake news organizations: The Voice of America?

The second interesting domain is lavozamericana.info, which is no longer active. However, we did find a Twitter account and some tweets that seem intended to make the domain look legitimate.

  • https://twitter.com/voz_americana

Interestingly, the fake Twitter identity had at least some success: some of its followers may have fallen for it. Although the site is no longer active, Google Cache indicates that it once hosted a phishing page.

Figure 23 - Google Cache shows that there was a phishing page on this site

4.3.3 A fake opposition movement

We found that many targets received emails and messages from movimientoanticorreista.com, which were part of the attack campaign described above (campaign 1). The domain was also used by the attackers in a Trojan attack on Ecuadorian journalists. The Trojan messages associated with this domain were sent from [email protected].

Another email from the anti-Correa campaign

4.4 A window into the scope of operations

Some of Packrat’s activity gives a more systematic view of the scale of the attacks. During March 2015, we observed Packrat repeatedly using the same bit.ly link in its campaigns:

  • http://bit.ly/1wl3YE2

This link was created on October 30, 2014. Examining the bit.ly link statistics gives an idea of the scale of the operation, its timing, and the geographic distribution of clicks.

Figure 25 - Scale, timing and geographic distribution of clicks on the link

Most clicks came from Ecuador, with others from Argentina, Germany, the United States, Spain, Uruguay and Venezuela. The absence of Brazil is not surprising, since the attackers would have used Portuguese-language sites to target Brazil. This gives an indirect picture of where Packrat’s targets are.

The majority of hits (322) came from direct links rather than shares. Most of the hits on the bit.ly link did not come from social networks, because Packrat does not use social media to spread the link.

4.5 Note: Not all phishing activity is related

In the course of this investigation we found some phishing campaigns that used Spanish-language lures against individual targets Packrat had previously attacked, but we have good reason to believe these campaigns were not connected to Packrat. One notable campaign used gmail.com.msg07.xyz, disguised as a Gmail account notification. Typically, such messages appear to come from an address like [email protected]. Some targets receive these messages every few weeks.
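The credential-stealing domains in 4.2.2 and 4.3.1 and the unrelated campaign in 4.5 together cover the usual lookalike patterns: a brand name with a letter prepended (mgoogle.us), a government domain flattened into a hyphenated label on a free host (asambleanacional-gob-ec.cu9.co), the same name under another suffix (ecuadorenvivo.co), a near-miss spelling (focusecuadore.tk) and a real brand domain used as a subdomain of an unrelated zone (gmail.com.msg07.xyz). The checker below is an added example, not from the report; it scores a hostname against a constructed allow-list of protected domains and names the pattern matched, which is what a mail-gateway or DNS-log rule needs to explain a block. The multi-label suffix table is a stand-in for the Public Suffix List.

```python
"""Flag hostnames that imitate a protected brand domain.

Added example, not from the Citizen Lab report. PROTECTED is a constructed
allow-list; the hostnames exercised below are the lookalikes the report documents
plus constructed ones such as goggle.com.
"""

PROTECTED = [
    "google.com", "gmail.com", "office365.com",
    "asambleanacional.gob.ec", "ecuadorenvivo.com", "focusecuador.net",
]

# Public suffixes of more than one label that occur in the sample set.
# A real deployment would load the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"gob.ec", "com.ec", "co.uk"}


def registrable(host):
    """Registrable domain: the label just below the public suffix, plus the suffix."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(host, protected=PROTECTED):
    """Return [(brand, reason)] for every protected domain the host imitates.

    Checks run from the most specific pattern to the least, so each brand
    yields at most one reason. A host whose registrable domain is the brand
    itself (mail.brand.tld) is legitimate and produces nothing.
    """
    host = host.lower().strip(".")
    reg = registrable(host)
    first = reg.split(".")[0]
    findings = []
    for brand in protected:
        brand_reg = registrable(brand)
        if reg == brand_reg:
            continue
        brand_label = brand_reg.split(".")[0]
        if host.startswith(brand_reg + "."):
            reason = "brand domain used as a subdomain of an unrelated zone"
        elif brand_reg.replace(".", "-") in host:
            reason = "brand domain with dots rewritten as hyphens"
        elif first == brand_label:
            reason = "brand name under a different public suffix"
        elif brand_label in first:
            reason = "brand name embedded in the registrable label"
        elif levenshtein(first, brand_label) <= 2:
            reason = "registrable label within two edits of the brand"
        else:
            continue
        findings.append((brand, reason))
    return findings


if __name__ == "__main__":
    for h in ["mgoogle.us", "asambleanacional-gob-ec.cu9.co", "ecuadorenvivo.co",
              "focusecuadore.tk", "gmail.com.msg07.xyz", "mail.asambleanacional.gob.ec"]:
        print(f"{h:32s} {lookalike_findings(h)}")
```

The order of the checks matters: the hyphen-flattening test has to run before the embedded-label test, otherwise asambleanacional-gob-ec.cu9.co would be reported only as a generic embedding and the more telling pattern would be lost. The edit-distance threshold of two is deliberately tight; on short brand labels anything looser produces noise.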

0x05 Sites probably meant to deceive targets

Not all Packrat domains are designed to spread Trojans or steal victims’ passwords. Several domains masquerade as news sites, and some of their political content is original. At least two of these sites are aimed at Venezuela and one at Ecuador.

We have found no evidence that any of these three sites spread Trojans or hosted phishing. They may serve other purposes.

5.1 Anti-Chávez: the very strange pancalien.info

Note: pancalien.info went offline before we published this report, but it can still be viewed in Google Cache. The second domain, chavistas24.com, is still online.

Of the domains at 198.12.150.249, the most interesting is pancalien.info. At first glance it is a news and information site focused on Venezuela. Unlike the other sites on this IP, it carries a lot of original news content.

Nevertheless, the site has many connections to the other domains. Although its registration information is hidden, the other phishing sites on the same address use the same registrant email address.

Pancalien.info’s WHOIS information is privacy-protected, but its registration can still be verified.

Figure 26 - Pan Caliente’s website as it appeared in October 2015

Closer examination shows that most of the content is designed to appeal to Venezuelans opposed to Chávez’s party, both at home and abroad. Some reports on the site are interesting because they claim to be based on personal files but do not say where those came from.

In other instances, the site reported what it called “leaked” files, some of them related to the PSUV. There were also many reports about alleged criminals in Venezuela’s diaspora, especially the Jewish diaspora in Spain.

PanCaliente is also cited elsewhere, for example in a leaked file on SlideShare. Other online news sites have also cited its stories.

Although there is a lot of content, PanCaliente articles carry no byline. The site is associated with a Twitter account (twitter.com/pancaliente…) that is very active, while the associated Facebook account (twitter.com/pancaliente…) shows very little activity. As the Wayback Machine shows, PanCaliente has only recently become active.

Figure 27 - PanCaliente on the Wayback Machine

Interestingly, some of the first reports published on this site were written when it was still called “Venezuela365.com”.

Figure 28 - The site’s early logo, also visible in its directory structure

Figure 29 - The current PanCaliente logo

The site’s change of logo can also be traced online. A report cited the website venezuela365, and interestingly that first report also mentioned “secret” information, including remade invoices, without explaining its source.

  • http://pancaliente[.]info/los-negocios-secretos-de-leocenis-garcia-y-gonzalo-tirado/

The page’s sources also include Venezuela365.com:

  • “http://venezuela365.com/wp-content/uploads/2014/10/tirado-g-300x169.jpg”

An image with the same name now appears in the same directory on pancalien.info.

The domain Venezuela365.com is registered through DomainsByProxy, but earlier WHOIS records show it was registered by Sistekon Corp. Sistekon Corporation seems to be defunct now, but information about it is available at Archive.org: the company developed IT software and sold security solutions. Given that the domain expired in 2013 but was re-registered in 2014, around the same time pancalien.info was registered, the connection between the two could be coincidental.

We found no evidence that PanCaliente or Venezuela365 was used to spread Trojans or to carry out phishing.

5.2 Pro-Chávez: Chavistas24.com

The domain chavistas24.com appears to be a pro-Chávez site with a lot of content supporting Chávez’s party.

Figure 30 - Chavistas24.com

Chavistas24.com also has a Twitter account whose tweets mostly cite articles posted on the site.

  • https://twitter.com/chavistas24/

Figure 31 - Twitter account of Chavistas24

We found no evidence that Chavistas24.com was ever used to spread Trojans or carry out phishing.

5.3 Seeking out the police?

Packrat seems to have taken an interest in disaffected Ecuadorian police, creating a website, Los Desvinculados (justicia-desvinculados.com), and a social media identity. The site also has a login section with news and reports about the Ecuadorian government.

The police, who have protested against poor welfare, are now the biggest threat to Rafael Correa, Ecuador’s president.

Figure 23 - Los Desvinculados website

Below is the related Twitter account (twitter.com/justdesvincula2).

Figure 33 - Desvinculados Twitter page

As with the previous two sites, we found no evidence that Justicia Desvinculados was ever used to spread Trojans or carry out phishing.

0x06 Challenges of attribution

The evidence presented in this report suggests that Packrat is an organized group capable of sustaining attacks over a long period against a distinctly regional set of targets. So who is Packrat? We propose two hypotheses.

6.1 Hypothesis 1: Packrat is state-sponsored

6.1.2 Target list

Packrat’s targets are influential individuals whose activities can affect national and regional politics. In Ecuador and Argentina, Packrat has targeted prominent critics and independent journalists. Interestingly, Packrat has also attacked Ecuador’s parliament and government ministries. The data show that Packrat regularly attacked a variety of targets associated with the opposition.

We also found highly political phishing and Trojan sites, emails and messages. Packrat created fake political organizations and then used the associated identities and websites to launch phishing attacks or spread Trojans. The sites seem designed to attract critics, and some members, of the Ecuadorian and Venezuelan governments. We believe targets in other countries, such as Brazil, have also been attacked, but we do not know who they are.

Other targets are of particular interest to the region’s intelligence or security services, and the sponsors of these operations may have an interest in opposition forces.

6.1.3 Motivation for spreading disinformation

We found a number of politically themed fake websites that were evidently not intended to spread Trojans. Although some of them share registration information with the Trojan sites, they can be distinguished by their content, and there are no malicious files or phishing pages on them.

There are three possible explanations for these sites. First, these sites are designed to make fake organizations seem more credible, so they can spread misinformation. Second, these sites can be honeypots, used to attract or manipulate targets for Trojan attacks. Finally, these sites may be trying to gather information about operations we don’t yet know about.

It is not clear which country would be interested in these actions and would support them.

6.1.4 Ability to pay

Hosting, registering and maintaining this infrastructure for seven years is certainly not cheap. Creating and maintaining the fake sites is also a cost in human effort, especially for sites with original content such as PanCaliente. Finally, attacks at this scale and level of customization require additional manpower.

Given these costs, Packrat must have the resources, or backers, to foot the bill. We found no evidence that they attack industrial, commercial or financial targets. Given the cost of their activities, it is hard to imagine anyone other than a state both wanting this information and being willing to pay for it.

6.1.5 Clues that Packrat is “comfortable”

In early 2015, the first reports were published that Packrat had attacked Nisman in Argentina, exposing its infrastructure. Still, much of that infrastructure remains online. From an operational standpoint this makes sense: if Packrat has successfully infiltrated a target, shutting down the infrastructure would mean losing control of that target, and Packrat would have to re-infect it and connect it to a new host. That process wastes time, may not succeed, and risks detection.

If Packrat feared prosecution, it would be natural for them to take down exposed servers, since law enforcement obtaining those servers might be able to track them down.

The fact that the servers are still online suggests that Packrat worries only about the viability of its operation, not about pursuit by any government. We suspect they may be protected by local authorities.

Although there is no conclusive evidence, the fact that they dared to threaten Citizen Lab researchers suggests they are confident they will not be punished. Judging by their behaviour, Citizen Lab researchers are not the first analysts to have bothered them.

6.1.6 Two scenarios for state involvement

In this section we present two possible state-sponsorship scenarios and use our data to assess the likelihood of each.

Scenario 1: A single state sponsor

Based on our findings, there are several possible explanations. Packrat may be working for an intelligence agency, and its activities reveal that agency’s objectives. The agency may spy on many groups, including its adversaries, such as foreign governments.

The most obvious candidates are the ALBA (Bolivarian Alliance) countries and, more recently, Argentina, whose leaders have forged political alliances, although the country’s president recently came out against such ties. Ecuador and Venezuela also have close ties.

One could argue that Packrat’s attacks on some Ecuadorian government ministries settle the question of whether Ecuadorian officials are involved with Packrat. However, the targeting of the Ecuadorian parliament and other government bodies neither proves that the Ecuadorian government is the sponsor nor rules out the possibility.

Scenario 2: More than one state sponsor

The range and diversity of regional targets suggests that Packrat may be attacking opposition forces on behalf of multiple governments; for example, Packrat might have multiple customers and use the same infrastructure for all of them.

6.2 Hypothesis 2: Packrat has no state sponsor

While some of the evidence above suggests state support for Packrat, other features of its activity do not. In this section we list some important pieces of evidence, for example that Packrat is not technically advanced, and assess whether Packrat may have no state sponsor at all.

6.2.1 Lack of sophisticated tools

Packrat uses existing, commercially available RATs. They were not developed by Packrat, nor are they advanced Trojans sold exclusively to governments. Moreover, the attackers do not use exploits to install their Trojans; some decoy documents even require the victim to double-click an icon in the document, a cumbersome step that may cause the attack to fail. State-sponsored attackers could use more sophisticated Trojans and exploits.

But this does not mean that every government-linked attack group necessarily uses advanced Trojans or exploits.

We cannot draw conclusions from the commercial Trojans they use and the lack of exploits alone. One thing to note is that Packrat does effectively evade detection and hide its identity through obfuscation.

6.2.2 Scenario: Groups without state sponsorship

The possibility that cannot be dismissed is that Packrat is a criminal organization with no state sponsorship. In theory, such a group could be supporters of the opposition or have other related interests. South America also has many powerful NGOs and gangs that certainly have the financial resources to support these operations. Nevertheless, given whom Packrat targets, it is not clear why illegal groups would be interested in these people.

Another possibility is that an NGO with political ambitions is behind Packrat. Such a group would be very interested in political alliances and governments.

6.3 Which hypothesis is right?

In the end, we do not think the data in this report are enough to determine which hypothesis is right. But it is the region’s governments that stand to benefit from Packrat’s activities.

0x07 Summary

In this report, we describe a seven-year campaign targeting several Latin American countries. Although there are many known attack groups in Latin America, Packrat’s most notable feature is its frequent targeting of politicians, journalists and others. Packrat also has the ability to sustain long-term campaigns regardless of media coverage.

One of the most remarkable things about Packrat is that it has sustained its activity for years using Trojans that are not technically sophisticated. Technically, they mostly rely on commercially available RATs, packed to evade detection. They also create fake organizations to lure targets into infecting themselves with the Trojans.

Even after its infrastructure was exposed, Packrat did not take down its servers and domain names. This shows how seriously Packrat takes its operations.

While we cannot be sure who is behind Packrat, we hope that exposing their activities will encourage others to continue the research.

Citizenlab.org/2015/12/pac…

0x08 Appendix

Appendix B Trojan horse samples

Appendix C Trojan Horse Configuration

CyberGate RAT configuration

Xtreme RAT configuration

Adzok configuration

Adwind variant configuration

Appendix D Malicious domain names

Domains resolving to 198.12.150.249

Domains resolving to 193.105.134.27

Domains registered to [email protected]