Saturday, May 03, 2014

Red Sky Weekly: Pirpi RAT

Last week (April 26th), FireEye reported a new Internet Explorer (IE) zero-day exploit used in targeted attacks. A "zero-day" is a new exploit or vulnerability that has never been seen in the wild before; the term normally refers to the first discovery.

According to Kaspersky bloggers, during the week of the 20th, attackers sent well-crafted emails (well-crafted means they often look very normal, like they might come from your boss or a customer) to specific, high-value targets. These targets generally have trust relationships with someone or something that has information related to targeting objectives assigned to the group performing the attacks. In this case, the idea was to deliver a newer version of an old remote access trojan (RAT) named the Pirpi RAT. Once installed, the Pirpi RAT can be used to take full control of a user's browser and, in turn, their system and larger network (where attackers may remove or destroy information as desired).

The vulnerability identified by FireEye affects Internet Explorer versions 6 through 11, but according to FireEye, the attacks appear to be targeting versions 9 through 11. And to make matters worse, the zero-day bypasses two Windows security measures: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).[i] (Address Space Layout Randomization (ASLR) randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the memory location of a given process. Data Execution Prevention (DEP) is a Windows feature that enables the system to mark one or more pages of memory as non-executable, so that code placed in them cannot run.) Microsoft announced Security Advisory 2963983 the same day.[ii]

This week's Cyber Threat Analysis and Intelligence (CTA&I) report provided analysis, situational awareness, and mitigation strategies for two variants of Pirpi malware, as well as possible attribution for its use. Wapack Labs analyzed two primary strains of the Pirpi malware and published the analysis to our members, with some interesting findings:
  • The first versions of Pirpi appeared in 2008. 
  • Several domains were observed as remote control channels (command and control, or C2) used with the first variants. These domains appear to currently be sink-holed, but a Domain Tools “Whois History” report revealed the original registrants. Domains don't always make the best indicators when chasing compromise (because they change often), but the metadata associated with them rarely changes. What's metadata? Names, phone numbers, addresses, etc., associated with the person or organization that registered the domains. These make great indicators in identifying new bad actors or actions, and Wapack Labs has a great internally built tool to help us identify patterns in the registrant metadata. We call it "WhoisRecon". In this case, there is a lot of history -- and those who don't learn from it may be doomed to repeat it. Four early domains used by Pirpi for C2 were identified.
  • A well-known Advanced Persistent Threat (APT) group is believed responsible for leveraging this recent exploit. The group today leverages several back doors, including older versions of Pirpi.[iii]
  • One email address, the original registrant of three of these four early domains, is believed linked to over 140 others. The email address was reported in an Infosec forum operated by a Chinese information security company in September 2009. The email's connection with the attacks is unknown, but certainly enough information is available to suggest malintent.
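
To illustrate the registrant-metadata pivoting described in the list above, here is an added example (not from the original post, and not Wapack Labs' WhoisRecon tool). The records, domains, email addresses and phone numbers are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed WHOIS-history records on reserved .example names (not real indicators).
RECORDS = [
    {"domain": "c2-one.example", "email": "Reg.One@Mail.example ", "phone": "+1.5550101"},
    {"domain": "c2-two.example", "email": "reg.one@mail.example", "phone": "+1 555 0102"},
    {"domain": "update-srv.example", "email": "privacy@proxy.example", "phone": "+1.555.0102"},
    {"domain": "benign-shop.example", "email": "privacy@proxy.example", "phone": "+1.5550199"},
]
FIELDS = ("email", "phone")
# Values shared by unrelated registrants (privacy proxies, registrar defaults)
# link everything to everything, so they are never used as pivots.
IGNORE = {("email", "privacy@proxy.example")}

def normalize(field, value):
    """Fold case and whitespace; reduce phone numbers to digits only."""
    value = (value or "").strip().lower()
    if field == "phone":
        value = "".join(ch for ch in value if ch.isdigit())
    return value

def keys_for(record):
    """Yield the usable (field, value) pivot keys of one record."""
    for field in FIELDS:
        key = (field, normalize(field, record.get(field)))
        if key[1] and key not in IGNORE:
            yield key

def pivot(records, seeds):
    """Breadth-first walk from seed domains over shared registrant metadata.

    Returns {domain: (hops_from_seed, key_that_linked_it)}.
    """
    by_domain = {r["domain"]: r for r in records}
    index = defaultdict(set)
    for rec in records:
        for key in keys_for(rec):
            index[key].add(rec["domain"])
    found = {s: (0, None) for s in seeds if s in by_domain}
    frontier = sorted(found)
    while frontier:
        layer = []
        for dom in frontier:
            for key in keys_for(by_domain[dom]):
                for other in sorted(index[key]):
                    if other not in found:
                        found[other] = (found[dom][0] + 1, key)
                        layer.append(other)
        frontier = layer
    return found

if __name__ == "__main__":
    for dom, (hops, via) in pivot(RECORDS, ["c2-one.example"]).items():
        print(hops, dom, via)
```

The hop count and linking key are kept with each result so an analyst can judge how strong the connection to the seed domain is before treating a domain as related.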

BT BT 

This was a simplified snippet of deeper analysis that we provide to our members and customers on a weekly basis. This week was busy and I thought this might be interesting. The reports, when possible, provide not only the analysis of the activity but also Snort rules for your intrusion prevention systems and YARA rules, which are used to check files for badness (a great overview can be found here); indicators are currently presented in Lockheed's Kill Chain format.

Red Sky Alliance and Wapack Labs are one of the few places where users can come in, get up to speed, and get no-kidding analysis and protection strategies for advanced threats... and everyone has them. Last week I wrapped my victim notifications with a call to a four person company. While we don't do incident response, we do offer victim notifications and referrals to trusted partners. In this case, we had a local partner with deep experience in exactly the same industry as the victim. 

As an added note, I had the opportunity to participate in the US Cyber Crime Conference this week. While no longer associated with DoD, the conference was excellent. A much smaller crowd turned out, I think about 600 or so, but it was heavily commercial participation, with ten educational tracks, and as usual, Jim Christy and the folks at Tech Forums did a hell of a job.

Ok, going for a run before it rains.

Until next time,
Have a great week!
Jeff








[i] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
[ii] https://technet.microsoft.com/en-US/library/security/2963983
[iii] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html