- The first versions of Pirpi appeared in 2008.
- Several domains were observed as remote control channels (command and control, or C2) used with the first variants. These domains appear to currently be sink-holed, but a Domain Tools "Whois History" report revealed the original registrants. Domains don't always make the best indicators when chasing compromise (because they change often), but the metadata associated with them rarely does. What's metadata? Names, phone numbers, addresses, etc., associated with the person or organization that registered the domains. These make great indicators in identifying new bad actors or actions, and Wapack Labs has a great internally built tool to help us identify patterns in the registrant metadata. We call it "WhoisRecon". In this case, there is a lot of history, and those who don't learn from it may be doomed to repeat it. Four early domains used by Pirpi for C2 were identified.
- A well known Advanced Persistent Threat (APT) group is believed responsible for leveraging this recent exploit. The group today leverages several back doors including older versions of Pirpi.[iii]
- One email address, the original registrant of three of these four early domains is believed linked to over 140 others. The email address was reported in an Infosec forum operated by a Chinese information security company in September 2009. The email's connection with the attacks is unknown, but certainly enough information is available to suggest malintent.
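The registrant-metadata pivot described above (linking domains through shared email addresses or phone numbers rather than through the domain names themselves) can be shown in a few lines of Python. This is an added example, not WhoisRecon or any Wapack Labs code; the WHOIS history records are constructed placeholders, not the registrants from the post, and the field names and functions are assumptions for illustration. The example goes slightly beyond the post by normalizing cosmetic differences (case, phone formatting) before matching, which is what makes such pivots reliable.

```python
"""Pivot on WHOIS registrant metadata to link domains (added example)."""
import re
from collections import defaultdict

# Constructed sample WHOIS history records; every value here is a placeholder
# and does not reflect any registrant mentioned in the post.
WHOIS_HISTORY = [
    {"domain": "example-c2-one.test", "email": "Registrant.One@example.test",
     "phone": "+1 (555) 010-0001", "org": "Example Holdings"},
    {"domain": "example-c2-two.test", "email": "registrant.one@example.test",
     "phone": "555-010-0001", "org": "EXAMPLE HOLDINGS"},
    {"domain": "example-c2-three.test", "email": "registrant.one@example.test",
     "phone": "", "org": ""},
    {"domain": "example-c2-four.test", "email": "other@example.test",
     "phone": "+1 555 010 0002", "org": "Other Org"},
    {"domain": "unrelated.test", "email": "nobody@example.test",
     "phone": "", "org": "Example Holdings"},
]


def normalize(field, value):
    """Canonicalize a registrant field so cosmetic differences don't hide links."""
    value = (value or "").strip()
    if not value:
        return None
    if field == "phone":
        digits = re.sub(r"\D", "", value)
        # Drop a leading US country code so "+1 555 ..." matches "555-...".
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        return digits or None
    return value.lower()


def build_index(records):
    """Map each (field, normalized value) to the set of domains that used it."""
    index = defaultdict(set)
    for rec in records:
        for field in ("email", "phone", "org"):
            key = normalize(field, rec.get(field))
            if key is not None:
                index[(field, key)].add(rec["domain"])
    return index


def pivot(seed_domain, records, fields=("email", "phone")):
    """Return the other domains sharing a registrant email or phone with the seed.

    The organization field is excluded by default: organization names are shared
    by many legitimate registrants and make for noisy pivots.
    """
    index = build_index(records)
    linked = set()
    for (field, key), domains in index.items():
        if field in fields and seed_domain in domains:
            linked |= domains
    linked.discard(seed_domain)
    return sorted(linked)


def registrant_clusters(records, field="email", min_size=2):
    """Registrant values that link at least min_size domains, largest cluster first."""
    index = build_index(records)
    clusters = {key: sorted(doms) for (f, key), doms in index.items()
                if f == field and len(doms) >= min_size}
    return sorted(clusters.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    print(pivot("example-c2-one.test", WHOIS_HISTORY))
    for key, doms in registrant_clusters(WHOIS_HISTORY):
        print(f"{key}: {len(doms)} domains -> {doms}")
```

Seeding the pivot with one known C2 domain returns the other domains that share its registrant email or phone, and the cluster view surfaces any single registrant value tied to many domains, which is the kind of pattern worth turning into a watch-list indicator. Org-name matches are left out of the default pivot on purpose; pass `fields=("org",)` explicitly when that field is specific enough to be useful.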
This was a simplified snippet of deeper analysis that we provide to our members and customers on a weekly basis. This week was busy and I thought this might be interesting. The reports, when possible, provide not only the analysis of the activity but also Snort rules for your intrusion prevention systems, YARA rules used to check files for badness (a great overview can be found here), and indicators, currently presented in Lockheed's Kill Chain format.
Red Sky Alliance and Wapack Labs are one of the few places where users can come in, get up to speed, and get no-kidding analysis and protection strategies for advanced threats... and everyone has them. Last week I wrapped my victim notifications with a call to a four person company. While we don't do incident response, we do offer victim notifications and referrals to trusted partners. In this case, we had a local partner with deep experience in exactly the same industry as the victim.
As an added note, I had the opportunity to participate in the US Cyber Crime Conference this week. While no longer associated with DoD, the conference was excellent. A much smaller crowd turned out; I think about 600 or so, but it was heavily commercial participation, with ten educational tracks, and as usual, Jim Christy and the folks at Tech Forums did a hell of a job.
Ok, going for a run before it rains.
Until next time,
Have a great week!